Summary Yes. As proposed in the Cloud and AI Development Act (CADA), Article 22(3) requires that the revocation of an audit report and audit opinion by an auditing organisation, or the revocation of a recognition by a competent authority, be published in the central repository, where it must remain available for five years. The publication is a transparency measure, not a temporary flag: the record persists for the full period regardless of any later re-recognition. CADA is a draft proposal, so this requirement is not yet in force.

Detail

CADA's sovereignty framework relies on the central repository as the authoritative record of which cloud computing services have been recognised at which Union assurance level. To stay reliable, that record must show not only current recognitions but also losses of status.

The repository

Under Article 22(1), the Commission must establish and maintain a dedicated repository of services recognised under Article 17. Under Article 22(4), the repository must be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated, easily accessible website.

What Article 22(3) requires

Article 22(3) provides:

"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

Two kinds of revocation fall within this:

  1. Revocation by an auditing organisation. Under Article 20(7), an auditing organisation may revoke its audit report and opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence. The annual review under Article 20(8) can also lead the organisation to revoke an initial report and opinion. And under Article 23(2), where a provider notifies a material change, the organisation must assess whether to amend or revoke the report or opinion.
  2. Revocation by a competent authority. Under Article 17(11), the evaluating national competent authority may revoke a recognition where it finds the provider, intentionally or negligently, supplied incorrect or misleading information. Under Article 23(3), the authority may also amend or revoke a recognition following a notification under Article 23(1) or (2).

It is worth being precise about scope. What Article 22(3) publishes is the revocation of a (previously positive) audit report/opinion or of a recognition. A "negative" audit opinion on a fresh application is a different matter: it means the service was not recognised at the level sought, rather than that a recognition was revoked.

The five-year retention period

The five-year period is a fixed statutory requirement. It keeps historical information about loss of sovereignty status accessible for due-diligence purposes even after the immediate legal effect of the revocation has passed. A provider cannot quietly drop off the list and reappear without its recent revocation history remaining visible.

The retention period is significant for two practical reasons. First, it outlasts a typical public-procurement cycle, so a buyer assessing a provider for a multi-year contract can see whether the provider lost recognised status during the period in which competing bids were last evaluated. Second, it sits alongside the annual review cycle for audited levels: under Article 20(8), the audit report and positive opinion are submitted annually to the same or a different auditing organisation, which may confirm, update or revoke them. A revocation arising from that annual review — not only one arising from misconduct — falls within Article 22(3) and is published for the full five years.

How a revocation reaches the repository

Article 22(3) does not stand alone; it is the end point of mechanisms elsewhere in the framework:

  • An auditing organisation revokes its report and opinion under Article 20(7) (incorrect or misleading evidence) or following the Article 20(8) annual review, and notifies the competent authority under Article 23(2).
  • A national competent authority revokes a recognition under Article 17(11) (incorrect or misleading information) or under Article 23(3) after assessing a notified material change.
  • The authority of establishment, where it amends or revokes a recognition, also notifies the other Member States and the Commission (Article 23(3)) — and the repository, maintained jointly by the Commission and the national authorities of establishment (Article 22(4)), is updated to reflect the revocation.

The publication requirement therefore ensures the visible record matches the underlying enforcement and review actions, rather than lagging behind them.

Link to the transparency obligations

The publication mechanism is closely tied to Article 23. A recognised provider must, as soon as possible, notify the auditing organisation and the national competent authority of establishment of any information or material change in circumstances that may affect the audit report, the positive opinion (Article 20) or the recognition (Article 17). Those notifications feed the assessments that can result in revocation — and therefore in publication under Article 22(3). Failure to notify, or discovery of undisclosed changes, can itself be the kind of incorrect or misleading conduct that grounds revocation.

What this means for you

For in-house counsel and compliance officers at providers, publication of a revocation carries reputational and contractual weight.

Market access. Under Article 30, public-sector buyers must procure recognised services at the appropriate level. A revocation published in the repository removes eligibility for contracts requiring that level, and the five-year visibility means the loss of status remains on the public record even after any subsequent re-recognition.

Due diligence by counterparties. Public-sector bodies — and private entities in NIS2 critical sectors that run similar assessments under Article 31 — are likely to check the repository as part of vendor due diligence, and to write status-change triggers into contracts. You may need to monitor not only your own status but, where your recognition depends on the supply chain, that of relevant subcontractors.

Internal governance. Because revocation follows from incorrect or misleading information (Articles 17(11), 20(7)) and from failure to act on material changes (Article 23), robust internal monitoring and clear escalation triggers are the practical defence. Treat "as soon as possible" notification as a hard operational requirement.

Penalties run alongside. Publication is a public consequence, but it is not the only one: Member States must lay down effective, proportionate and dissuasive penalties for infringements by providers (Article 24), which can accompany a revocation.

Common misconceptions

"A revocation can be removed once the underlying issue is fixed." No. Article 22(3) sets a fixed five-year retention. The record stays public for that period regardless of any later re-recognition.

"Only the competent authority can revoke status." The auditing organisation can revoke its audit report and opinion (Article 20(7)). Because recognition at levels 2 to 4 depends on a positive opinion, that revocation undermines the recognised status and triggers publication under Article 22(3).

"The repository only shows active recognitions." It shows both. Article 22(3) brings revocations expressly within the published data, giving a fuller picture of the market.

"Revocation only concerns the highest levels." Audit-based revocation arises at levels 2 to 4 (which require audits under Article 20). But a level 1 recognition can also be revoked by a competent authority for incorrect or misleading information (Article 17(11)), and that revocation is likewise published for five years.

Related

This is general information about a draft EU regulation, not legal advice.