Summary

Yes, under the proposed Cloud and AI Development Act (CADA), a cloud service provider seeking Union assurance levels 2, 3, or 4 may switch auditing organisations for its mandatory annual review. Article 20(8) explicitly permits the provider to submit its audit report and associated 'positive' audit opinion to "the same or a different auditing organisation." This flexibility allows providers to change auditors annually, provided the new organisation meets the rigorous independence and competence requirements set out in Article 20(4). The new auditor retains the full authority to confirm, update, or revoke the existing audit opinion based on its assessment of continued compliance.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a robust sovereignty framework for cloud computing services. For providers aiming to achieve Union assurance levels 2, 3, or 4, the regulation mandates independent third-party audits. While the initial recognition requires a comprehensive audit, the regulation anticipates the need for ongoing verification to ensure that services remain compliant with the evolving criteria in Annex II.

The Annual Review Mechanism

The core of the ongoing compliance obligation is found in Article 20(8). This provision mandates that audited providers must submit their audit report and the associated 'positive' audit opinion for review on an annual basis. Crucially, the text of the proposal does not lock a provider into a single auditing firm for the duration of their recognition.

The regulation states verbatim:

"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II."

This phrasing grants providers the explicit right to select a new auditor for the annual review cycle. It acknowledges that market dynamics, service quality, or strategic needs may necessitate a change in the auditing partner. However, this choice is not without constraints; the new organisation must be capable of performing the audit in accordance with the strict standards of the Act.

Powers of the New Auditor

When a different auditing organisation is engaged for the annual review, it steps into the role of the original auditor with identical powers and responsibilities. Under Article 20(8), the new organisation is empowered to take one of three specific actions based on its assessment of the provider's continued compliance:

  1. Confirm: The auditor may confirm the initial audit report and audit opinion, validating that the service continues to meet the criteria.
  2. Update: The auditor may update the initial audit report and audit opinion, reflecting necessary changes or clarifications while maintaining the positive status.
  3. Revoke: The auditor may revoke the initial audit report and audit opinion if the service no longer complies with the applicable criteria.

The power to revoke is significant. If a new auditor revokes the opinion, the consequences are immediate and severe. Article 23(2) requires the auditing organisation to notify the national competent authority of establishment "as soon as possible." This notification triggers a cascade of regulatory actions: the competent authority must then assess whether its recognition of the cloud computing service needs to be amended or revoked (Article 23(3)). If the recognition is revoked, the service is removed from the central repository, effectively barring it from being procured by public sector bodies under the sovereignty framework.

Independence and Competence Barriers

While the regulation allows for a change in auditor, it imposes strict barriers to ensure the integrity of the process. A provider cannot simply hire any firm; the new auditing organisation must satisfy the conditions of Article 20(4).

Independence Requirements

The most critical constraint for a new auditor is the "cooling-off" period regarding prior engagements. Article 20(4)(a)(ii) stipulates that an auditing organisation cannot have provided auditing services pursuant to Article 20 to the cloud computing service provider (or any legal person connected to that provider) in the 10-year period before the beginning of the audit. This long-term restriction is designed to prevent "auditor shopping", where a provider might seek a more lenient auditor by cycling through firms that have previously worked with them.

Additionally, Article 20(4)(a)(i) prohibits the new auditor from having provided non-audit services related to the matters audited in the 12-month period before the audit begins, and they must commit to not providing such services in the 12-month period after completion. This ensures that the auditor remains independent from the provider's operational and financial interests.

Competence Requirements

Beyond independence, the new auditor must demonstrate "proven expertise, technical competence and capabilities in auditing cloud computing services" (Article 20(4)(b)). They must also possess "proven objectivity and professional ethics" (Article 20(4)(c)). If a new auditor cannot meet these standards, they are disqualified from performing the review, regardless of the provider's preference.

The Provider's Duty to Cooperate

Switching auditors places a burden on the provider to ensure a seamless transition. Article 20(2) requires audited providers to cooperate with the auditing organisation and provide assistance necessary to enable the audit to be conducted effectively, efficiently, and in a timely manner. This includes giving the new auditor access to all relevant data and premises and answering oral or written questions.

The provider must also ensure that the new auditor receives the necessary documentation, including the previous audit report and opinion, to conduct the review. Failure to cooperate or provide access could lead to the auditor being unable to express an opinion, which, under Article 20(6), would result in an explanation of the circumstances in the audit report, potentially leading to a negative outcome or revocation.

What this means for you

For cloud service providers operating under the proposed CADA framework, the ability to switch auditors annually is a strategic tool, but it requires careful governance.

  • Strategic Flexibility: You are not locked into a long-term contract with a single auditor. If a current auditor fails to deliver value, lacks specific sector expertise, or if fees become prohibitive, you can engage a different firm for the next annual review. This creates a competitive market for audit services.
  • The 10-Year Rule is Critical: Before engaging a new auditor, you must conduct a thorough due diligence check on their history with your organisation. If they have performed any Article 20 audit for you or a connected entity within the last decade, they are legally barred from conducting your annual review. This is a hard constraint that cannot be waived.
  • Risk of Revocation: Be aware that a new auditor is not obligated to simply rubber-stamp the previous year's opinion. They have the full authority to revoke the opinion if they find non-compliance. A revocation by a new auditor is just as damaging as one by the original auditor, triggering immediate notification to the competent authority and potential loss of recognition.
  • Transition Management: Switching auditors requires significant administrative effort. You must ensure the new auditor has immediate access to all data, premises, and historical records. Delays in onboarding a new auditor could jeopardise the timing of your annual submission, potentially leading to a lapse in your recognised status.
  • Cost Implications: While switching may offer leverage in fee negotiations, the cost of a new auditor conducting a full annual review (which includes verifying continued compliance against Annex II) will likely be comparable to the original audit. You should budget for this recurring cost.

Common misconceptions

"I must use the same auditor for the entire duration of my recognition." False. Article 20(8) explicitly states that the annual review can be submitted to "the same or a different auditing organisation." There is no requirement to maintain a single auditor for the life of the recognition.

"Any auditing firm can take over my annual review." False. The new auditor must meet the strict independence and competence criteria of Article 20(4). Most notably, they cannot have audited your service in the previous 10 years. If they fail this test, they are disqualified.

"A new auditor will just confirm the old opinion without checking." False. The new auditor must "assess the continued compliance of the audited service with the applicable criteria set out in Annex II." They have the authority to update or revoke the opinion if they find deficiencies. They are not bound by the previous auditor's conclusions.

"Switching auditors resets my compliance clock." False. The annual review is a continuous process. The new auditor reviews the existing 'positive' audit opinion and the service's current state. They do not start a new cycle from scratch but rather verify that the service has maintained its status over the past year.

"If I switch auditors, the competent authority must approve the change." False. The regulation does not require prior approval from the competent authority to switch auditors. However, the new auditor must be competent and independent. The competent authority becomes involved only if the new auditor revokes the opinion or if there are disputes regarding the recognition process.

This is general information about a draft EU regulation, not legal advice.