Summary
The proposed Cloud and AI Development Act (CADA) does not pre-select a specific Swedish body as the national competent authority. Instead, Article 25(1) mandates that Sweden must designate one or more national competent authorities within one year of the Regulation's entry into force. Sweden may designate an existing authority (such as the Swedish Post and Telecom Authority or the Data Protection Authority) or establish a new one. Crucially, Article 25(4) establishes that the authority in the Member State where a cloud provider has its main establishment holds exclusive competence for enforcement. Once designated, this Swedish authority would wield significant powers under Article 26, including the right to conduct inspections, order the cessation of infringements, and impose fines or periodic penalty payments.
Detail
The Designation Requirement and Timeline
Under the proposed CADA, the oversight of the Union cloud computing sovereignty framework is decentralized to the Member States. Article 25(1) explicitly requires that "Member States shall designate one or more national competent authorities responsible for enforcing this Chapter."
The timeline for this designation is rigid and tied to the Regulation's entry into force. Article 48 states that the Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union. Article 25(1) then sets the deadline: Member States must complete their designation "by [date of entry into force plus one year]."
This creates a critical window for Sweden. The government must finalize its choice of authority well before the substantive obligations for cloud providers (such as obtaining Union assurance levels) and public sector bodies (such as conducting risk assessments) become fully operational. The text of Article 25(1) clarifies that Sweden "may designate an existing authority or existing authorities." This flexibility suggests that Sweden is not required to create a new bureaucratic entity from scratch. Instead, the Swedish government could assign these responsibilities to a regulator with existing expertise in telecommunications, data protection, or cybersecurity, provided that body is granted the necessary resources and powers.
Exclusive Competence and the "Main Establishment" Rule
A defining feature of CADA's enforcement architecture is the principle of exclusive competence based on the location of the provider's "main establishment." Article 25(4) states:
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This provision has profound implications for Swedish cloud providers and foreign providers operating in Sweden:
- Swedish-Based Providers: If a cloud computing service provider has its main establishment in Sweden, the Swedish national competent authority is the sole body responsible for recognizing the provider's Union assurance level and enforcing compliance. Other Member States cannot independently investigate or sanction that provider for CADA sovereignty violations.
- Foreign-Based Providers: Conversely, if a provider is established in another Member State (e.g., Ireland or Germany), Swedish authorities have no direct enforcement power over that provider's CADA compliance. They cannot issue fines or orders directly to that provider. Instead, they must rely on the authority of the provider's home Member State, utilizing the mutual assistance and cross-border cooperation mechanisms outlined in Articles 27 and 28.
This "one-stop-shop" approach is designed to prevent fragmented enforcement and regulatory arbitrage, ensuring that a provider is subject to a single supervisory regime based on its operational center.
Powers of the National Competent Authority
Once designated, the Swedish national competent authority would be granted extensive investigative and enforcement powers under Article 26 to carry out its tasks. These powers are necessary to verify compliance with the strict criteria of the Union assurance levels (Annex II) and to ensure the integrity of the sovereignty framework.
Investigative Powers (Article 26(1))
To uncover suspected infringements, the authority would have the power to:
- Request Information: Require any cloud computing service provider, auditing organizations, and other persons acting for purposes related to their trade to provide information "as soon as possible" if they are reasonably expected to be aware of a suspected infringement.
- Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used by the provider for business purposes. This includes the power to "examine, seize, take or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium."
- Interview Staff: Ask members of staff or representatives to give explanations regarding suspected infringements and, with their consent, record their answers by any technical means.
Enforcement Powers (Article 26(2))
If an infringement is confirmed or suspected, the authority would have the power to:
- Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end.
- Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with CADA, including failure to comply with investigative orders.
- Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure that an infringement is terminated in compliance with an order, or for failure to comply with any investigative orders.
Article 26(3) mandates that these measures must be "effective, dissuasive and proportionate." In determining the appropriate measure, the authority must consider the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider.
The Public Register and Transparency
To ensure legal certainty and facilitate cooperation across the Union, Article 25(2) requires Member States to notify the Commission of the names of the competent authorities and their tasks and powers. The Commission is then required to "maintain a public register of those authorities."
This register will serve as the definitive source for cloud providers, public sector bodies, and auditing organizations to identify the correct supervisory body for inquiries, complaints, or recognition applications. It ensures that the designation is transparent and that the scope of the authority's powers is publicly known.
Resources and Independence
Article 25(3) imposes a strict obligation on Sweden to ensure that its designated competent authorities perform their tasks in an "impartial, transparent and timely manner." Crucially, the Member State must ensure that the authorities have "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources to adequately supervise all cloud computing service providers within their competence."
Given the technical complexity of cloud infrastructure, the high stakes of sovereignty compliance, and the need to assess criteria ranging from data localization to personnel citizenship, this implies a need for specialized expertise in cybersecurity, data governance, and cloud architecture. The authority cannot be under-resourced; it must be capable of handling complex audits and technical inspections.
What this means for you
For in-house counsel, compliance officers, and public sector bodies in Sweden, the designation of the national competent authority is a pivotal event in the CADA timeline.
1. Identify Your Regulator Early
As soon as CADA is adopted and enters into force, monitor official Swedish government communications (e.g., from the Ministry of Enterprise and Innovation or the Ministry of Justice) to identify which body has been designated. If an existing authority like the Swedish Post and Telecom Authority (PTS) or the Swedish Data Protection Authority (IMY) is chosen, immediately assess how their current procedures align with CADA's new mandates. If a new body is created, track its establishment and the appointment of its leadership.
2. Prepare for Exclusive Jurisdiction
If your company's main establishment is in Sweden, you are under the exclusive jurisdiction of the Swedish authority. This means you will deal solely with this body for recognition applications, audits, and compliance checks. Ensure your internal compliance programs for Union assurance levels (especially Levels 2 to 4, which require independent third-party audits) are robust. The authority has the power to inspect your premises and seize data; therefore, your internal documentation of compliance with Annex II criteria must be impeccable and readily available.
3. Establish Cooperation Protocols
Under Article 26(1), failure to provide information or cooperate with investigations can lead to significant penalties. Establish clear internal protocols for responding to official requests from the competent authority. Ensure that your legal and technical teams understand the balance between CADA compliance duties, data protection obligations, and legal privilege.
4. Monitor Penalty Frameworks
While CADA does not fix specific fine amounts, Article 24 requires Member States to lay down their own rules on penalties, which must be "effective, proportionate and dissuasive." Sweden will define the specific fine structures and compensation rules. Keep a close watch on Swedish legislative updates regarding these penalty rules, as they will determine your financial exposure in the event of non-compliance.
5. Public Sector Procurement
For Swedish public sector bodies, the national competent authority will be a key partner in the risk assessment process (Article 29) and procurement decisions (Article 30). Ensure your risk assessments align with the guidance provided by the Commission and are communicated to the authority as required. The authority's recognition of cloud services will directly impact your ability to procure services at the required assurance levels.
Common misconceptions
"CADA names a specific Swedish agency."
- Reality: CADA is a harmonizing EU Regulation. It sets the framework, deadlines, and powers but leaves the specific choice of authority to each Member State. Sweden has the flexibility to designate an existing body or create a new one.
"Any EU authority can investigate a cloud provider."
- Reality: Article 25(4) establishes exclusive competence for the Member State of the provider's main establishment. If a provider is based in France, Swedish authorities cannot directly enforce CADA against them; they must work through the French authority via mutual assistance mechanisms.
"The competent authority only handles cybersecurity."
- Reality: While cybersecurity is a component, the CADA sovereignty framework covers broader issues including data localization, personnel citizenship (for higher assurance levels), absence of third-country control, and operational autonomy. The competent authority oversees all these criteria.
"Penalties are fixed at the EU level."
- Reality: Article 24 requires Member States to lay down their own rules on penalties. Sweden will define the specific fine structures and compensation rules, though they must be effective, proportionate, and dissuasive.
This is general information about a draft EU regulation, not legal advice.