Summary Yes. Under the proposed Cloud and AI Development Act (CADA), recognition of a cloud service at a Union assurance level would not be a permanent licence; it would depend on continuous compliance with the criteria for the claimed level. A service could be downgraded or have its recognition revoked if it fails to maintain those criteria, if a material change occurs, if an annual audit review fails, or if the provider supplied incorrect or misleading information. The mechanism rests on transparency obligations (Article 23), annual audit reviews (Article 20(8)), and the powers of national competent authorities (Article 17).

Detail

Under the proposal, recognition at a Union assurance level (1, 2, 3 or 4) would be a dynamic status, not a static certificate. The framework is meant to keep the sovereignty guarantees — data localisation, personnel citizenship, absence of third-country control — valid over time, so loss of recognition is a core enforcement mechanism.

Material changes and re-assessment

The principal trigger for amending or revoking recognition is Article 23. It requires a recognised provider, on becoming aware of any information or material change in circumstances that may affect the audit report, the positive audit opinion (under Article 20) or the recognition (under Article 17), to notify the auditing organisation and the national competent authority of establishment "as soon as possible."

A "material change" is any shift in operations, legal structure or technical environment that could affect compliance with Annex II. Examples include:

  • a change in ownership or control introducing a third-country entity able to access data or disrupt service continuity;
  • relocation of infrastructure or personnel outside the Union in breach of the level's localisation requirements;
  • adoption of subcontractors that do not meet the required sovereignty or cybersecurity criteria;
  • changes in the laws of a controlling third country that could enable extraterritorial data access.

On notification, the auditing organisation assesses whether the audit report or opinion needs to be amended or revoked, and if it amends or revokes them, notifies the national competent authority of establishment (Article 23(2)).

The role of national competent authorities

Under Article 23(3), the national competent authority of establishment then assesses whether its recognition needs to be amended or revoked; if it revokes recognition, it notifies the competent authorities of the other Member States and the Commission.

Separately, Article 17(11) empowers the evaluating national competent authority to revoke recognition where it finds that a provider "intentionally or negligently, supplied incorrect or misleading information." This deters misrepresentation and lets the authority act on inaccurate data behind the original recognition.

Ongoing audit and supervision

Recognition is subject to proactive monitoring as well as reactive revocation. For levels 2, 3 and 4, Article 20(8) requires the audited provider to submit the audit report and the associated positive opinion for annual review by the same or a different auditing organisation, which assesses continued compliance with Annex II and may "confirm, update, or revoke" the initial report and opinion. (An auditor may also revoke its report and opinion where the provider intentionally or negligently supplied incorrect or misleading audit evidence — Article 20(7).)

National competent authorities also have supervisory and investigative powers under Article 26 to verify compliance.

The Commission maintains a central repository of recognised services under Article 22. Under Article 22(3), the revocation of an audit report and opinion by an auditing organisation, or the revocation of a recognition by a competent authority, must be published in the repository and remain available there for five years — so buyers see any loss of status.

What this means for you

For cloud providers and data-centre operators, losing recognition would carry real commercial consequences, so treat sovereignty status as something to maintain continuously, not a one-time hurdle.

  1. Establish change-management protocols. Build internal processes to detect "material changes" in operations, supply chain or legal structure quickly, including changes in subcontractors' jurisdictions or ownership.
  2. Prioritise transparency. Under Article 23, notify your auditor and competent authority as soon as possible. Proactive notification is your best protection; supplying incorrect or misleading information can itself ground revocation under Article 17(11).
  3. Prepare for annual reviews. For levels 2–4, ensure documentation and operational reality align for the Article 20(8) annual review, where non-compliance can lead to revocation of the audit opinion and, in turn, loss of recognition.
  4. Monitor third-country laws. If you are under third-country control, track legal developments there; new laws enabling data access or service disruption could be a material change requiring reassessment.

Common misconceptions

Misconception 1: "Recognition is permanent once granted." Incorrect. As proposed, recognition is conditional and ongoing, and can be revoked for material changes, failed annual reviews, or misleading information.

Misconception 2: "Only the auditor can revoke my status." The auditor revokes the audit report and opinion; the national competent authority revokes the recognition (Article 23(3)). The authority can also act under Article 17(11) where incorrect or misleading information was supplied, and has investigative powers under Article 26.

Misconception 3: "I can keep recognition if I fix the issue after it's found." Once recognition is revoked, fixing the issue would not automatically restore it; you would generally need to apply again and undergo a new assessment or audit. The revocation stays visible in the central repository for five years (Article 22(3)), which may affect public-sector contract opportunities in that period.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.