Summary

Under the proposed Cloud and AI Development Act (CADA), the European Union does not prescribe fixed fine amounts for infringements of the cloud computing sovereignty framework. Instead, Article 24(1) explicitly mandates that Member States are responsible for laying down the specific rules on penalties applicable to cloud computing service providers within their competence. Member States must ensure these penalties are "effective, proportionate and dissuasive" and are required to notify the European Commission of these rules and any subsequent amendments as soon as possible. While the framework is harmonized, the enforcement mechanics remain national.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a unified Union cloud computing sovereignty framework comprising four assurance levels. However, the legislative design deliberately separates the definition of the sovereignty criteria from the enforcement of penalties. This approach respects the principle of subsidiarity in administrative enforcement while ensuring a consistent baseline of deterrence across the single market.

The Decentralized Penalty Framework: Article 24(1)

The primary provision governing sanctions is Article 24, titled "Penalties and compensation." Paragraph 1 of this article establishes the fundamental division of responsibility. It states:

"Member States shall lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented."

This text confirms that the CADA proposal does not contain a schedule of fixed fines (e.g., "€10 million for Level 3 breaches"). Instead, it imposes a duty on Member States to transpose the sovereignty obligations into their national legal systems and to define the corresponding sanctions. The phrase "within their competence" refers to the jurisdiction of the Member State where the cloud computing service provider has its main establishment, as defined in Article 25(4), which grants exclusive competence to the Member State of the provider's head office or registered office.

The regulation imposes a strict qualitative standard on these national rules. Article 24(1) further mandates that:

"The penalties provided for shall be effective, proportionate and dissuasive."

This triad of criteria—"effective, proportionate and dissuasive"—is a standard formulation in EU law, ensuring that penalties are not merely symbolic but capable of actually preventing infringements and punishing those that occur, while remaining commensurate with the severity of the breach.

The Notification Obligation

To prevent regulatory fragmentation and ensure the Commission can monitor the consistency of the sovereignty framework, Article 24(1) includes a specific transparency mechanism. Member States are not free to implement these rules in isolation without oversight. The text requires:

"Member States shall, as soon as possible, notify the Commission of those rules and of those measures and shall notify the Commission of any subsequent amendment affecting them."

This obligation serves two purposes. First, it allows the Commission to verify that national rules meet the "effective, proportionate and dissuasive" threshold. Second, it enables the Commission to track the evolution of national enforcement regimes. If a Member State were to adopt rules that are too lenient (failing the "dissuasive" test) or too harsh (failing the "proportionate" test), the Commission could potentially initiate infringement proceedings or issue guidance to correct the divergence. The "as soon as possible" timeline underscores the urgency of aligning national enforcement with the Union's strategic autonomy goals.

Criteria for Imposing Penalties: Article 24(2)

While Member States define the specific penalty structures (e.g., whether they use administrative fines, criminal sanctions, or a combination), Article 24(2) provides a non-exhaustive list of criteria that national authorities shall take into account when imposing penalties. This ensures that even with decentralized rules, the application of penalties follows a harmonized logic based on the severity of the infringement.

The criteria listed in Article 24(2) include:

  • Nature, gravity, scale and duration: The specific characteristics of the infringement.
  • Mitigation: Any action taken by the infringing party to mitigate or remedy the damage caused.
  • Recidivism: Any previous infringements by the infringing party.
  • Financial gain: The financial benefits gained or losses avoided by the infringing party due to the infringement, provided these can be reliably established.
  • Aggravating or mitigating factors: Any other relevant circumstances.
  • Turnover: The infringing party's annual turnover in the Union in the preceding financial year.

The inclusion of "annual turnover" is significant. It suggests that Member States are expected to design penalty regimes that can scale with the size of the provider, potentially mirroring the turnover-based fine structures found in other major EU regulations like the GDPR or the AI Act, even if CADA itself does not set a specific percentage cap.

Civil Liability and Compensation: Article 24(3)

Beyond administrative penalties imposed by public authorities, Article 24(3) establishes a distinct civil remedy for private parties. This provision ensures that the sovereignty framework has teeth not only before regulators but also in civil litigation.

The text states:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

This creates a direct cause of action for public sector bodies, Union entities, or private entities (where applicable under the scope of the sovereignty framework) that suffer harm because a provider failed to meet the required Union assurance level or violated other sovereignty obligations. The right to compensation is exercised "in accordance with Union and national law," meaning the procedural aspects (burden of proof, statute of limitations) will be governed by the national legal system, but the substantive right is established by CADA.

What this means for you

For legal counsel, compliance officers, and cloud service providers, the decentralized nature of CADA's penalty regime requires a nuanced, multi-jurisdictional strategy.

1. No Single "CADA Fine" Table

You cannot look to the CADA text to find a maximum fine amount. Unlike the AI Act, which sets specific caps (e.g., €35 million or 7% of turnover), CADA leaves this to national discretion. A provider operating in multiple Member States must map the penalty regimes of each jurisdiction where it has a main establishment or where infringements might be prosecuted. A breach of the same sovereignty criterion could result in vastly different financial consequences depending on the national transposition.

2. The Critical Role of Notification

The obligation for Member States to notify the Commission means that the specific rules will eventually be public. However, the "as soon as possible" requirement implies a dynamic landscape. Compliance teams should monitor the Commission's registers and national official journals for these notifications. Failure to update internal compliance policies based on new national rules could be interpreted as a lack of due diligence, potentially acting as an aggravating factor under Article 24(2)(e).

3. Mitigation is a Strategic Defense

Article 24(2)(b) explicitly lists "action taken... to mitigate or remedy the damage" as a criterion for penalty imposition. This makes robust incident response and remediation plans a critical component of risk management. If a provider discovers a breach of the sovereignty framework (e.g., an unauthorized data transfer outside the Union), immediately halting the breach, notifying the competent authority, and implementing corrective measures could significantly reduce the final penalty.

4. Contractual Risk Transfer

Article 24(3) creates a direct right to compensation for service recipients. Public sector bodies, which are the primary targets of the sovereignty framework, will likely demand stronger indemnity clauses in their contracts. Providers must review their standard terms and conditions to ensure they adequately address the risk of compensation claims arising from sovereignty infringements. This is particularly relevant for providers seeking recognition at higher assurance levels (2, 3, or 4), where the stakes for public order are higher.

5. Turnover as a Multiplier

The explicit mention of "annual turnover" in Article 24(2)(f) signals that Member States are expected to consider the economic scale of the provider. Large hyperscalers should anticipate that national authorities may adopt turnover-based fine structures similar to those in the GDPR or AI Act to ensure the penalties remain "dissuasive." Small and medium-sized enterprises (SMEs) should also be aware that while their turnover is lower, the "proportionate" requirement does not exempt them from penalties, but rather scales them to their capacity.

Common misconceptions

"The European Commission sets the fines for CADA." This is incorrect. The Commission oversees the framework and the recognition of assurance levels, but Article 24(1) explicitly assigns the power to "lay down the rules on penalties" to Member States. The Commission's role is limited to receiving notifications and ensuring the national rules meet the "effective, proportionate and dissuasive" standard.

"CADA has fixed maximum fines like the AI Act." Unlike the AI Act, which specifies fines up to €35 million or 7% of turnover for certain breaches, CADA does not enumerate specific monetary caps in the text. The maximum penalty is determined by the national law of the Member State where the provider is established, subject only to the qualitative criteria of Article 24.

"Only administrative authorities can punish providers." Article 24(3) clarifies that private parties (recipients of the service) have a right to seek compensation for damages. This creates a dual enforcement mechanism: administrative penalties imposed by the state and civil liability claims brought by affected customers.

"Once a Member State sets the rules, they never change." Article 24(1) requires Member States to notify the Commission of "any subsequent amendment affecting them." The penalty landscape is dynamic, and providers must remain vigilant for updates to national laws that could alter their liability exposure.

This is general information about a draft EU regulation, not legal advice.