Summary
Under the proposed Cloud and AI Development Act (CADA), auditing organisations cannot charge fees that depend on the outcome of an audit. Article 20(4)(a)(iii) of the proposal explicitly prohibits fees that are "contingent on the result of the audit" to safeguard the independence and objectivity of the assessment. For Union assurance levels 2, 3, and 4, cloud providers must bear the cost of independent third-party audits, but the fee structure must be fixed or based on effort, never on whether the provider receives a "positive" or "negative" opinion.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services. A critical component of this framework is the requirement for independent third-party audits for providers seeking Union assurance levels 2, 3, or 4. To ensure these audits are credible, the proposal imposes strict independence requirements on auditing organisations, including a specific ban on performance-based remuneration.
The Prohibition on Contingent Fees
The core rule governing audit remuneration is found in Article 20(4)(a)(iii) of the CADA proposal. This provision outlines the conditions an auditing organisation must meet to be eligible to perform an audit. It states that the organisation must:
"not be performing the audit in return for fees that are contingent on the result of the audit"
This prohibition is absolute and non-negotiable. An auditing organisation cannot structure its engagement contract with a cloud computing service provider such that the fee increases if the audit results in a "positive" opinion (indicating compliance) and decreases or is waived if the result is "negative" (indicating non-compliance). Such an arrangement would create a direct financial incentive for the auditor to overlook deficiencies or soften their findings to secure payment. This would fundamentally undermine the integrity of the Union assurance framework, which relies on unbiased verification to protect public order and strategic autonomy.
Connection to Independence and Conflict of Interest Rules
The ban on contingent fees is one pillar of a broader independence regime defined in Article 20(4)(a). To perform an audit, an organisation must be independent from the cloud provider and free from conflicts of interest. The proposal defines this through three cumulative criteria:
- No Recent Non-Audit Services: The auditor must not have provided non-audit services related to the audited matters to the provider in the 12 months prior to the audit, nor commit to doing so in the 12 months following completion (Article 20(4)(a)(i)).
- Firm Rotation: The auditor must not have provided auditing services pursuant to Article 20 to the same provider in the 10-year period before the audit begins (Article 20(4)(a)(ii)).
- No Contingent Fees: Fees cannot be tied to the audit result (Article 20(4)(a)(iii)).
Together, these rules ensure that the auditor's judgement is not swayed by a desire to retain a lucrative client, to earn a bonus for a favourable outcome, or to protect future consulting work. The objective is an audit opinion based solely on professional ethics, objectivity, and high professional standards, which Article 20(4)(c) reinforces by requiring that auditors possess "proven objectivity and professional ethics."
Who Bears the Cost?
While the fee structure cannot be contingent on the outcome, Article 20(1) clarifies that cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo these audits "at their own expense." This means the cloud provider is financially responsible for paying the auditing organisation. However, the payment must be for the service of auditing itself, based on factors such as the scope, complexity, and duration of the audit, not on the binary result of compliance.
The proposal distinguishes between the source of the funds (the provider) and the structure of the fee (non-contingent). The provider pays for the audit, but the auditor cannot condition that payment on the provider passing the test. This ensures that the financial burden of compliance does not create a conflict of interest where the auditor is incentivized to help the provider "pass" rather than objectively assess compliance.
Consequences of Non-Compliance
If an auditing organisation accepts a contingent fee arrangement, it violates the core independence requirements of CADA. This would likely render the audit report and opinion invalid, as the auditor would fail to meet the eligibility criteria set out in Article 20(4).
Article 20(7) addresses a different situation: an auditing organisation may revoke its audit report and opinion if the audited provider supplied incorrect or misleading evidence. A breach of independence by the auditor itself, such as accepting a contingent fee, falls instead to the national competent authorities designated under Article 25, which have the power to supervise and enforce these obligations. Under Article 26, they can impose fines or periodic penalty payments for failures to comply with the Regulation, including violations of investigative or procedural orders. Furthermore, Article 24 requires Member States to lay down rules on penalties for infringements, ensuring they are "effective, proportionate and dissuasive."
What this means for you
For in-house counsel, compliance officers, and procurement teams at cloud computing service providers, this provision dictates how you must structure your engagements with external auditors.
- Contract Drafting: When negotiating engagements for Union assurance level 2, 3, or 4 audits, ensure the fee clause is fixed, based on time and materials, or tied to deliverables (e.g., submission of the draft report) rather than to the final opinion. Explicitly exclude any language linking payment to the receipt of a "positive" audit opinion or the award of a specific assurance level.
- Vendor Due Diligence: Verify that your chosen auditing organisation complies with the independence criteria in Article 20(4). Request written confirmation that they have not provided non-audit services to your entity in the preceding 12 months, have not audited you in the last 10 years, and do not operate on a contingent fee basis.
- Budgeting: Recognize that audit costs are a compliance expense borne by the provider. Budget for these costs as part of your sovereignty certification strategy. Do not attempt to shift the financial risk of a failed audit onto the auditor through contingent fee structures, as this is prohibited under the proposal and would invalidate the audit.
- Monitoring Changes: Under Article 23, you must report material changes to the auditing organisation. If your relationship with the auditor changes in a way that might affect independence (e.g., you begin hiring them for non-audit consulting that falls within the 12-month cooling-off period), you must cease the audit engagement or replace the auditor to maintain compliance.
Common misconceptions
- Misconception: "We can pay the auditor a bonus if we get a Level 3 certification."
- Reality: This is strictly prohibited by Article 20(4)(a)(iii). Any financial reward tied to the audit outcome compromises independence and invalidates the process. The fee must be for the work of auditing, not the result.
- Misconception: "Only the cloud provider pays; the auditor has no financial stake."
- Reality: While the provider pays, the auditor's fee must still be structured correctly. The prohibition is on the contingency of the fee, not the existence of a fee. The auditor must be paid, but the amount cannot fluctuate based on the pass/fail outcome.
- Misconception: "This only applies to large hyperscalers."
- Reality: Any cloud computing service provider seeking recognition for Union assurance levels 2, 3, or 4 must comply. Level 1 allows for self-assessment, but levels 2-4 require independent audits subject to these strict fee rules.
- Misconception: "If the audit fails, I don't have to pay."
- Reality: The provider is responsible for the cost of the audit regardless of the outcome. A "negative" opinion does not absolve the provider of the obligation to pay for the audit services rendered, provided the fee was not contingent on the result.
This is general information about a draft EU regulation, not legal advice.