Summary
Yes, under the proposed Cloud and AI Development Act (CADA), a cloud provider can lose its recognised sovereignty tier if it fails to disclose material changes to its service or circumstances. Article 23 imposes a strict transparency obligation requiring providers to notify their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any information that may affect their audit report or recognition. Failure to comply triggers a mandatory reassessment by the auditor and the authority, which can lead to the amendment or revocation of the provider's Union assurance level. Crucially, any such revocation must be published in the central repository and remain visible for five years, effectively removing the provider from the list of eligible sovereign services for public sector procurement.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework comprising four distinct assurance levels (Union assurance levels 1 to 4). To offer services to Union entities and public sector bodies at these levels, providers must undergo specific conformity assessments (for Level 1) or independent third-party audits (for Levels 2, 3, and 4). However, this recognition is not a one-time event; it is a dynamic status contingent upon ongoing compliance with the criteria set out in Annex II of the Regulation.
The integrity of this framework relies heavily on the continuous accuracy of the information held by auditors and regulators. Article 23 serves as the critical "early warning" mechanism, ensuring that any shift in a provider's operational reality—such as a change in data location, corporate control, or cybersecurity posture—is immediately flagged for review.
The Strict Obligation to Disclose Material Changes
Article 23(1) of the CADA proposal establishes a non-negotiable duty for recognised cloud computing service providers. It mandates that a provider must notify its auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."
This obligation is broad in scope. A "material change" is not limited to catastrophic failures; it encompasses any alteration that could impact the cumulative criteria for the specific assurance level. This includes, but is not limited to:
- Changes in the location of infrastructure or assets.
- Shifts in the nationality or citizenship of personnel handling the service.
- New subcontracting arrangements outside the Union.
- Changes in corporate control or ownership structures that might introduce third-country influence.
- Cybersecurity incidents that compromise the "state-of-the-art" standards required.
For providers at Union assurance levels 2, 3, and 4, this notification is directly linked to the validity of the independent audit opinion. For Level 1 providers, while the mechanism is a self-assessment, the obligation to report changes affecting the "recognition" remains equally binding to ensure the central repository remains accurate.
The Reassessment and Revocation Mechanism
The notification process initiates a rigorous two-stage verification procedure designed to protect the public interest.
Article 23(2) dictates the immediate response of the auditing organisation. Upon receiving a notification (or becoming aware of a change through other means), the auditor must assess whether the existing audit report or the "positive" audit opinion needs to be amended or revoked. If the auditor concludes that the material change means the provider no longer meets the criteria for their current assurance level, they must revoke the opinion. The Regulation is explicit on the next step: if the auditing organisation amends or revokes the report or opinion, it must "as soon as possible, notify the national competent authority of establishment."
Simultaneously, Article 23(3) empowers the national competent authority of establishment to take regulatory action. Based on the notification from the provider (under paragraph 1) or the auditor (under paragraph 2), the authority must assess whether its formal recognition of the cloud computing service needs to be amended or revoked. If the authority determines that the provider no longer qualifies, it must "as soon as possible, notify the national competent authorities of the other Member States and the Commission."
This cascade ensures that a loss of status in one Member State is immediately communicated across the Union, preventing a provider from continuing to market itself as "sovereign" in other jurisdictions while being non-compliant in its home state.
The Consequence: Publication in the Central Repository
The most severe commercial consequence of failing to disclose a change is the public nature of the revocation. The CADA proposal establishes a central repository of recognised services under Article 22. This database is the definitive source for public sector contracting authorities to verify which providers meet the required assurance levels.
Article 22(3) explicitly states that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This publication is not merely an administrative formality; it is a market exclusion mechanism. Under Article 30, contracting authorities are legally required to procure cloud services that meet specific assurance levels based on their risk assessments. If a provider's recognition is revoked and published in the repository, they are immediately ineligible for public sector contracts requiring that level of sovereignty. The five-year retention period ensures that the market remains aware of the provider's past non-compliance, creating a long-term reputational and commercial barrier to re-entry.
Furthermore, while Article 23 focuses on the procedural mechanism of revocation, Article 24 outlines the penalty regime. Member States must lay down rules for penalties that are "effective, proportionate and dissuasive." Non-disclosure of a material change, particularly if it leads to a breach of sovereignty criteria, could be viewed as a serious infringement, potentially attracting significant fines in addition to the loss of market access.
What this means for you
For cloud service providers, data centre operators, and their legal/compliance teams, Article 23 transforms sovereignty compliance from a static certification into a continuous operational discipline.
- Implement Real-Time Monitoring: You cannot rely on annual audits to catch changes. You must establish internal systems to detect "material changes" the moment they occur. This includes monitoring supply chain shifts, data routing changes, and corporate governance updates.
- Define "Material" Proactively: Given the strict criteria in Annex II (e.g., data must remain exclusively within the Union for higher tiers), almost any deviation in data flow or subcontractor location could be material. Define these thresholds clearly in your internal governance policies.
- Adopt a "Notify Immediately" Protocol: The legal standard is "as soon as possible." Delays in notification can be interpreted as negligence or an attempt to conceal non-compliance. Your protocol must ensure that the auditing organisation and the national competent authority are informed before the change is implemented, or immediately upon discovery.
- Prepare for Public Scrutiny: Understand that the cost of non-disclosure is not just a fine; it is public removal from the central repository. A revocation published for five years will be visible to every public sector buyer in the EU, effectively blacklisting the service for sovereign contracts.
- Audit Cooperation is Key: Ensure your contracts with auditing organisations include clear clauses for rapid information exchange. The auditor has the power to revoke their opinion unilaterally if they deem the change material; maintaining a transparent relationship is your best defence against sudden revocation.
Common misconceptions
Misconception 1: "Once I am recognised, I am safe until my next audit." Reality: Recognition is conditional and dynamic. Article 23 requires immediate reporting of material changes. Failure to report can lead to revocation at any time, regardless of when your last audit was completed.
Misconception 2: "I only need to tell my auditor; the authority will find out later." Reality: Article 23(1) explicitly requires notification to both the auditing organisation and the national competent authority of establishment. Failing to notify either party is a direct breach of the Regulation.
Misconception 3: "Revocation is a private administrative decision." Reality: Revocation is a public event. Article 22(3) mandates that revocations be published in the central repository for five years. This public record is the primary tool for public sector buyers to verify eligibility.
Misconception 4: "Minor operational tweaks don't count as material changes." Reality: The threshold is whether the change "may affect the audit report... or the recognition." Given the strict sovereignty criteria (e.g., data localisation, personnel citizenship), even minor changes in data routing or subcontractor status can be material and trigger the Article 23 obligation.
This is general information about a draft EU regulation, not legal advice.