Summary

Under the proposed Cloud and AI Development Act (CADA), the European Union does not set fixed fine amounts for transparency infringements. Instead, Article 24(1) explicitly mandates that individual Member States are responsible for laying down the specific rules on penalties applicable to infringements of the sovereignty and transparency chapters. These national rules must be "effective, proportionate and dissuasive." While the Commission receives notifications of these rules to ensure consistency, the actual calculation of fines and administrative procedures are determined at the national level. Additionally, Article 24(3) grants service recipients a direct right to seek compensation for damages caused by such infringements.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for cloud sovereignty and transparency. A critical component of this framework is the enforcement mechanism for providers who fail to meet their obligations, particularly regarding the reporting of material changes to their Union assurance levels. Unlike some EU regulations that prescribe specific maximum fines (e.g., the AI Act's Article 99), CADA adopts a decentralized approach to penalty setting, relying on national legal systems to enforce the "effective, proportionate and dissuasive" standard.

The Decentralized Penalty Framework

The primary authority for setting penalties lies with the Member States. Article 24(1) of the proposal states: "Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented."

This provision creates a dual-layer obligation for Member States:

  1. Legislative Action: They must enact national laws or regulations that define the specific sanctions for breaches of the CADA sovereignty chapter (Title IV, Chapter I). This includes transparency failures, such as the failure to notify competent authorities of material changes under Article 23.
  2. Notification Duty: Member States are required to notify the European Commission of these rules "as soon as possible" and must also notify the Commission of "any subsequent amendment affecting them." This ensures the Commission can monitor the harmonization of enforcement across the single market, even if the specific fine amounts vary.

Crucially, the proposal does not establish a single EU-wide fine cap (e.g., a fixed percentage of turnover) for these infringements. Instead, it sets a qualitative standard that national penalties must meet.

The "Effective, Proportionate and Dissuasive" Standard

While Member States have discretion in the specific amounts, Article 24(1) imposes a strict qualitative constraint: "The penalties provided for shall be effective, proportionate and dissuasive."

  • Effective: The penalty must be capable of actually achieving the regulatory objective, which is to ensure compliance with transparency and sovereignty rules. A penalty that is too low to impact a large hyperscaler would fail this test.
  • Proportionate: The sanction must be commensurate with the severity of the infringement. A minor administrative delay in reporting a non-critical change should not incur the same penalty as a deliberate concealment of third-country control that undermines public order.
  • Dissuasive: The penalty must be significant enough to deter both the infringing provider and other market participants from violating the rules.

Criteria for Determining Penalties

To guide Member States in designing penalty regimes that meet the "effective, proportionate and dissuasive" standard, Article 24(2) provides a non-exhaustive list of criteria that must be taken into account when imposing penalties. These criteria ensure that enforcement is nuanced and fact-specific. The criteria include:

  • Nature, gravity, scale and duration: The severity of the breach, how widespread it was, and how long it persisted.
  • Mitigation actions: Any steps taken by the provider to mitigate or remedy the damage caused by the infringement.
  • Recidivism: Any previous infringements by the same party.
  • Financial benefits: The financial benefits gained or losses avoided by the infringing party due to the infringement, "insofar as such benefits or losses can be reliably established." This is particularly relevant for transparency breaches where a provider might have avoided the cost of migrating to a compliant service by hiding a non-compliant status.
  • Aggravating or mitigating factors: Any other circumstances specific to the case.
  • Turnover: The infringing party's annual turnover in the preceding financial year in the Union. This criterion allows Member States to calibrate fines relative to the provider's economic size, ensuring that penalties are meaningful for large multinational corporations.

These criteria are directly applicable to transparency infringements under Article 23, which requires providers to notify authorities of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion." For example, if a provider fails to disclose a change in third-country control that would have downgraded their assurance level, the "financial benefits avoided" (by continuing to serve public bodies that require higher assurance) and the "gravity" of the breach would be central to the penalty calculation.

Right to Compensation

Beyond administrative penalties imposed by national authorities, Article 24(3) establishes a private right of action for service recipients. The text states: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This provision creates a dual-risk environment. A provider failing to meet transparency obligations faces not only regulatory fines from the Member State but also potential civil liability from public sector bodies or Union entities that suffer operational disruption, data loss, or reputational harm due to the infringement. The compensation claim is subject to national procedural rules but is grounded in the EU-level right established by the proposal.

What this means for you

For legal counsel, compliance officers, and risk managers at cloud computing service providers, the decentralized penalty structure of CADA requires a sophisticated, multi-jurisdictional strategy.

1. Map National Transposition Landscapes

Because Article 24(1) delegates penalty setting to Member States, there is no single "CADA fine schedule." You must monitor the legislative transposition in every Member State where you provide services to public sector bodies. A transparency breach in one country might result in a fixed administrative fine, while in another, it could trigger a turnover-based penalty. Your compliance team must track the specific national laws implementing Article 24 to understand the precise financial exposure in each jurisdiction.

2. Prioritize "Material Change" Detection

The most immediate trigger for penalties is the failure to report under Article 23. Your internal governance must include robust mechanisms to detect "material changes" in real time. This includes changes in:

  • Ownership structures (e.g., acquisition by a third-country entity).
  • Infrastructure location (e.g., data moving outside the Union).
  • Subcontractor arrangements.
  • Cybersecurity status or audit opinions.

Failure to report these changes "as soon as possible" is a direct infringement of the chapter covered by Article 24. The "dissuasive" nature of penalties means that delayed reporting will likely be treated as a serious aggravating factor.

3. Quantify "Benefits Avoided" for Risk Modeling

When conducting internal risk assessments, do not just look at the potential fine. Under Article 24(2), regulators will consider the "financial benefits gained or losses avoided." If a provider continues to serve a high-assurance public contract by hiding a non-compliant status, the "losses avoided" (i.e., the revenue from that contract that would have been lost if they had migrated to a compliant provider) could be a significant component of the penalty. Your financial models must account for this potential clawback.

4. Prepare for Dual Liability

Be aware that Article 24(3) creates a separate avenue for liability. Even if a national authority decides not to impose a fine (or imposes a low one), a public sector client can sue for damages. Your contracts with public bodies should include clear indemnity clauses and service level agreements, but recognize that these may not fully shield you from statutory compensation claims if a transparency failure causes demonstrable harm.

Common misconceptions

"The European Commission sets the fine amounts for CADA violations." Correction: The Commission does not set specific fine amounts. As per Article 24(1), Member States lay down the rules on penalties. The Commission's role is limited to receiving notifications of these national rules and ensuring they meet the EU standard of being "effective, proportionate and dissuasive."

"Transparency infringements are minor administrative errors with low penalties." Correction: The requirement for penalties to be "dissuasive" under Article 24(1), combined with the inclusion of "annual turnover" and "financial benefits avoided" in Article 24(2), indicates that penalties for serious transparency breaches (such as hiding third-country control) could be substantial. The proposal treats sovereignty and transparency as critical to public order, not merely administrative formalities.

"Only the state can penalize a provider for transparency failures." Correction: While Member States impose administrative penalties, Article 24(3) explicitly grants recipients of the service the right to seek compensation for damages. This creates a dual-risk environment involving both regulatory fines and private civil liability.

"CADA penalties are the same as AI Act penalties." Correction: The AI Act (Regulation (EU) 2024/1689) sets specific maximum fines (e.g., up to €35 million or 7% of turnover under Article 99). CADA, as proposed, does not set these fixed caps. Instead, it relies on Member States to determine the specific amounts based on the criteria in Article 24(2), ensuring flexibility but requiring national implementation.

This is general information about a draft EU regulation, not legal advice.