Summary
As proposed in the Cloud and AI Development Act (CADA), Slovakia has not yet designated its specific national competent authority. Under Article 25 of the proposal, Slovakia is required to designate one or more national competent authorities within one year of the Regulation's entry into force. These authorities will hold exclusive competence for enforcing the cloud sovereignty framework against providers whose main establishment is in Slovakia. They possess robust investigative powers (including information requests, inspections, and the ability to seize data) and enforcement powers to order cessation of infringements, impose fines, and levy periodic penalty payments.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised EU-wide framework for cloud computing sovereignty, centred on the "Union assurance levels" defined in Article 16. However, the Regulation relies on national competent authorities (NCAs) for day-to-day supervision, recognition of providers, and enforcement. For Slovakia, this means a specific public body will be tasked with overseeing compliance with the sovereignty framework, managing the recognition process for Union assurance levels, and investigating potential infringements.
Designation and Timing: The One-Year Window
Under Article 25(1) of the CADA proposal, Slovakia is legally obligated to designate one or more national competent authorities responsible for enforcing Title IV (Autonomy) of the Regulation. The deadline for this designation is strict: it must occur within one year of the Regulation's entry into force.
The proposal is designed to avoid unnecessary administrative duplication. Article 25(1) explicitly states that Slovakia "may designate an existing authority or existing authorities." This means the Commission does not mandate the creation of a new, standalone agency. Slovakia could designate an existing body with relevant expertise, such as the Office for Personal Data Protection, the National Cyber and Information Security Authority (NÚKIB), or a market surveillance body, provided that body is granted the specific powers required by the Regulation.
Once designated, Slovakia must notify the European Commission of the names of these authorities, along with their specific tasks and powers. As per Article 25(2), the Commission will maintain a public register of these authorities. This register will ensure transparency for cloud providers and public sector buyers across the EU, allowing them to identify the correct regulator for any provider established in Slovakia.
Exclusive Competence: The "Main Establishment" Rule
A critical feature of the CADA governance model is the principle of exclusive competence based on the provider's main establishment. Article 25(4) states that the Member State in which the cloud computing service provider has its main establishment holds exclusive competence for enforcing Title IV.
The Regulation defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.
This creates a "one-stop-shop" dynamic for enforcement:
- If a cloud provider is headquartered in Slovakia, the Slovak national competent authority is the sole EU authority responsible for supervising that provider's compliance with the Union assurance levels (1 through 4).
- Other Member States cannot directly enforce these specific sovereignty obligations against that provider. If a public sector body in Germany or France suspects a Slovak provider of non-compliance, they cannot fine or inspect the provider directly. Instead, they must rely on the Slovak authority to act.
Investigative and Enforcement Powers
To ensure effective oversight, Article 26 grants the Slovak national competent authority significant investigative and enforcement powers. These measures must be effective, dissuasive and proportionate (Article 26(3)).
Investigative Powers (Article 26(1))
The competent authority has the power to:
- Require information: It can demand that any cloud computing service provider, as well as any other persons acting for purposes related to their trade (including auditing organisations), provide specific information regarding suspected infringements as soon as possible.
- Conduct inspections: It can carry out, or request a judicial authority to order, inspections of any premises used by the provider for trade or business purposes. This includes the power to examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
- Request explanations: It can ask any member of staff or representative of the provider to give explanations regarding suspected infringements. With their consent, the authority may record these answers by any technical means.
Enforcement Powers (Article 26(2))
If an infringement is found, the authority can:
- Order cessation: It can order the cessation of the infringement and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
- Impose fines: It can impose fines for failure to comply with the Regulation, including for failure to comply with investigative orders (e.g., refusing an inspection or failing to provide information).
- Impose periodic penalty payments: It can impose periodic penalty payments to ensure that an infringement is terminated in compliance with a cessation order, or for failure to comply with investigative orders.
These measures are subject to strict procedural safeguards. Article 26(4) mandates that measures must be taken in accordance with the right to respect for private life and the rights of defence, including the rights to be heard and to have access to the file. All measures are subject to the right of all affected parties to an effective judicial remedy.
Cross-Border Cooperation and Mutual Assistance
While the Slovak authority has exclusive competence for providers established in Slovakia, it must cooperate closely with authorities in other Member States.
- Mutual Assistance (Article 27): Competent authorities and the Commission must cooperate closely. A competent authority in another Member State may request the Slovak authority to provide specific information in its possession to exercise investigative powers. The Slovak authority must comply with such requests and inform the requesting authority of the action taken no later than two months after receipt.
- Cross-Border Cooperation (Article 28): If a competent authority in a "destination" Member State (where the service is used) suspects that a cloud provider established in Slovakia no longer fulfils the requirements of the Union assurance levels, it may request the Slovak authority to assess the matter. The Slovak authority must communicate its assessment and any investigatory or enforcement measures taken no later than two months after receipt of the request.
What this means for you
For in-house counsel, compliance officers, and cloud computing service providers with a main establishment in Slovakia, the designation of the national competent authority under CADA will define your primary regulatory interface for sovereignty compliance.
1. Identify Your Regulator Early
Although the specific authority is not yet named, you should begin preparing for engagement with the body that Slovakia ultimately designates. Given the allowance to use existing authorities, this is likely to be an entity already involved in digital oversight, such as the Office for Personal Data Protection, the National Cyber and Information Security Authority (NÚKIB), or a relevant market surveillance body. Monitor the Commission's public register of competent authorities once the Regulation is adopted to confirm the exact entity.
2. Prepare for Enhanced Scrutiny
The powers granted under Article 26 are robust. You should ensure that your internal compliance frameworks can withstand rigorous third-party audits and regulatory inspections. This includes maintaining up-to-date documentation on your supply chain, subcontractors, and data localisation practices, as these are key criteria for Union assurance levels. Your legal and technical teams must be ready to provide immediate access to premises and data upon request from the Slovak authority.
3. Understand the "One-Stop-Shop" Dynamic
Because the Slovak authority has exclusive competence for providers established in Slovakia, you will not face fragmented enforcement actions from other EU Member States regarding your sovereignty status. However, this also means the Slovak authority bears the responsibility of defending your compliance status across the EU. If a public sector body in Germany or France questions your Union assurance level, the Slovak authority will be the one to investigate and respond. Therefore, maintaining a transparent and cooperative relationship with the Slovak regulator is crucial to protect your market access across the entire Union.
4. Budget for Penalties and Compliance Costs
Article 26 allows for significant financial penalties, including periodic penalty payments for non-compliance with cessation orders. Ensure that your risk management processes include strict adherence to transparency obligations (Article 23) and audit requirements (Article 20). Failure to cooperate with the Slovak authority's investigative requests can trigger immediate fines, separate from the underlying sovereignty infringement.
Common misconceptions
Misconception: Slovakia must create a brand-new agency. Reality: Article 25(1) explicitly states that Slovakia "may designate an existing authority or existing authorities." This is a common feature in EU regulations to reduce administrative burden. It is highly probable that Slovakia will leverage an existing body with relevant expertise in cybersecurity or data protection.
Misconception: Any EU authority can fine a Slovak provider for sovereignty breaches. Reality: Article 25(4) establishes exclusive competence for the Member State of the main establishment. If your main establishment is in Slovakia, only the Slovak national competent authority can enforce Title IV obligations against you. Other Member States must refer concerns to the Slovak authority.
Misconception: The national competent authority handles all CADA obligations. Reality: The national competent authority under Article 25 is specifically responsible for enforcing the cloud computing sovereignty framework (Title IV). Other aspects of CADA, such as data centre deployment (Title III) or research initiatives (Title II), may involve different national bodies or the Commission directly. Do not assume the sovereignty regulator is the sole point of contact for all CADA-related matters.
Misconception: Designation happens immediately upon the law's passage. Reality: There is a one-year implementation period from the entry into force of the Regulation for Slovakia to designate its authority (Article 25(1)). Providers should not expect the authority to be operational or named on day one of the Regulation's application.
This is general information about a draft EU regulation, not legal advice.