Summary

Under the proposed Cloud and AI Development Act (CADA), Portugal is required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the regulation's entry into force. As CADA is currently a proposal (COM(2026) 502 final), no specific Portuguese authority has been officially named yet; however, the proposal allows Member States to designate an existing body rather than creating a new one. Once designated, this authority will hold exclusive competence for cloud providers with their main establishment in Portugal and will wield significant investigative and enforcement powers, including the ability to order the cessation of infringements, conduct inspections, and impose fines and periodic penalty payments.

Detail

The Cloud and AI Development Act (CADA) establishes a harmonised EU framework to strengthen technological sovereignty, reduce dependencies on third-country cloud providers, and ensure the resilience of public sector digital infrastructure. A cornerstone of this framework is the national enforcement mechanism, primarily governed by Article 25 and Article 26 of the proposal. These articles define how Member States like Portugal will operationalise the Union cloud computing sovereignty framework.

Designation of the National Competent Authority (Article 25)

Article 25 mandates that each Member State, including Portugal, must designate one or more national competent authorities responsible for enforcing the provisions of Title IV (Autonomy) of the Regulation. The key requirements for this designation are:

  • Deadline: Member States must designate these authorities within one year of the Regulation's entry into force. Given that CADA is scheduled to apply one year after its entry into force, the designation must occur early in the implementation phase to ensure operational readiness.
  • Existing Authorities: The proposal allows flexibility in administration. Article 25(1) states that Member States "may designate an existing authority or existing authorities." This suggests that Portugal is likely to assign these responsibilities to an existing regulator (potentially within the scope of the National Authority for Data Protection (ANPD), the Portuguese Institute for Cybersecurity (CNCS), or a dedicated unit within the Ministry of Digital Affairs) rather than establishing a wholly new bureaucratic entity.
  • Public Register: To ensure transparency and legal certainty for cloud providers operating across the EU, Article 25(2) requires Member States to notify the European Commission of the names, tasks, and powers of these authorities. The Commission is then obligated to maintain a public register of these designated authorities. This register will serve as the primary reference for cloud providers to identify the correct supervisory body for their operations.
  • Exclusive Competence: A critical feature of CADA is the "main establishment" principle. Article 25(4) establishes that the Member State in which the cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the Chapter. This means that for a cloud provider headquartered in Lisbon, the Portuguese competent authority will be the lead regulator, even if the provider offers services to customers in other Member States.

Investigative and Enforcement Powers (Article 26)

Once designated, the Portuguese national competent authority will be granted robust powers to ensure compliance with the Union assurance levels and sovereignty criteria. Article 26 outlines two categories of powers: investigative and enforcement.

Investigative Powers

To carry out their tasks, particularly regarding the recognition of cloud services under specific Union assurance levels, the competent authority will have the power to:

  • Request Information: Require any cloud computing service provider, or any person acting for purposes related to their trade, to provide relevant information regarding a suspected infringement as soon as possible (Article 26(1)(a)).
  • Conduct Inspections: Carry out inspections of premises used by providers for their trade, business, or profession. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement, irrespective of the storage medium (Article 26(1)(b)).
  • Question Staff: Ask members of staff or representatives of the provider to give explanations regarding suspected infringements and, with their consent, record their answers (Article 26(1)(c)).

Enforcement Powers

If infringements are identified, the competent authority can take decisive action:

  • Cessation Orders: Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end (Article 26(2)(a)).
  • Fines: Impose fines for failure to comply with the Regulation, including for non-compliance with investigative orders (Article 26(2)(b)).
  • Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order or to enforce compliance with investigative orders (Article 26(2)(c)).

These measures must be effective, dissuasive and proportionate, taking into account the nature, gravity, recurrence and duration of the infringement, as well as the economic, technical and operational capacity of the service provider concerned (Article 26(3)).

Penalties and Compensation (Article 24)

While Article 26 grants the authority the power to fine, Article 24 sets out the broader framework for penalties within the sovereignty chapter. Member States must lay down rules on penalties applicable to infringements by cloud service providers. These penalties must be effective, proportionate and dissuasive. When determining the penalty amount, authorities must consider criteria such as the nature and gravity of the infringement, any previous infringements, financial benefits gained, and the infringing party's annual turnover in the Union. Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation for any damage or loss suffered due to a provider's infringement of their obligations.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, particularly those with a main establishment in Portugal, the implications of Article 25 and Article 26 are significant and require proactive preparation.

  1. Monitor the Public Register: As the CADA legislative procedure progresses and eventually enters into force, you must monitor the European Commission's public register of national competent authorities. Once Portugal designates its authority, this will be your primary point of contact for all matters related to Union assurance level recognition and sovereignty compliance.
  2. Prepare for Scrutiny: The investigative powers under Article 26 are extensive. Ensure your internal governance, data residency controls, and subcontractor oversight mechanisms are documented and readily accessible. You may be required to provide immediate information or grant premises inspections regarding your compliance with Union assurance levels 1–4.
  3. Understand Exclusive Jurisdiction: If your company's main establishment is in Portugal, the Portuguese authority will be the sole regulator for your sovereignty framework compliance across the EU. This simplifies the regulatory landscape by avoiding multiple national investigations for the same issue, but it concentrates risk. Ensure your compliance program is robust enough to satisfy a single, centralized authority that may coordinate with other Member States under the mutual assistance provisions of Article 27.
  4. Risk Assessment and Remediation: Be prepared for the possibility of cessation orders and periodic penalty payments if non-compliance is detected. Your legal and compliance teams should develop incident response protocols specifically tailored to regulatory inquiries from the national competent authority, ensuring that any remedial actions are taken promptly to mitigate potential fines.
  5. Engage Early: As Portugal develops its national cloud and AI strategy (required under Article 7), there may be opportunities for industry dialogue. Engaging with the designated authority early can help clarify expectations regarding the interpretation of Union assurance levels and the practical application of investigative powers.

Common misconceptions

  • "Portugal has already named its CADA authority."
    • Correction: CADA is a proposal. While Portugal may have existing bodies that will likely be designated, the formal designation under Article 25 has not yet occurred. The specific authority and its precise mandate will be confirmed once the regulation is adopted and the one-year deadline for designation approaches.
  • "Only the Portuguese authority can investigate providers based in Portugal."
    • Correction: While the main-establishment Member State has exclusive competence for enforcement under Article 25(4), other Member States' competent authorities can request assistance and cooperation under Article 27 (Mutual Assistance) and Article 28 (Cross-border Cooperation). If a provider in Portugal is suspected of non-compliance affecting services in France, the French authority can request the Portuguese authority to assess the matter and take necessary measures.
  • "Fines are fixed amounts."
    • Correction: Article 24 and Article 26 emphasize that penalties must be proportionate. The competent authority will consider multiple factors, including the provider's turnover, the gravity of the infringement, and any mitigating actions taken. There are no fixed fine schedules in the proposal; each case is assessed individually.
  • "CADA replaces the GDPR or NIS2."
    • Correction: CADA complements existing frameworks. While it introduces sovereignty-specific criteria and enforcement powers, it does not replace data protection or cybersecurity obligations. The national competent authority under CADA may cooperate with Data Protection Authorities and cybersecurity bodies, but the mandates remain distinct.

This is general information about a draft EU regulation, not legal advice.