Summary
Under the proposed Cloud and AI Development Act (CADA), Malta is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the regulation's entry into force. As CADA is currently a proposal (COM(2026) 502 final), the specific Maltese authority has not yet been named; however, the European Commission will maintain a public register of all designated authorities. Once designated, the Maltese authority would hold exclusive competence for enforcing the framework against cloud providers whose main establishment is in Malta. This authority would possess significant investigative and enforcement powers, including the ability to order inspections, demand information, impose fines, and levy periodic penalty payments.
Detail
The Cloud and AI Development Act (CADA) proposes a harmonised EU-wide framework for cloud computing sovereignty, requiring Member States to establish robust supervisory structures to ensure compliance with Union assurance levels. For Malta, the obligations regarding the designation, scope, and powers of national competent authorities are set out primarily in Article 25 and Article 26 of the proposal.
Designation and Timeline (Article 25)
As proposed, Article 25(1) requires Member States, including Malta, to designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the Cloud Computing Sovereignty Framework). This designation must occur within one year of the regulation's entry into force.
Crucially, CADA provides flexibility for Malta to leverage existing institutional structures rather than mandating the creation of a new body. Article 25(1) explicitly states that "Member States may designate an existing authority or existing authorities." This suggests that Malta could assign these duties to its current data protection authority, cybersecurity authority, or a dedicated digital regulator, provided that the designated body is granted the necessary resources and powers.
Once designated, the authority must be notified to the European Commission. Under Article 25(2), the Commission is required to maintain a public register of these authorities, ensuring transparency for cloud service providers and public sector bodies across the Union. This register will serve as the definitive source for identifying the regulator in each Member State.
Exclusive Competence and Main Establishment
A key principle in CADA is the "main establishment" rule, which simplifies cross-border supervision and prevents regulatory fragmentation. Article 25(4) establishes that the Member State in which a cloud computing service provider has its main establishment has exclusive competence for enforcing the sovereignty framework.
The proposal defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised. For a cloud provider headquartered in Malta, the Maltese competent authority would be the sole regulator for sovereignty compliance, even if the provider offers services across the entire EU. This prevents multiple national authorities from duplicating efforts or issuing conflicting rulings on the same provider.
Conversely, if a provider is established in another Member State (e.g., Germany) but offers services to Maltese public bodies, the Maltese authority would not have enforcement jurisdiction over that provider's compliance; it would rely on the German authority under the mutual assistance mechanisms.
Investigative and Enforcement Powers (Article 26)
The national competent authority in Malta would be granted substantial powers to ensure compliance with the Union assurance levels. Article 26 outlines these powers, which are divided into investigative and enforcement categories.
Investigative Powers (Article 26(1)): To carry out its tasks, particularly regarding the recognition of cloud services under Article 17, the Maltese authority would have the power to:
- Information Requests: Require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession (including auditing organisations), to provide information as soon as possible regarding a suspected infringement.
- Inspections: Carry out, or request a judicial authority in Malta to order, inspections of any premises used for trade or business purposes. This includes the power to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Explanations: Ask any member of staff or representative of those providers to give explanations in respect of any information relating to a suspected infringement and, with their consent, to record their answers by any technical means.
Enforcement Powers (Article 26(2)): If infringements are identified, the authority would have the power to:
- Cessation Orders: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
- Fines: Impose fines, or request a judicial authority in Malta to do so, for failure to comply with the Regulation, including with any of the investigative orders issued pursuant to paragraph 1.
- Periodic Penalty Payments: Impose a periodic penalty payment, or request a judicial authority to do so, to ensure that an infringement is terminated in compliance with an order, or for failure to comply with any investigative orders.
These measures must be effective, dissuasive and proportionate, having regard, in particular, to the nature, gravity, recurrence and duration of the infringement, as well as the economic, technical and operational capacity of the service provider concerned (Article 26(3)).
Cooperation and Mutual Assistance
While the Maltese authority has exclusive competence for providers based in Malta, CADA mandates close cooperation with other Member States to ensure consistent application across the single market. Article 27 outlines mutual assistance provisions, requiring authorities to exchange information and assist each other in investigations. Article 28 sets out cross-border cooperation principles, allowing a "competent authority of destination" (e.g., a French authority using a Maltese-based service) to request the Maltese authority to assess suspected non-compliance and take necessary measures. The Maltese authority must communicate its assessment and any enforcement measures taken within two months.
What this means for you
For in-house counsel, compliance officers, and public sector bodies in Malta, the following actions are critical as the proposal moves through the legislative process:
- Monitor the Designation: Keep a close watch on the official designation of Malta's competent authority once the regulation enters into force. The Commission's public register will be the definitive source for this information. Until then, no specific Maltese body has the power to enforce CADA.
- Prepare for Audits and Inspections: If your company is a cloud provider with its main establishment in Malta, ensure your internal compliance processes are robust. The Maltese authority would have the power to conduct on-site inspections and demand access to data, premises, and staff explanations. Ensure your documentation regarding Union assurance levels (self-assessments for Level 1, audit reports for Levels 2-4) is readily accessible and verifiable.
- Understand the Penalty Regime: Be aware that non-compliance can lead to significant financial penalties. Article 26(2) allows for fines and periodic penalty payments. While the specific maximum amounts are determined by Member States under Article 24, the enforcement mechanism lies with the national authority. Ensure your risk management frameworks account for these potential liabilities, which could be substantial given the "effective, proportionate and dissuasive" requirement.
- Cross-Border Coordination: If you are a public sector body in Malta, you will need to engage with the national competent authority when conducting risk assessments (Article 29) to determine the required Union assurance level for your cloud procurements. The authority's guidance will be essential in mapping your public order needs to the correct assurance level.
- Leverage Existing Authorities: As the Maltese government designates its authority, consider how this aligns with existing regulatory bodies. If an existing authority (such as the Information and Data Protection Commissioner or the National Cyber Security Agency) is designated, your existing compliance relationships may streamline the transition to CADA obligations. However, note that these bodies would need to acquire specific expertise in cloud sovereignty criteria and the new investigative powers granted by Article 26.
Common misconceptions
- "Malta does not need a new regulator." While it is true that a new regulator may not be created, the role is new. Existing authorities will need to acquire specific expertise in cloud sovereignty criteria, Union assurance levels, and the new investigative powers granted by Article 26.
- "Only EU-based providers are affected." CADA's sovereignty framework applies to cloud computing service providers offering services to Union entities and public sector bodies. If a provider is established in Malta, it falls under the exclusive competence of the Maltese authority, regardless of where its customers are located within the EU.
- "The Commission directly fines providers." No. The Commission maintains the central repository of recognised services and provides guidance, but the investigative and enforcement powers, including the imposition of fines, lie with the national competent authority of the provider's main establishment (Article 26).
- "The authority can act immediately." No. The authority can only exercise these powers after Malta has formally designated it and notified the Commission, which must happen within one year of the regulation's entry into force.
This is general information about a draft EU regulation, not legal advice.