Summary

Yes, as proposed under the Cloud and AI Development Act (CADA), a Union assurance recognition for a cloud computing service can be revoked. The national competent authority of establishment holds the power to withdraw this recognition if it determines that the provider "intentionally or negligently, supplied incorrect or misleading information" during the application or audit process. Furthermore, ongoing transparency obligations under Article 23 require providers to report material changes; failure to do so, or changes that invalidate the assurance criteria, can trigger a reassessment and subsequent revocation. Any revocation is published in the central repository for five years.

Detail

Under the proposed CADA framework, obtaining a Union assurance level (ranging from Level 1 to Level 4) is not a permanent, static status. It is a conditional recognition that depends on the continued accuracy of the information provided to the authorities and the auditing organisations. The mechanism for revocation is a critical safeguard designed to maintain the integrity of the Union's cloud sovereignty framework. The primary provisions governing this process are found in Article 17 (Recognition of cloud computing service providers), Article 20 (Independent audit), Article 23 (Transparency obligations), and Article 22 (Central repository).

Grounds for Revocation by Competent Authorities

The most direct ground for the immediate revocation of a recognition by a national competent authority is explicitly set out in Article 17(11). This provision empowers the evaluating national competent authority to revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, has "intentionally or negligently, supplied incorrect or misleading information."

This clause is significant because it establishes a dual standard of liability. It covers both:

  1. Intentional misconduct: Deliberate fraud, such as fabricating evidence of infrastructure location or falsifying ownership structures to bypass third-country control criteria.
  2. Negligence: Careless errors, such as submitting outdated organisational charts, failing to update the software bill of materials (SBOM), or overlooking a material change in subcontractor status that affects the assurance level.

If a provider makes a mistake in their application or fails to correct known inaccuracies, the authority responsible for the initial recognition (the authority of the Member State where the provider has its main establishment) has the discretion to withdraw the status. This ensures that the central repository of recognised services remains a trusted source of truth for public sector buyers across the Union.

The Role of Transparency and Material Changes

Revocation is not limited to the initial application phase; it is deeply intertwined with the ongoing transparency obligations set out in Article 23. Once a service is recognised, the provider has a continuous duty to monitor its compliance. Article 23(1) mandates that the recognised cloud computing service provider must, "as soon as possible," notify the auditing organisation and the national competent authority of establishment upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."

When such a notification occurs, or if the authority discovers a material change independently, the process follows a strict cascade:

  1. Audit Reassessment: The auditing organisation assesses whether the existing audit report or opinion needs to be amended or revoked based on the new information (Article 23(2)).
  2. Audit Notification: If the auditing organisation amends or revokes the audit report or opinion, it must notify the national competent authority of establishment "as soon as possible" (Article 23(2)).
  3. Recognition Assessment: The national competent authority then assesses whether its recognition needs to be amended or revoked (Article 23(3)).

If the authority determines that the material change means the service no longer complies with the cumulative criteria for its specific Union assurance level (as defined in Annex II), it will revoke the recognition. The authority must then notify the competent authorities of the other Member States and the Commission. This notification ensures that the revocation is effective across the entire Union, preventing a provider from operating under a revoked status in one Member State while being recognised in another.

Revocation by Auditing Organisations

While Article 17 deals with the authority's revocation of the legal recognition, Article 20(7) grants auditing organisations the power to revoke their own audit reports and opinions. This can happen if the audited provider "intentionally or negligently, supplied incorrect or misleading audit evidence."

This creates a critical dependency: the formal recognition by the competent authority is predicated on a valid audit report and a "positive" audit opinion. If an auditing organisation revokes its positive opinion because the provider failed to provide accurate evidence (e.g., hiding a third-country subsidiary or failing to disclose a change in data location), the foundational evidence for the recognition disappears. Consequently, the competent authority is likely to revoke the formal recognition, as the service can no longer be verified as meeting the assurance criteria.

Publication and the Five-Year Rule

To maintain market transparency and protect public order, Article 22(3) mandates that the revocation of an audit report, an audit opinion, or a recognition by a competent authority must be published in the central repository. Crucially, this information "shall remain available there for five years."

This five-year retention period serves as a significant deterrent and a transparency mechanism. It ensures that public sector contracting authorities, Union entities, and other stakeholders are immediately aware that a service no longer holds a specific assurance level. It prevents the procurement of services that no longer meet the required sovereignty or security standards and allows for historical tracking of provider compliance.

What this means for you

For cloud service providers and data centre operators seeking or holding a Union assurance level, the possibility of revocation underscores the critical importance of data accuracy, rigorous internal controls, and proactive communication.

1. Rigorous Internal Controls are Essential. Because Article 17(11) penalises both intentional and negligent supply of incorrect information, you must implement robust internal verification processes before submitting any application or evidence to the competent authority or auditing organisation. A simple clerical error, such as an outdated list of subcontractors or a misstated location of a backup server, could theoretically lead to the loss of your recognised status. The standard of care required is high; negligence is not a valid defence against revocation.

2. Treat Transparency Obligations as Continuous. Do not view the recognition process as ending once you receive the decision. Under Article 23, you have a continuous duty to monitor your operations. If you undergo a significant change in infrastructure, subcontractor arrangements, data processing locations, or ownership structure that affects your compliance with the assurance level criteria, you must report it immediately. Failure to report material changes can be construed as supplying misleading information, exposing you to revocation.

3. Prepare for the Impact of Revocation. If your recognition is revoked, it will be published in the central repository for five years. This public record can damage your reputation and may disqualify you from existing or future public procurement tenders that require a specific Union assurance level. Ensure your contracts with public sector clients include clauses that address the transition or termination of services in the event of a loss of certification or recognition.

4. Engage Proactively with Authorities. If you discover an error in your submitted information, do not ignore it. Proactively correcting the record and notifying the authority under Article 23 may mitigate the severity of the situation compared to having the error discovered during an inspection or audit. Engage early with your national competent authority to understand how best to remedy the issue and potentially avoid revocation.

Common misconceptions

Misconception: Recognition is a one-time certification. Many providers assume that once they pass the audit and receive recognition, they are "certified" for a fixed period without further scrutiny. In reality, CADA establishes a dynamic framework. The recognition is contingent on continuous compliance and the accuracy of the underlying data. Material changes in your business operations can invalidate your status if not properly managed and reported.

Misconception: Only intentional fraud leads to revocation. Providers often believe that only deliberate deception will trigger penalties. However, Article 17(11) explicitly includes "negligently" supplied incorrect information. This means that sloppy documentation, outdated records, or failure to update authorities on minor but relevant changes can lead to revocation. The standard of care required is high.

Misconception: Revocation is an internal matter. Some providers think that losing recognition is a private issue between the provider and the national authority. In fact, Article 22(3) requires the revocation to be published in a central, publicly accessible repository for five years. This transparency is designed to protect public order and ensure that other Member States and public buyers are aware of the change in status.

Misconception: Revocation only happens at the application stage. While the initial application is a high-risk period for errors, revocation can occur at any time during the validity of the recognition. The ongoing duty to report material changes under Article 23 means that a provider can lose their status years after initial recognition if their operations drift out of compliance or if they fail to report a change.

This is general information about a draft EU regulation, not legal advice.