Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission holds primary responsibility for monitoring the broad application of the regulation and evaluating its overall effectiveness, as mandated by Article 47. This article requires a comprehensive review and report to the European Parliament and the Council five years after the regulation enters into force, and every five years thereafter. While the Commission drives this high-level strategic evaluation, the day-to-day enforcement, investigation of infringements, and imposition of penalties are delegated to national competent authorities designated by each Member State. These national bodies operate under the penalty framework of Article 24, ensuring that the sovereignty rules are enforced with "effective, proportionate and dissuasive" measures.

Detail

The monitoring and evaluation architecture of the proposed CADA is designed to balance centralized EU-level oversight with decentralized national enforcement. As proposed, the regulation establishes a dual-layer system: the European Commission monitors the strategic application and effectiveness of the act across the Union, while national competent authorities enforce compliance and manage penalties at the Member State level.

The Commission's Monitoring and Review Role

The cornerstone of EU-level monitoring is Article 47 of the proposed regulation. This article explicitly charges the Commission with the duty to monitor the application of the proposed Regulation and evaluate its effectiveness over time. The explanatory memorandum accompanying the proposal reinforces this mandate, stating clearly that "the Commission should monitor the application of the proposed Regulation and evaluate its effectiveness over time."

Article 47 establishes a strict timeline and scope for this evaluation:

  • First Review: The Commission must review the functioning of the Regulation and submit a report to the European Parliament and the Council five years after the Regulation's entry into force.
  • Subsequent Reviews: Following the initial review, the Commission must conduct further evaluations every five years.
  • Public Reporting: These reports are required to be public and must "detail the effective application and enforcement of the proposed Regulation."
  • Amendment Proposals: Where appropriate, the report may be accompanied by a proposal for amendment of the Regulation, ensuring the framework remains responsive to technological and market developments.

This review mechanism is critical for ensuring that CADA remains fit for purpose in a rapidly evolving technological landscape. It allows the EU to assess whether the sovereignty framework, data centre acceleration zones, and procurement rules are delivering the intended strategic autonomy and market integration. The Commission's role is not to investigate individual providers but to assess the systemic health of the ecosystem, the consistency of national enforcement, and the achievement of the Regulation's general objectives.

The Role of National Competent Authorities

While the Commission handles high-level monitoring, the practical enforcement of CADA's obligations falls to national competent authorities. Under Article 25, each Member State is required to designate one or more national competent authorities responsible for enforcing the Regulation's provisions, particularly those related to the cloud computing sovereignty framework.

These authorities are granted significant investigative and enforcement powers to ensure compliance. The Regulation empowers them to:

  • Investigate: Require cloud computing service providers and auditing organisations to provide information relevant to suspected infringements.
  • Inspect: Carry out inspections of premises and seize or obtain copies of information relating to suspected infringements.
  • Remedy: Order the cessation of infringements and impose remedies proportionate to the infringement.
  • Penalize: Impose fines or periodic penalty payments for failure to comply with the Regulation or investigative orders.

The explanatory memorandum emphasizes that these authorities must have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence." This ensures that monitoring is not just theoretical but backed by the capacity to investigate and penalize violations effectively. The Member State where the provider has its main establishment holds exclusive competence for enforcing the sovereignty chapter, ensuring a clear "one-stop-shop" for supervision.

Penalties and Compensation: Article 24

To ensure that monitoring leads to meaningful compliance, CADA introduces a robust framework for penalties under Article 24. This article outlines the rules on penalties applicable to infringements of the sovereignty framework chapter by cloud computing service providers.

Key aspects of Article 24 include:

  • Effective, Proportionate, and Dissuasive Penalties: Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." They must notify the Commission of these rules as soon as possible and of any subsequent amendments.
  • Criteria for Imposition: When imposing penalties, authorities must consider a non-exhaustive list of criteria, including:
    • The nature, gravity, scale, and duration of the infringement.
    • Any action taken by the infringing party to mitigate or remedy the damage.
    • Any previous infringements by the infringing party.
    • The financial benefits gained or losses avoided due to the infringement.
    • The infringing party's annual turnover in the preceding financial year in the Union.
  • Compensation Rights: Crucially, Article 24(3) establishes that recipients of cloud computing services "shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This penalty framework ensures that national competent authorities have the tools to enforce the Regulation's requirements rigorously. It shifts the burden of compliance onto providers, making non-compliance financially risky and operationally disruptive.

Coordination and Mutual Assistance

Monitoring is not conducted in isolation. CADA establishes mechanisms for mutual assistance and cross-border cooperation between national competent authorities to ensure consistent application across the single market.

Article 27 mandates that competent authorities and the Commission cooperate closely and provide each other with mutual assistance to apply the Regulation in a consistent and efficient manner. This includes the exchange of information. A competent authority may request specific information from another authority to exercise its investigative powers.

Article 28 further facilitates cross-border cooperation. If a competent authority in a "destination" Member State (where the service is used) suspects that a provider no longer fulfils the requirements, it may request the competent authority of "establishment" (where the provider is based) to assess the matter and take necessary investigatory and enforcement measures. The authority of establishment must communicate its assessment and any measures taken within two months. This ensures that monitoring is effective across the single market, preventing providers from exploiting jurisdictional gaps.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, understanding the monitoring landscape of CADA is essential for building a robust compliance program.

  1. Prepare for Dual-Layer Scrutiny: Recognize that your organization will be subject to direct enforcement by national competent authorities in your Member State of establishment, while the Commission monitors the broader ecosystem. Ensure that your internal audit and compliance functions are aligned with the requirements of the sovereignty framework, particularly if you are seeking recognition for Union assurance levels.
  2. Understand the Penalty Framework: Familiarize yourself with Article 24. The penalties for non-compliance are not trivial. They are designed to be dissuasive and take into account your organization's turnover and the gravity of the infringement. Implement clear internal protocols to detect and remediate potential violations before they escalate to enforcement actions.
  3. Engage with National Authorities: Identify the national competent authority in your Member State of establishment. Build a relationship with them and understand their specific investigative powers under Article 26. Be prepared to provide information and cooperate with inspections promptly, as these authorities have the power to request data and conduct on-site inspections.
  4. Monitor the Commission's Reviews: Keep an eye on the reports published under Article 47. These reports will signal whether the Commission is tightening enforcement, identifying systemic gaps, or adjusting expectations. Early awareness of these trends can help you proactively adjust your compliance strategies.
  5. Document Everything: Given the emphasis on evidence-based audits and the potential for cross-border investigations, maintain comprehensive records of your compliance efforts. This includes conformity self-assessments, audit reports, and any communications with authorities. This documentation will be critical if you need to demonstrate compliance or if a recipient seeks compensation under Article 24.

Common misconceptions

"The Commission directly fines non-compliant providers." No. The Commission monitors the overall application and effectiveness of CADA and publishes periodic reports, but it does not directly impose fines on individual cloud providers. Enforcement and penalty imposition are the exclusive responsibility of national competent authorities, as outlined in Article 24 and the enforcement powers in Article 26.

"Monitoring only happens after a violation is reported." No. Monitoring is continuous and proactive. National competent authorities have investigative powers to request information and conduct inspections without waiting for a specific complaint. The Commission's periodic reviews under Article 47 also involve active evaluation of the Regulation's effectiveness, not just reactive reporting.

"Penalties are fixed and predictable." No. While Article 24 provides specific criteria for penalties, the exact amount is not fixed. It depends on various factors, including the severity of the infringement, the provider's turnover, and any mitigating actions taken. This means penalties can vary significantly from case to case, allowing authorities to tailor sanctions to the specific circumstances.

"CADA replaces existing cybersecurity enforcement." No. CADA focuses on sovereignty and operational autonomy, complementing existing frameworks like NIS2 and the Cybersecurity Act. National competent authorities under CADA will likely coordinate with existing cybersecurity authorities, but CADA creates a distinct enforcement track for sovereignty-specific infringements.

This is general information about a draft EU regulation, not legal advice.