Summary
As proposed, the Cloud and AI Development Act (CADA) does not yet name a specific Polish agency as the national competent authority. Instead, Article 25 obliges Poland to designate one or more authorities within one year of the Regulation's entry into force. Poland may designate an existing authority, which will then be listed in a public register maintained by the European Commission. This authority will hold exclusive competence over cloud providers with their main establishment in Poland and will wield significant investigative and enforcement powers, including the ability to order the cessation of infringements, impose fines, and levy periodic penalty payments under Article 26.
Detail
The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a harmonized framework for cloud sovereignty and AI development across the EU. A central pillar of this framework is the designation of national competent authorities to supervise compliance with the Union cloud computing sovereignty framework. For Poland, as with all Member States, the process, powers, and scope of these authorities are strictly defined in Title IV, Chapter I, Section 4 of the proposal.
Designation and Timeline (Article 25)
Under Article 25(1) of the proposed CADA, Member States must designate one or more national competent authorities responsible for enforcing Chapter I (the cloud computing sovereignty framework) within one year of the Regulation's entry into force. The proposal explicitly allows flexibility in this designation: Member States "may designate an existing authority or existing authorities" (Article 25(1), second sentence). This suggests that Poland is not required to create a new regulatory body from scratch but can assign these duties to an existing entity, such as a current cybersecurity, data protection, or market surveillance authority, provided it meets the regulatory requirements.
Once designated, Poland must notify the European Commission of the names of these competent authorities, along with their specific tasks and powers (Article 25(2)). The Commission is then obligated to maintain a public register of these authorities, ensuring transparency for cloud computing service providers and public sector bodies across the Union.
Exclusive Competence and Main Establishment
A critical feature of CADA's enforcement mechanism is the principle of exclusive competence based on the provider's main establishment. Article 25(4) states: "The Member State in which the cloud computing service provider has its main establishment... shall have exclusive competence for enforcing this Chapter."
The "main establishment" is defined in the same paragraph as the location where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. This means that if a cloud provider's main establishment is in Poland, the Polish competent authority is the sole national authority responsible for enforcing CADA's sovereignty requirements against that provider, even if the provider offers services in other Member States. This "single point of contact" approach is designed to reduce regulatory fragmentation and administrative burden for providers operating cross-border.
Investigative and Enforcement Powers (Article 26)
The national competent authority designated by Poland will be granted robust powers to ensure compliance. Article 26 outlines both investigative and enforcement powers that these authorities may exercise when necessary to carry out their tasks under Article 17 (recognition of cloud computing service providers).
Investigative Powers: Under Article 26(1), the competent authority may:
- Require any cloud computing service provider, or any person reasonably expected to be aware of information relating to a suspected infringement (including auditing organizations), to provide that information as soon as possible.
- Carry out inspections, or request a judicial authority to order inspections, of any premises used by the provider for trade, business, or profession. This includes the power to examine, seize, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Ask any member of staff or representative of the provider to give explanations regarding a suspected infringement and, with their consent, record their answers by any technical means.
Enforcement Powers: Under Article 26(2), the competent authority may:
- Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including non-compliance with investigative orders.
- Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order or to enforce compliance with investigative orders.
Article 26(3) mandates that measures taken by the national competent authority must be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.
Penalties and Compensation (Article 24)
While Article 26 grants the power to impose fines, Article 24 sets the broader framework for penalties. Member States must lay down rules on penalties applicable to infringements of Chapter I by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." When determining the level of penalties, Member States must consider criteria including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken by the infringing party to mitigate or remedy damage.
- Any previous infringements.
- Financial benefits gained or losses avoided.
- The infringing party's annual turnover in the preceding financial year in the Union.
Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under Chapter I.
What this means for you
For in-house counsel and compliance officers in Poland, or for providers with a main establishment in Poland, the designation of the national competent authority under CADA will trigger significant operational changes.
- Monitor the Designation: Keep a close watch on the Commission's public register (Article 25(2)) to identify the specific Polish authority designated. This will be your primary regulatory contact for sovereignty compliance.
- Prepare for Audits and Inspections: Polish authorities will have the power to conduct on-site inspections and request extensive documentation (Article 26(1)). Ensure your internal compliance processes, particularly those related to the Union assurance levels (Annex II), are well-documented and readily accessible.
- Understand the "Main Establishment" Rule: If your main establishment is in Poland, you fall under the exclusive competence of the Polish authority. This simplifies cross-border enforcement but concentrates regulatory scrutiny in one jurisdiction. Ensure your Polish legal entity is fully prepared to handle these regulatory interactions.
- Assess Penalty Exposure: The penalties under Article 24 are tied to your annual turnover and the severity of the infringement. Conduct a risk assessment of your current cloud services against the proposed Union assurance levels to identify potential gaps before the authority begins enforcement activities.
- Cooperate with Investigations: Failure to cooperate with investigative orders can itself lead to fines and periodic penalty payments (Article 26(2)). Establish clear internal protocols for responding to information requests and inspection notices from the competent authority.
Common misconceptions
- Misconception: Poland must create a new agency.
- Reality: Article 25(1) explicitly allows Poland to designate an existing authority. This could be an existing cybersecurity, data protection, or market surveillance authority, depending on how Poland chooses to allocate these competences.
- Misconception: Any EU authority can investigate a provider.
- Reality: Article 25(4) grants exclusive competence to the Member State of the provider's main establishment. While there are mechanisms for mutual assistance and cross-border cooperation (Articles 27 and 28), the primary enforcement responsibility lies with the authority in the country of the main establishment.
- Misconception: The Commission enforces CADA directly.
- Reality: The Commission maintains the public register and can get involved in specific dispute resolutions (e.g., if national authorities disagree on a recognition decision under Article 17(10)), but the day-to-day investigation and enforcement of the sovereignty framework are the responsibility of the national competent authorities designated by each Member State.
This is general information about a draft EU regulation, not legal advice.