Summary

As proposed in the Cloud and AI Development Act (CADA), Slovenia is required to designate one or more national competent authorities responsible for enforcing the Union cloud computing sovereignty framework. This designation must occur no later than one year after the Regulation enters into force, as stipulated in Article 25(1). The designated authority will hold exclusive competence over cloud computing service providers whose main establishment is located in Slovenia, granting it significant investigative and enforcement powers under Article 26, including the ability to impose fines, order the cessation of infringements, and conduct inspections. The Commission will maintain a public register of these authorities under Article 25(2).


Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous regulatory framework for cloud computing sovereignty within the European Union. For Slovenia, as for all Member States, the cornerstone of this enforcement mechanism is the designation of a national competent authority. The proposal outlines specific timelines, structural requirements, and extensive powers for these bodies to ensure the integrity of the EU's cloud ecosystem.

Designation and Timing (Article 25)

Under Article 25(1) of the CADA proposal, Member States are obligated to designate one or more national competent authorities responsible for enforcing Chapter I of Title IV, which establishes the Union cloud computing sovereignty framework. The deadline for this designation is strict: it must be completed no later than one year after the Regulation enters into force.

Slovenia has the flexibility to utilize existing administrative structures. Article 25(1) explicitly states that Member States "may designate an existing authority or existing authorities" to fulfill this role. This suggests that Slovenia could potentially assign these responsibilities to an existing body, such as a national cybersecurity authority, a data protection supervisor, or a dedicated digital agency, rather than creating a new entity from scratch.

Once designated, transparency is paramount. Article 25(2) requires Slovenia to notify the European Commission of the names of the competent authorities and their specific tasks and powers. The Commission is then mandated to maintain a public register of these authorities. This public register ensures that cloud computing service providers, auditors, and other stakeholders can easily identify the correct regulatory contact point in Slovenia.

Exclusive Competence and Main Establishment

A critical aspect of CADA's enforcement architecture is the principle of exclusive competence based on the provider's location. Article 25(4) establishes that the Member State in which the cloud computing service provider has its "main establishment" has exclusive competence for enforcing the sovereignty chapter.

The "main establishment" is defined in the text as the place where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised. For a cloud provider operating across the EU but headquartered in Slovenia, the Slovenian national competent authority would be the sole regulator responsible for overseeing that provider's compliance with the Union assurance levels. This "single-entry-point" approach aims to reduce regulatory fragmentation and ensure consistent supervision across the Union, preventing multiple Member States from imposing conflicting requirements on the same provider.

Investigative and Enforcement Powers (Article 26)

The national competent authority in Slovenia will not merely be an advisory body; it will wield substantial investigative and enforcement powers under Article 26. These powers are designed to be effective, dissuasive and proportionate.

Investigative Powers: Under Article 26(1), the competent authority has the power to:

  • Require Information: Demand that any cloud computing service provider, or any person acting for purposes related to their trade (including auditing organisations), provide information relevant to a suspected infringement as soon as possible.
  • Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used by the provider for trade-related purposes. This includes the power to examine, seize, or obtain copies of information relating to a suspected infringement, regardless of the storage medium.
  • Question Staff: Ask members of staff or representatives of the provider to give explanations regarding suspected infringements and, with consent, record their answers.

Enforcement Powers: Under Article 26(2), the competent authority can take decisive action to halt non-compliance:

  • Cessation Orders: Order the cessation of infringements and impose remedies proportionate to the infringement to bring it effectively to an end. If necessary, the authority can request a judicial authority to enforce these orders.
  • Fines: Impose fines for failure to comply with the Regulation, including for failing to comply with investigative orders.
  • Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or to compel compliance with investigative orders.

These powers must be exercised in an impartial, transparent and timely manner, as required by Article 25(3). Furthermore, Article 25(3) mandates that Slovenia ensure its competent authorities have all necessary resources, including sufficient technical, financial and human resources, to adequately supervise all cloud computing service providers within their competence.

Penalties and Compensation (Article 24)

While Article 26 outlines the powers to impose fines, Article 24 provides the framework for the penalties themselves. Article 24(1) requires Slovenia to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be effective, proportionate and dissuasive.

When determining the severity of penalties, Article 24(2) lists several criteria Slovenia must consider, including:

  • The nature, gravity, scale and duration of the infringement.
  • Any action taken to mitigate or remedy the damage.
  • Previous infringements by the same party.
  • Financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the Union.

Additionally, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty framework.

What this means for you

For in-house counsel and compliance officers operating in Slovenia or managing Slovenian-headquartered cloud providers, the establishment of the national competent authority under CADA signals a shift from voluntary best practices to mandatory regulatory oversight.

  1. Identify Your Regulator: Monitor the official EU registers and Slovenian government announcements to identify the designated national competent authority. Once published, this body will be your primary point of contact for all matters related to Union assurance levels.
  2. Prepare for Scrutiny: If your main establishment is in Slovenia, your company falls under the exclusive jurisdiction of the Slovenian authority. Ensure your internal compliance processes are robust enough to withstand the investigative powers outlined in Article 26, including on-site inspections and data seizures.
  3. Resource Allocation: Compliance is no longer optional. Ensure your organization has the technical and legal resources to respond to information requests and to maintain the documentation required for Union assurance levels. Failure to cooperate with investigations can result in additional fines under Article 26(2).
  4. Risk Management: Understand that non-compliance carries significant financial risks, including fines based on global turnover and periodic penalty payments. Implement rigorous internal audits to detect potential infringements before they attract regulatory attention.

Common misconceptions

"CADA only applies to EU-based providers." Incorrect. While the enforcement is tied to the location of the main establishment, the sovereignty framework applies to cloud computing services provided to Union entities and public sector bodies. A provider established in a third country but with a main establishment in Slovenia would still be subject to the Slovenian authority's jurisdiction.

"Slovenia must create a brand new agency." Not necessarily. Article 25(1) allows Slovenia to designate an existing authority. This could mean that an existing body, such as the Slovenian Network and Information Security Agency or the Information Commissioner, may take on these additional responsibilities.

"The Commission enforces CADA directly in Slovenia." No. The Commission maintains a public register and facilitates cooperation, but Article 25(4) grants exclusive competence to the Member State where the provider has its main establishment. The Slovenian national competent authority is the primary enforcer for providers based in Slovenia.

This is general information about a draft EU regulation, not legal advice.