Summary

Yes, under the proposed Cloud and AI Development Act (CADA), an independent auditing organisation has the explicit power to revoke its audit report and audit opinion. This power is triggered if the audited cloud computing service provider has intentionally or negligently supplied incorrect or misleading audit evidence. Such a revocation is not merely a technical correction: it initiates a mandatory notification chain to the national competent authority, which must then assess whether to revoke the provider's formal recognition as offering a specific Union assurance level. If recognition is revoked, the provider becomes ineligible for public sector procurement requiring that assurance level.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services. A cornerstone of this framework is the requirement for independent third-party audits for services seeking recognition at Union assurance levels 2, 3, or 4. These audits are not static, one-time events but constitute an ongoing compliance obligation, reinforced by mandatory annual reviews.

The integrity of this system relies heavily on the accuracy of the evidence provided by the cloud computing service provider. If that integrity is compromised, the Act provides specific mechanisms for the auditor to withdraw their validation.

The Power to Revoke: Article 20(7)

Article 20 of the proposal governs the independent audit process for Union assurance levels 2, 3, and 4. While the article primarily details the conduct of the audit and the issuance of a "positive" or "negative" opinion, it explicitly addresses the scenario where the foundation of the audit is found to be flawed due to the provider's conduct.

Article 20(7) states:

"The auditing organisation may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence."

This provision grants the auditor a critical, discretionary tool to maintain the credibility of the sovereignty framework. The scope of this power is broad:

  • Intentional Misconduct: This covers deliberate deception, such as fabricating logs to conceal third-country access, falsifying personnel citizenship records, or hiding the existence of a controlling third-country entity.
  • Negligence: Crucially, the provision also covers negligence. This includes failures arising from poor internal controls, such as failing to provide complete data lineage documentation, submitting outdated software bills of materials (SBOMs), or overlooking critical dependencies in the supply chain.

The revocation is not limited to a specific time window following the initial audit. It can occur whenever the misleading nature of the evidence is discovered, including during the mandatory annual review process described in Article 20(8).

The Chain Reaction: From Audit Revocation to Recognition Loss

The revocation of an audit opinion is not an isolated administrative act; it directly impacts the legal status of the cloud computing service provider and triggers a cascade of regulatory consequences.

  1. Mandatory Notification: Under Article 23(2), once an auditing organisation amends or revokes an audit report or opinion, it is obligated to notify the national competent authority of establishment "as soon as possible."
  2. Authority Assessment: Upon receiving this notification, the national competent authority must assess whether its recognition of the cloud computing service needs to be amended or revoked, as mandated by Article 23(3).
  3. Revocation of Recognition: If the authority determines that the provider no longer meets the criteria for the specific Union assurance level, it may revoke the recognition. This aligns with the independent power granted to the evaluating national competent authority under Article 17(11), which states:

    "The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently, supplied incorrect or misleading information."

This creates a dual path for losing status: the auditor revokes the technical validation (the audit opinion), and the competent authority, after the assessment required by Article 23(3), revokes the legal status (the recognition). It is the revocation of recognition that removes the provider from the central repository of recognised services established under Article 22; the auditor's revocation is the event that compels the authority to consider doing so. Once removed, the provider is effectively barred from the public sector market for that assurance level.

Impact on Procurement and Penalties

For in-house counsel and compliance officers, the implications of a revoked opinion are severe and immediate.

Procurement Ineligibility: Public sector contracting authorities are mandated by Article 30 to procure only from services recognised at the appropriate Union assurance level.

  • Article 30(2) requires a minimum of Union assurance level 1 for general public sector activities.
  • Article 30(3) requires Union assurance levels 2, 3, or 4 for activities contributing to the preservation of public order (e.g., law enforcement, defence, critical infrastructure).

If a provider's recognition is revoked due to a revoked audit opinion, any ongoing contracts may be jeopardised, and the provider becomes immediately ineligible for future tenders in that tier. The public sector body would be in breach of Article 30 if it continued to procure from a provider no longer listed in the central repository.

Penalties: Furthermore, Article 24 outlines that Member States must lay down rules on penalties for infringements of Title IV, Chapter I (the sovereignty framework). Supplying misleading audit evidence constitutes an infringement of this chapter.

  • Article 24(1) requires that penalties be "effective, proportionate and dissuasive."
  • Article 24(2) lists non-exhaustive criteria for imposing penalties, including the nature, gravity, scale, and duration of the infringement, as well as any financial benefits gained or losses avoided.
  • Article 24(3) explicitly grants recipients of the cloud computing services the right to seek compensation for any damage or loss suffered due to an infringement by the provider.

What this means for you

For in-house counsel, compliance officers, and risk managers at cloud computing service providers, the ability of an auditor to revoke an opinion under Article 20(7) necessitates a robust internal governance framework around audit evidence.

  • Audit Evidence Integrity: Ensure that all data submitted to auditing organisations—from software bills of materials (SBOMs) and personnel citizenship records to data flow diagrams—is accurate, complete, and verifiable. Implement internal controls to verify this data before submission to the auditor.
  • Transparency with Auditors: If errors are discovered in previously submitted evidence, proactively notify the auditing organisation immediately. While voluntary correction does not remove the auditor's power to revoke if the evidence was fundamentally misleading, it may mitigate the perception of "intent" or "negligence," potentially influencing the severity of the outcome or subsequent penalties.
  • Annual Review Preparation: Treat the annual review under Article 20(8) as a fresh audit. Past compliance does not shield against current or historical inaccuracies. Ensure that your documentation reflects the current state of your service, especially regarding third-country control, data localisation, and software supply chain measures.
  • Contractual Risk Management: Review contracts with public sector clients for clauses related to the loss of Union assurance level recognition. A revoked audit opinion could trigger termination rights for the public sector client, as the provider would no longer meet the mandatory procurement requirements of Article 30.
  • Supply Chain Oversight: Given that auditors assess the entire supply chain (including subcontractors), ensure that your subcontractors are also compliant. Under Article 20(2), the audited provider must cooperate and provide access to all relevant data, including that of subcontractors.

Common misconceptions

"Only intentional fraud leads to revocation."

  • Reality: Article 20(7) explicitly includes "negligently" supplied incorrect evidence. Poor data management, oversight errors, or failure to update documentation can lead to revocation just as easily as deliberate deception. The standard is not just fraud; it is the integrity of the evidence.

"A 'negative' opinion is the only adverse outcome."

  • Reality: A provider can receive a "positive" opinion initially, only to have it revoked later if misleading evidence is uncovered. The revocation carries the same weight as an initial negative opinion in terms of losing recognition and market access.

"The auditor's revocation is final and automatic."

  • Reality: While the auditor revokes the audit opinion, the recognition is revoked by the national competent authority. The provider may have rights to appeal the authority's decision under national law, but the technical basis for recognition (the audit) is already nullified. The authority is not bound to wait for a court ruling to act on the auditor's notification.

"Revocation only happens once."

  • Reality: The provision applies whenever misleading evidence is discovered, including during the annual review mandated by Article 20(8). A provider cannot assume that once a year has passed without issue, the evidence is safe from future scrutiny.

This is general information about a draft EU regulation, not legal advice.