Summary
Under the proposed Cloud and AI Development Act (CADA), the Netherlands is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the regulation's entry into force, as mandated by Article 25(1). While the specific Dutch authority has not yet been named in the proposal text, the Netherlands may designate an existing body rather than creating a new one. The European Commission will maintain a public register of these authorities under Article 25(2). Crucially, Article 25(4) establishes that exclusive competence for enforcement rests with the Member State where a cloud provider has its "main establishment," ensuring a single point of regulatory contact. The designated Dutch authority would possess robust investigative and enforcement powers under Article 26, including the ability to request information, conduct inspections, order the cessation of infringements, and impose fines or periodic penalty payments.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized Union framework for cloud sovereignty. This framework relies heavily on national competent authorities (NCAs) to oversee compliance, recognize Union assurance levels, and enforce penalties. For legal counsel, compliance officers, and cloud providers operating in or with the Netherlands, understanding the designation process, scope of authority, and enforcement powers of the Dutch NCA is critical for navigating the upcoming regulatory landscape.
Designation of National Competent Authorities
Article 25(1) of the CADA proposal imposes a strict timeline on Member States. The Netherlands must designate one or more national competent authorities responsible for enforcing Title IV (Autonomy) of the Regulation. This designation must be completed within one year of the regulation's entry into force.
The proposal offers flexibility in the choice of authority. Article 25(1) explicitly states that Member States "may designate an existing authority or existing authorities." This means the Netherlands is not required to establish a new regulatory body from scratch. The Dutch government could potentially assign these responsibilities to an existing regulator with relevant expertise in cybersecurity, data protection, or market surveillance, such as the Authority for Consumers and Markets (ACM) or the Dutch Data Protection Authority (AP), though the final decision rests with the national government.
Once designated, the Netherlands must notify the European Commission of the names of these authorities, along with their specific tasks and powers. Under Article 25(2), the Commission is required to "maintain a public register of those authorities." This register will serve as the central reference point for cloud computing service providers, auditing organizations, and other stakeholders to identify the correct regulatory contact in the Netherlands.
Exclusive Competence and the Main Establishment Rule
A cornerstone of the CADA enforcement mechanism is the principle of exclusive competence based on the provider's location. Article 25(4) states that "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."
The regulation defines "main establishment" in Article 25(4) as the location where the provider has its "head office or registered office from which the principal financial functions and operational control are exercised."
- For providers established in the Netherlands: If a cloud provider's main establishment is in the Netherlands, the Dutch national competent authority will be the sole regulator for enforcing the sovereignty framework. This authority will handle the recognition of Union assurance levels, supervise audits, and enforce compliance. This "one-stop-shop" approach aims to reduce regulatory fragmentation and provide legal certainty for providers operating cross-border within the EU.
- For providers established elsewhere: If a provider's main establishment is in another Member State (e.g., Germany or France), the Dutch authority generally does not have direct enforcement competence over that provider. However, under Articles 27 and 28, the Dutch authority may still cooperate with the authority of the main establishment if it suspects non-compliance affecting the Dutch market or public order.
Investigative and Enforcement Powers
The powers granted to the designated Dutch authority are extensive, designed to ensure effective supervision and enforcement. Article 26 outlines these powers, which apply to the competent authority of the establishment.
Investigative Powers (Article 26(1))
To carry out their tasks, particularly regarding the recognition of assurance levels under Article 17, competent authorities have the power to:
- Request Information: Require cloud computing service providers, auditing organizations, and any other persons acting for purposes related to their trade to provide information relating to a suspected infringement "as soon as possible."
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used by providers or related persons. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."
- Interview Staff: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements. With consent, the authority may record these answers by any technical means.
Enforcement Powers (Article 26(2))
If infringements are identified, the competent authority has the power to:
- Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose Fines: Impose fines for failure to comply with the Regulation, including for non-compliance with investigative orders.
- Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with a cessation order or to enforce compliance with investigative orders.
These measures must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)). Furthermore, the exercise of these powers is subject to adequate safeguards under applicable national law, respecting the right to respect for private life and the rights of defense, including the rights to be heard and to have access to the file (Article 26(4)).
Penalties and Compensation
In addition to the specific enforcement powers of the competent authority, Article 24 requires Member States to lay down the general rules on penalties applicable to infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
When imposing penalties, authorities must consider non-exhaustive criteria listed in Article 24(2), including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken to mitigate or remedy the damage.
- Any previous infringements by the party.
- Financial benefits gained or losses avoided due to the infringement.
- The infringing party's annual turnover in the preceding financial year in the Union.
Crucially, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty framework. This civil liability aspect adds a significant layer of risk for providers who fail to comply with CADA requirements.
What this means for you
For in-house counsel, compliance officers, and cloud providers in the Netherlands, the establishment of the national competent authority under CADA presents several immediate and long-term obligations:
- Monitor the Designation Timeline: The Netherlands must designate its authority within one year of CADA's entry into force. This is a near-term milestone. Stakeholders should monitor official Dutch government announcements to identify which body (e.g., ACM, AP, or a new entity) will assume these responsibilities. The procedural guidelines and enforcement history of the designated body will inform your compliance strategy.
- Determine Main Establishment Status: You must determine if your cloud provider has its "main establishment" in the Netherlands. If so, you will be under the direct, exclusive supervision of the Dutch authority for all CADA matters, including assurance level recognition and audits. If your main establishment is in another Member State, your primary regulator will be there, though the Dutch authority may still engage via mutual assistance mechanisms.
- Prepare for Robust Investigations: Ensure your organization is prepared for the investigative powers outlined in Article 26. This includes maintaining robust data governance to provide information quickly upon request, ensuring premises are accessible for potential inspections, and training staff on how to handle inquiries from regulators.
- Risk Assessment and Mitigation: Given the potential for fines, periodic penalty payments, and civil compensation claims, conduct a thorough risk assessment of your cloud services against the Union assurance levels. Ensure that any claims regarding assurance levels are backed by solid audit evidence and self-assessments, as these will be scrutinized by the competent authority.
- Engage with the Public Register: Once the Commission's public register of competent authorities is live, verify that the Dutch authority's contact details and scope of powers are accurately listed. This register will be a key resource for resolving regulatory queries or disputes.
Common misconceptions
- Misconception: The Netherlands has already appointed its CADA authority.
- Reality: CADA is a proposal, not yet in force. Article 25(1) requires designation within one year of entry into force. No specific Dutch authority has been named in the proposal text.
- Misconception: Only new authorities will be created for CADA.
- Reality: Article 25(1) explicitly allows Member States to designate existing authorities. The Netherlands is likely to leverage existing regulatory bodies with relevant expertise rather than creating a new entity from scratch.
- Misconception: Competent authorities have limited powers.
- Reality: Article 26 grants significant investigative and enforcement powers, including on-site inspections, data seizure, and the ability to impose fines and periodic penalty payments. These are not merely advisory roles.
- Misconception: Only the main establishment matters for enforcement.
- Reality: While Article 25(4) assigns exclusive competence to the main establishment Member State, cross-border cooperation and mutual assistance (Articles 27 and 28) mean that authorities in other Member States, including the Netherlands, can still play a role if they suspect non-compliance by a provider established elsewhere.
This is general information about a draft EU regulation, not legal advice.