Summary

Under the proposed Cloud and AI Development Act (CADA), transparency obligations for cloud computing service providers are continuous and ongoing, not limited to the periodic audit cycle. Article 23(1) imposes a strict, event-driven duty: providers must notify their auditing organisation and the national competent authority "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect their recognised Union assurance level. This obligation is triggered immediately by the provider's awareness of a change, regardless of when the next scheduled annual audit or review occurs. Failure to report such changes between audits constitutes a breach of the regulation.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic framework for cloud sovereignty based on four "Union assurance levels" (UAL 1 to 4). While the framework relies on independent third-party audits for levels 2, 3, and 4 (and self-assessment for level 1), the regulation explicitly rejects the notion that compliance is a static, point-in-time achievement. Instead, it mandates a regime of continuous vigilance to ensure that the status of a recognised service remains accurate and reliable throughout its entire lifecycle.

The Continuous Nature of Transparency Obligations

The core mechanism for maintaining this continuous oversight is found in Article 23 of the proposal. Unlike many regulatory frameworks that rely solely on periodic reporting, CADA creates an immediate, reactive obligation. The text of Article 23(1) is unequivocal:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

This provision establishes three critical principles that define the continuous nature of the duty:

  1. Event-Driven Trigger: The obligation is not calendar-based. It is triggered by the provider's subjective awareness ("on becoming aware") of a change. The clock starts ticking the moment the provider knows of a relevant alteration in their operations, infrastructure, or governance.
  2. Immediate Action: The phrase "as soon as possible" imposes a duty of promptness. Providers cannot defer disclosure until their next scheduled audit, annual review, or renewal cycle. Delaying notification to align with a future audit date would violate the "as soon as possible" requirement.
  3. Broad Scope: The duty applies to any change that "may affect" the audit report, the positive opinion, or the recognition itself. This captures a wide range of potential issues, from minor operational shifts to major structural changes, provided they have the potential to impact compliance with the Union assurance level criteria.

Distinguishing Article 23 from the Annual Audit Cycle

It is vital to distinguish the continuous duty under Article 23 from the periodic review requirement under Article 20(8).

  • Article 20(8) (Annual Review): This provision requires audited providers to submit their audit report and associated "positive" audit opinion to an auditing organisation for review annually. This is a proactive, scheduled check designed to confirm that the provider continues to meet the criteria for their assurance level over time. It is a routine maintenance check.
  • Article 23 (Continuous Notification): This is a reactive, ad-hoc obligation. It exists specifically to address gaps between annual reviews. If a material change occurs on day 10 of a 365-day cycle, the provider cannot wait until day 365 to report it. They must notify immediately under Article 23.

Relying on the annual review to discharge the duty under Article 23 is legally insufficient. The two mechanisms are complementary: the annual review provides a systematic verification, while Article 23 ensures real-time transparency for unforeseen or urgent changes.

What Constitutes a "Material Change"?

While Article 23 does not provide an exhaustive definition of "material change," the context of the Union assurance levels (set out in Annex II) and the audit criteria (set out in Annex III) clarifies the scope. A material change is any alteration in the provider's operations, infrastructure, personnel, or governance that could compromise compliance with the specific cumulative criteria for their recognised Union assurance level.

Based on the criteria in Annex II, examples of potential material changes include:

  • Infrastructure Relocation: Moving data storage, processing assets, or backup systems outside the Union. This would directly violate the data localisation requirements for UAL 1, 2, and 3, and the sensitive data requirements for UAL 4.
  • Personnel Changes: Alterations in the citizenship or location of personnel involved in service provision. For UAL 2, 3, and 4, strict requirements exist regarding Union citizenship and location of personnel. A change in the nationality of key operational staff or the location of a support centre could trigger a notification.
  • Third-Country Control: Any change in ownership, shareholding, or governance that subjects the provider to the control of a third country or a legal entity established in a third country. This is a critical sovereignty criterion, particularly for UAL 3 and 4, where such control is generally prohibited unless a specific derogation under Article 18 applies.
  • Subcontractor Shifts: Engaging new subcontractors that do not meet Union establishment or location requirements, or changing the nature of support arrangements to include non-EU technical support, which is prohibited for higher assurance levels.
  • Cybersecurity Status: A breach, incident, or change in security posture that affects the validity of the European cybersecurity certificate (required for UAL 2, 3, and 4) or the demonstration of compliance with state-of-the-art standards.
  • Software Supply Chain: Changes in the software bill of materials (SBOM) or the introduction of third-country software components that lack the required controls (e.g., remote features that could disrupt service), as detailed in Annex II.

The Consequence Chain: From Notification to Revocation

The notification under Article 23(1) initiates a specific chain of assessment and potential enforcement actions:

  1. Auditor Assessment: Upon receiving the notification, the auditing organisation must assess whether the audit report or the "positive" audit opinion needs to be amended or revoked (Article 23(2)). If the auditor concludes that the provider no longer complies, they must notify the national competent authority of establishment.
  2. Authority Assessment: The national competent authority of establishment must then assess whether its recognition of the cloud computing service needs to be amended or revoked (Article 23(3)).
  3. Union-Wide Notification: If the authority amends or revokes the recognition, it must notify the national competent authorities of the other Member States and the Commission.
  4. Repository Update: This process ensures that the central repository of recognised services (established under Article 22) remains up-to-date. Public sector bodies and Union entities relying on these services can then verify the current status of the provider before procuring services.

This mechanism ensures that the "Union assurance level" is not a static badge but a dynamic status that reflects the provider's current reality.

What this means for you

For cloud service providers (CSPs) seeking or holding a Union assurance level, the continuous transparency requirement under Article 23 necessitates a fundamental shift in internal governance. Compliance is no longer a project with a start and end date (the audit); it is an ongoing operational state.

  1. Implement Real-Time Monitoring Systems: You must establish systems capable of detecting material changes in your infrastructure, personnel, supply chain, and corporate structure in real time. This includes automated monitoring of subcontractor activities, changes in corporate registries, and shifts in data flow patterns.
  2. Define "Material Change" Internally: Develop internal guidelines that map the criteria in Annex II to your specific operations. Train your engineering, HR, legal, and procurement teams to identify what constitutes a "material change" under the specific criteria of your recognised Union assurance level. For example, HR must know that hiring a non-EU citizen for a critical role in a UAL 4 service is a reportable event.
  3. Establish Immediate Notification Protocols: Create clear, streamlined internal procedures for escalating potential material changes to the compliance team. Ensure that the legal and compliance teams are empowered to trigger the notification to the auditing organisation and the national competent authority "as soon as possible" without bureaucratic delay.
  4. Document the "Awareness" Timeline: Keep detailed records of when a change was first identified, when it was assessed, and when the notification was sent. This documentation is crucial for demonstrating that you acted "as soon as possible" and complied with the continuous duty.
  5. Contractual Obligations for Subcontractors: Ensure that your contracts with subcontractors include explicit clauses requiring them to notify you immediately of any changes that could affect your CADA compliance. You cannot fulfil your Article 23 obligation if you are unaware of a subcontractor's breach because of poor contractual terms.
  6. Prepare for Rapid Response: Be ready to provide the auditing organisation and competent authority with all necessary evidence to support your notification. This may include updated organisational charts, new lease agreements, or revised security policies.

Common misconceptions

Misconception 1: "I only need to report changes during my annual audit." This is incorrect. Article 23(1) creates a standalone, ongoing obligation that is triggered by awareness of a change, regardless of the audit schedule. Waiting for the annual review under Article 20(8) to report a change that occurred months earlier would be a violation of the "as soon as possible" requirement.

Misconception 2: "Only catastrophic failures or massive infrastructure moves are 'material'." The term "material change" is not limited to major disasters. The standard is whether the change "may affect" the audit report or recognition. This includes seemingly minor changes, such as the onboarding of a new subcontractor, a change in the location of backup data, or a shift in the citizenship of a key support engineer, if those changes impact compliance with the specific Union assurance level criteria.

Misconception 3: "If the auditor says it's fine, I don't need to tell the authority." While the auditing organisation assesses the impact of a change, the national competent authority of establishment retains the ultimate power to amend or revoke recognition (Article 23(3)). Providers must notify the authority directly under Article 23(1); they cannot rely on the auditor to act as a proxy for this notification.

Misconception 4: "This only applies to UAL 2, 3, and 4 because they require audits." While Article 23 references the audit report under Article 20 (which applies to UAL 2, 3, and 4), it also explicitly references the "recognition under Article 17." Article 17 covers recognition for all Union assurance levels, including UAL 1 (which relies on self-assessment). Therefore, providers recognised at UAL 1 also have continuous transparency obligations if a change affects their recognition status.

Misconception 5: "I can wait until the end of the quarter to report." The phrase "as soon as possible" in Article 23(1) precludes waiting for a reporting cycle (quarterly, monthly, etc.). The duty is triggered immediately upon awareness. Delaying notification to fit an internal reporting schedule could be interpreted as a failure to comply with the regulation.

This is general information about a draft EU regulation, not legal advice.