Summary

As proposed in the Cloud and AI Development Act (CADA), Spain is required to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework within one year of the Regulation's entry into force (Article 25(1)). While the specific Spanish authority has not yet been named in the proposal, Spain may designate an existing body, and the European Commission will maintain a public register of these authorities (Article 25(2)). Crucially, enforcement jurisdiction lies exclusively with the Member State where the cloud provider has its "main establishment" (Article 25(4)). These authorities would wield significant investigative and enforcement powers, including the ability to order the cessation of infringements, impose fines, and levy periodic penalty payments (Article 26).

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised EU-wide framework for cloud computing sovereignty, centred on four "Union assurance levels." To enforce this framework, CADA imposes strict obligations on Member States to designate and empower national competent authorities. For Spain, as for all Member States, this creates a new layer of regulatory oversight that in-house counsel and compliance officers must monitor closely.

Designation and Timeline

Under Article 25(1) of the CADA proposal, Member States must designate one or more national competent authorities responsible for enforcing the sovereignty chapter of the Regulation. The deadline for this designation is set at one year after the Regulation's entry into force. The proposal explicitly allows Member States to designate existing authorities rather than creating new bodies from scratch, stating that "Member States may designate an existing authority or existing authorities" (Article 25(1), second sentence). This suggests that Spain could assign these duties to an existing cybersecurity, data protection, or telecommunications regulator, provided it grants them the specific powers outlined in CADA.

Once designated, Spain must notify the European Commission of the names of these authorities and their specific tasks and powers (Article 25(2)). The Commission is then required to maintain a public register of these authorities, ensuring transparency for cloud providers and public sector buyers across the Union.

Exclusive Competence and Main Establishment

A critical aspect of CADA's enforcement mechanism is the principle of exclusive competence. Article 25(4) stipulates that the Member State in which the cloud computing service provider has its "main establishment" has exclusive competence for enforcing the sovereignty chapter. The main establishment is defined as the head office or registered office from which the principal financial functions and operational control are exercised.

This "single-point-of-contact" approach is designed to prevent fragmented enforcement across the EU. For a cloud provider operating in Spain, if its main establishment is in Madrid, the Spanish national competent authority would be the sole body responsible for investigating and enforcing CADA obligations, regardless of where the provider's customers or infrastructure are located within the EU.

Investigative and Enforcement Powers

The national competent authorities designated by Spain would not merely be advisory bodies; they would possess robust investigative and enforcement powers under Article 26. These powers are necessary to ensure that cloud providers genuinely meet the criteria for Union assurance levels 1 through 4.

  • Investigative Powers (Article 26(1)): Authorities can require cloud providers and related persons to provide specific information regarding suspected infringements. They also have the power to carry out inspections of premises used for trade or business, or to request judicial authorities to order such inspections. During these inspections, they can examine, seize, or take copies of information relating to suspected infringements, irrespective of the storage medium. Furthermore, they can question staff or representatives and record their answers.
  • Enforcement Powers (Article 26(2)): If an infringement is found, the authority can order the cessation of the infringement and impose proportionate remedies to bring it to an end. Critically, they have the power to impose fines for failure to comply with the Regulation or investigative orders. They can also impose periodic penalty payments to ensure compliance with cessation orders or investigative demands.

Cooperation and Cross-Border Issues

While the main-establishment state has exclusive competence, Article 27 and Article 28 establish mechanisms for mutual assistance and cross-border cooperation. If a Spanish authority suspects that a provider established in another Member State is non-compliant, it can request the competent authority of that other state to investigate. Conversely, if a Spanish authority receives a request from another Member State, it must comply within two months unless duly justified otherwise (Article 27(3)). This ensures that while enforcement is centralised, the EU-wide integrity of the sovereignty framework is maintained.

What this means for you

For in-house counsel and compliance officers at cloud providers operating in or serving the Spanish public sector, the designation of Spain's national competent authority is a pivotal compliance milestone.

1. Identify Your Regulator Early

Since the competent authority is determined by the location of your main establishment, you must identify which national body will regulate you. If your main establishment is in Spain, you will deal exclusively with the Spanish designated authority. If your main establishment is in Germany, for example, you will deal with the German authority, even if you have significant operations or customers in Spain. Monitor the Commission's public register (once established) to confirm the specific Spanish entity.

2. Prepare for Enhanced Scrutiny

Be prepared for rigorous investigations under Article 26. The authority's power to inspect premises and seize data means that your internal documentation, particularly regarding your sovereignty claims (e.g., data localisation, third-country control), must be impeccable. Ensure that your "EU statement of conformity" (for Level 1) or audit reports (for Levels 2–4) are readily accessible and defensible.

3. Understand the Penalty Regime

Non-compliance carries significant financial risk. Under Article 26(2), authorities can impose fines and periodic penalty payments. While CADA leaves the specific fine amounts to Member States (via Article 24), the powers to levy them are explicit. Compliance officers should integrate CADA obligations into their existing risk management frameworks, treating sovereignty compliance with the same rigour as GDPR or AI Act compliance.

4. Monitor the One-Year Deadline

Spain has one year from the Regulation's entry into force to designate its authority. Use this period to engage with industry groups to advocate for clear guidance from the Spanish government on which existing body will take on these roles. Early engagement can help shape the practical implementation of these powers.

Common misconceptions

Misconception 1: Spain will create a brand-new regulator for CADA. Reality: Article 25(1) explicitly allows Member States to designate existing authorities. Spain is likely to assign these powers to an existing body, such as the National Cybersecurity Institute (INCIBE) or the Data Protection Agency (AEPD), or a combination thereof, rather than creating a new agency from scratch.

Misconception 2: Any EU authority can investigate a cloud provider. Reality: Article 25(4) establishes exclusive competence for the Member State of the provider's main establishment. While cross-border cooperation exists (Articles 27–28), the primary investigative and enforcement power rests solely with the authority in the country of the main establishment.

Misconception 3: The competent authority only handles technical cybersecurity. Reality: The CADA sovereignty framework is distinct from pure cybersecurity. As noted in the Explanatory Memorandum, the Cybersecurity Act addresses technical cybersecurity, while CADA addresses sovereignty, operational autonomy, and public order risks. The national competent authority under CADA will assess criteria like third-country control, data localisation, and personnel citizenship, which go beyond traditional cybersecurity metrics.

Misconception 4: Fines are fixed at the EU level. Reality: While Article 26 grants the power to impose fines, Article 24 requires Member States to lay down the specific rules on penalties, which must be effective, proportionate and dissuasive. The exact fine amounts will be determined by Spanish national law transposing or implementing these provisions, not by a fixed EU schedule.

This is general information about a draft EU regulation, not legal advice.