Summary

Under the proposed Cloud and AI Development Act (CADA), the cloud computing service provider that breaches the regulation is directly liable for any damage or loss suffered by the recipient of the service. Article 24(3) explicitly grants recipients the right to seek compensation from the infringing provider. While CADA establishes this statutory right to redress, the actual legal proceedings, jurisdiction, and determination of damages must be pursued through applicable national law and Union law. The EU does not act as a payer or guarantor; the financial burden falls entirely on the non-compliant provider.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem, with a specific focus on sovereignty and public order. A critical, yet often overlooked, component of this framework is the enforcement mechanism regarding civil liability. For public-sector bodies, Union entities, and any recipient of cloud services, understanding who bears the financial burden when a provider fails to meet CADA's strict assurance levels is essential for risk management and procurement strategy.

The Legal Basis: Article 24 on Penalties and Compensation

The primary legal basis for compensation in the event of a CADA breach is Article 24, titled "Penalties and compensation." This article is situated in Title IV, Chapter I (the sovereignty framework), distinguishing it from general administrative penalties. It creates a dual-track enforcement system: one for public sanctions (fines) and one for private redress (compensation).

Article 24(1) mandates that Member States must lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." However, these administrative fines are paid to the Member State's competent authority, not to the victimized entity.

The specific provision addressing financial restitution to the injured party is Article 24(3). It states:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This provision creates a direct, statutory right of action for the "recipient" of the service. In the context of CADA, "recipients" typically include Union entities, Member States, and public sector bodies that have procured cloud services. If a cloud provider fails to maintain the required Union assurance level (e.g., Level 2, 3, or 4 as determined by a risk assessment under Article 29) or breaches other obligations in Title IV, the recipient can claim compensation for the resulting harm.

Who Is Liable?

The liability falls squarely on the cloud computing service provider that committed the infringement. CADA defines a "cloud computing service provider" as a legal entity which provides a cloud computing service (Article 2(2)).

It is crucial to distinguish between the two types of financial consequences under Article 24:

  1. Administrative Penalties: Under Article 24(1) and (2), Member States impose fines on the provider. These are punitive measures paid to the state treasury. The criteria for these fines include the gravity, duration, and turnover of the provider.
  2. Civil Compensation: Under Article 24(3), the provider is liable to the recipient for the actual harm caused. This is a compensatory measure, not punitive. The provider must pay for the "damage or loss suffered" by the recipient.

Therefore, a provider could face a significant fine from a national authority and be required to pay full compensation to a public-sector body for the same breach. The two liabilities are separate and cumulative.

The Role of National Law in Enforcement

CADA does not create a standalone EU civil court system for these disputes, nor does it establish a specific EU compensation fund. Instead, Article 24(3) explicitly states that the right to seek compensation is exercisable "in accordance with Union and national law."

This phrasing is deliberate and has significant practical implications:

  • Procedural Rules: The mechanism for filing a claim, the court jurisdiction, and the statute of limitations are governed by the national laws of the Member State where the claim is filed.
  • Evidentiary Standards: The burden of proof required to demonstrate that a breach occurred and that it caused specific damage will follow national civil procedure rules.
  • Calculation of Damages: CADA does not define a formula for calculating damages. The scope of recoverable losses (e.g., direct damages, indirect losses, consequential damages, or loss of reputation) depends on the specific civil code or tort law of the relevant Member State.

Consequently, while CADA provides the right to compensation, the enforcement of that right relies on the existing national legal infrastructure. Procurement officers must ensure that their contracts with cloud providers do not contain clauses that unfairly limit liability or contradict the mandatory right to compensation established by Article 24(3).

The Context of Assurance Levels and Breaches

The likelihood of a breach, and thus a compensation claim, is closely tied to the Union assurance levels (Levels 1–4) established in Article 16. Public-sector bodies are required to conduct risk assessments (Article 29) to determine which assurance level is necessary for their specific activities. For instance, activities contributing to the preservation of public order in sectors like defense, justice, or law enforcement may require Level 3 or 4 assurance.

If a provider is recognized as offering Level 3 but subsequently fails to maintain the criteria (e.g., regarding data localization, third-country control, or cybersecurity certification as detailed in Annex II), and this failure causes damage to the public-sector body, Article 24(3) provides the legal hook for compensation. The breach must be an infringement of the obligations under Title IV (Autonomy).

For example, if a provider recognized at Level 3 allows a third country to access customer data in violation of Annex II, Section 3.1(g), and this leads to a security incident causing operational disruption for a public body, the provider is liable for the resulting loss under Article 24(3).

What this means for you

For public-sector procurement officers, legal teams, and risk managers, the inclusion of Article 24(3) in the proposed CADA offers a significant layer of financial protection, but it requires proactive management. Here is how you should prepare:

  1. Contractual Alignment: Review your cloud service contracts to ensure they do not exclude or limit liability in ways that would contradict the mandatory right to compensation under CADA. While national law governs the procedure, the contract should explicitly acknowledge the provider's obligation to compensate for breaches of sovereignty criteria and reference Article 24(3).
  2. Risk Assessment Documentation: Maintain rigorous records of your risk assessments (per Article 29). If a breach occurs, you must demonstrate that the service was supposed to meet a specific assurance level and that the provider's failure to meet that level directly caused your loss. This causal link is essential for a successful claim under national law.
  3. Monitor Recognition Status: Regularly check the central repository of recognized services (Article 22) to ensure your provider maintains their recognized assurance level. A loss of recognition due to non-compliance could be the first indicator of a breach that might lead to a compensation claim.
  4. Legal Preparedness: Since claims are pursued under national law, ensure your organization has access to legal counsel familiar with both the new CADA provisions and the local civil procedure rules for claiming damages from technology providers. Understand the specific statute of limitations and evidentiary requirements in your jurisdiction.

Common misconceptions

"The EU pays for the damages." No. The EU does not provide a compensation fund for CADA breaches. The liability rests entirely with the cloud computing service provider. Article 24(3) grants the right to seek compensation from the provider, not from the Union budget.

"Administrative fines go to the victim." No. Fines imposed under Article 24(1) and (2) are administrative penalties paid to the Member State's competent authority. They are distinct from civil compensation, which is paid to the recipient of the service under Article 24(3). A provider may pay both a fine to the state and compensation to the public-sector body.

"CADA automatically dictates the amount of damages." No. CADA establishes the right to compensation but does not set fixed damages or a formula for calculation. The amount recoverable depends on the actual "damage or loss suffered" and is determined according to national civil law.

"Only public sector bodies can claim compensation." While the primary focus of Title IV is on public procurement and Union entities, Article 24(3) refers broadly to "recipients of the cloud computing services." However, the mandatory procurement obligations (Article 30) specifically target contracting authorities and Union entities, making them the most likely and clearly defined claimants in practice. Private sector entities may also have rights if they are recipients, but the enforcement context is heavily weighted toward public order protection.

This is general information about a draft EU regulation, not legal advice.