Summary

As proposed in the Cloud and AI Development Act (CADA), Romania is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the Regulation's entry into force. The specific Romanian authority has not yet been named, as CADA is currently a proposal; however, Article 25(2) mandates that the European Commission maintain a public register of these designated authorities. Once designated, the authority in the Member State where a cloud provider has its "main establishment" holds exclusive competence for enforcement across the EU, wielding significant investigative and sanctioning powers under Article 26, including the ability to order inspections, demand information, and impose fines.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a harmonised EU framework for cloud sovereignty. A critical pillar of this framework is the enforcement mechanism, which relies on designated national bodies in each Member State. For in-house counsel, compliance officers, and cloud providers operating in or from Romania, understanding the structure, timeline, and powers of these authorities is essential for navigating the new regulatory landscape.

Designation and Timeline (Article 25)

Under Article 25(1) of the CADA proposal, Member States, including Romania, are legally obligated to designate one or more national competent authorities. The deadline for this designation is strict: Member States must act by [P.O. insert date of entry into force plus 1 year].

The text explicitly allows Member States to designate existing authorities, referred to as "competent authorities," rather than creating entirely new administrative bodies from scratch. This flexibility suggests that Romania may leverage existing entities with relevant expertise in cybersecurity, data protection, or digital infrastructure. Potential candidates could include the National Agency for the Supervision of Personal Data Processing (ANSPDCP), the National Cybersecurity Directorate (DNSC), or the National Authority for Management and Regulation in Communications (ANCOM), potentially acting in coordination or as a designated lead. However, the final choice rests with the Romanian government.

Once designated, Romania must notify the European Commission of the names of these authorities, along with their specific tasks and powers. Article 25(2) stipulates that the Commission shall maintain a public register of these authorities. This register will serve as the primary reference point for cloud computing service providers to identify the correct supervisory body for their jurisdiction and for other Member States to coordinate enforcement actions.

Exclusive Competence and the "Main Establishment" Rule

A pivotal aspect of the CADA enforcement mechanism is the principle of exclusive competence based on the location of the provider's main establishment. Article 25(4) states that the Member State in which the cloud computing service provider has its "main establishment" has exclusive competence for enforcing Chapter IV (the sovereignty framework) of the Regulation.

The Regulation defines the "main establishment" as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This rule has profound implications for cross-border operations:

  • If a provider's main establishment is in Romania: The Romanian national competent authority is the sole body responsible for enforcing the sovereignty framework against that provider across the entire EU. Other Member States must defer to Romania for enforcement actions, though they may request assistance.
  • If a Romanian entity uses a cloud provider headquartered elsewhere: The enforcement jurisdiction lies with the authority of the Member State where that provider is established. The Romanian authority would not have direct enforcement power over that foreign provider, though it could request cooperation under Article 28.

Investigative and Enforcement Powers (Article 26)

The national competent authorities designated by Romania will be granted robust powers to ensure compliance with the CADA sovereignty framework. Article 26 outlines these powers, which are divided into investigative and enforcement categories. These powers are necessary to verify compliance with the recognition procedures under Article 17 and the risk assessment obligations under Article 29.

Investigative Powers (Article 26(1)): To carry out their tasks, the competent authority of establishment has the power to:

  • Require Information: Demand that any cloud computing service provider, auditing organisations, or other persons acting for trade-related purposes provide specific information as soon as possible if they are reasonably expected to be aware of information relating to a suspected infringement.
  • Conduct Inspections: Carry out, or request a judicial authority in their Member State to order, inspections of any premises used for trade-related purposes. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
  • Request Explanations: Ask any member of staff or representative of the provider to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2)): If infringements are identified, the national competent authority has the power to:

  • Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
  • Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including failure to comply with investigative orders.
  • Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for continued failure to comply with investigative orders.

Proportionality and Safeguards (Article 26(3)-(4)): Measures taken by the Romanian authority must be effective, dissuasive and proportionate. The authority must have regard to the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.

Member States must set out specific rules and procedures for the exercise of these powers, ensuring they are subject to adequate safeguards under national law. These safeguards must comply with the general principles of Union law, including the right to respect for private life and the rights of defence (such as the right to be heard and to have access to the file). All measures are subject to the right of all affected parties to an effective judicial remedy.

Penalties and Compensation (Article 24)

While Article 26 grants the power to impose fines, Article 24 provides the framework for determining the severity and criteria for penalties. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be effective, proportionate and dissuasive.

When imposing penalties, authorities must consider a non-exhaustive list of criteria, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the Union for the preceding financial year.

Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty framework.

What this means for you

For in-house counsel and compliance officers in Romania, the designation of the national competent authority under CADA represents a significant shift in regulatory oversight.

  1. Monitor the Public Register: Keep a close watch on the Commission's public register of competent authorities (mandated by Article 25(2)). Once Romania designates its authority, this will be your primary point of contact for recognition applications under Article 17 and for receiving guidance on risk assessments under Article 29.
  2. Prepare for Enhanced Scrutiny: If your organisation provides cloud computing services and has its main establishment in Romania, you will fall under the exclusive competence of the Romanian authority (Article 25(4)). Ensure your internal compliance procedures are robust enough to withstand the investigative powers outlined in Article 26(1), including on-site inspections, data seizures, and requests for detailed explanations from staff.
  3. Document Everything: Given the potential for fines and periodic penalty payments under Article 26(2), maintain meticulous records of your compliance efforts, audit trails, and any actions taken to mitigate infringements. These records will be crucial if you need to demonstrate proportionality or good faith during an enforcement action, as required by Article 24(2).
  4. Engage with National Strategy: Align your compliance efforts with Romania's national cloud and AI strategy, which must be adopted within one year of the Regulation's entry into force (Article 7). The national competent authority will likely coordinate with the bodies overseeing this strategy, ensuring that procurement and sovereignty requirements are harmonised.

Common misconceptions

  • "The authority is already named." CADA is a proposal. While the legal framework for designation is clear, the specific Romanian authority has not yet been officially designated. It may be an existing body, but this remains to be confirmed by the Romanian government.
  • "Only the provider's location matters." While the main establishment rule (Article 25(4)) is key, cross-border cooperation is mandatory. Article 27 and Article 28 require mutual assistance and cross-border cooperation between competent authorities. If a Romanian provider operates in other Member States, the Romanian authority may receive requests for information or enforcement assistance from other EU bodies.
  • "Fines are fixed." There are no fixed fine amounts in the CADA text for cloud sovereignty infringements. Instead, Article 24 requires Member States to establish rules for penalties that are effective, proportionate, and dissuasive, taking into account factors like turnover and severity. The exact penalty structure will depend on Romanian national law transposing these requirements.
  • "It's only about cybersecurity." The CADA sovereignty framework goes beyond technical cybersecurity. It addresses operational autonomy, data confidentiality, and protection from the extraterritorial effects of third-country law. The competent authority's role is to assess these broader sovereignty risks, not just technical vulnerabilities.

This is general information about a draft EU regulation, not legal advice.