Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) empowers national competent authorities to investigate auditing organisations directly. Article 26(1)(a) explicitly grants investigative powers to require information from "any other persons acting for purposes related to their trade... including auditing organisations." Because these organisations are the gatekeepers for verifying Union assurance levels 2, 3, and 4, they are subject to the same oversight as cloud service providers to ensure the integrity of the sovereignty framework. This authority links directly to the transparency and reporting obligations in Article 23, creating a closed loop of accountability for the audit process.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous Union cloud computing sovereignty framework. Unlike Level 1, which relies on self-assessment, Levels 2, 3, and 4 require independent third-party audits to verify compliance with strict criteria regarding establishment, infrastructure location, personnel, and third-country control. To prevent these audits from becoming a "box-ticking" exercise, the proposal grants national competent authorities broad investigative powers that extend beyond the cloud service providers themselves to the auditing organisations that verify them.

Investigative Powers Explicitly Extend to Auditing Organisations

The cornerstone of this enforcement capability is Article 26(1)(a). This provision empowers the national competent authority of establishment to require information from a wide range of actors. Crucially, the text states that authorities can require:

"any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation, including auditing organisations, to provide that information as soon as possible."

This phrasing is deliberate and expansive. It places auditing organisations squarely within the enforcement perimeter of CADA. If a competent authority suspects an infringement of the sovereignty framework, whether committed by the cloud provider, the auditor, or both, it can compel the auditing organisation to produce relevant data, documents, and explanations. This ensures that authorities can trace the audit trail and verify whether the auditing process itself was conducted in accordance with the regulation's strict requirements.

The Critical Role of Auditing Organisations in the Sovereignty Framework

Auditing organisations are not merely service providers to cloud companies; they are the mechanism by which the Union assurance framework functions. Under Article 20, cloud computing service providers seeking recognition at Union assurance levels 2, 3, or 4 must undergo independent third-party audits to obtain an audit report and a "positive" audit opinion.

The integrity of the entire framework depends on the independence and competence of these auditors. Article 20(4) sets out rigorous conditions for auditing organisations:

  • Independence: They must be independent from the provider and free from conflicts of interest. Specifically, they cannot have provided non-audit services to the provider in the 12 months before or after the audit, nor can they have audited the same provider in the previous 10 years (Article 20(4)(a)).
  • Competence: They must possess proven expertise and technical competence in auditing cloud computing services (Article 20(4)(b)).
  • Objectivity: They must adhere to high professional ethics and objectivity (Article 20(4)(c)).

If an auditing organisation fails to meet these standards, or if it issues a "positive" audit opinion based on insufficient or fabricated evidence, it undermines the entire sovereignty framework. This is why Article 26 empowers authorities to investigate them directly. Without this power, an auditor could theoretically collude with a provider to bypass sovereignty criteria, leaving the public sector with a false sense of security.

Scope of Investigation: Beyond Information Requests

The investigative powers under Article 26(1) are comprehensive and designed to allow authorities to conduct deep-dive investigations into the audit process. In addition to demanding information under paragraph (a), authorities can:

  • Inspect Premises: Authorities can carry out, or request a judicial authority to order, inspections of any premises used by the auditing organisation for professional purposes (Article 26(1)(b)). This allows regulators to verify that the audit was actually performed by qualified staff in a controlled environment.
  • Examine and Seize Data: They can examine, seize, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium (Article 26(1)(b)). This is critical for retrieving audit working papers, evidence logs, and internal communications.
  • Record Explanations: Authorities can ask any member of staff or representative of the auditing organisation to give explanations regarding suspected infringements and, with their consent, record their answers (Article 26(1)(c)).

These powers are designed to ensure that the audit evidence cited in Annex III of CADA is genuine and that the auditing organisation has performed its due diligence. For instance, if an auditor claims to have verified the location of infrastructure as required by Annex II, authorities can investigate whether that verification was actually performed on-site or merely based on provider assurances.

The Link to Article 23: Transparency and Reporting Obligations

The investigative powers of Article 26 are tightly linked to the transparency obligations in Article 23. While Article 23(1) primarily obliges the cloud computing service provider to notify authorities of material changes, Article 23(2) places a direct duty on the auditing organisation.

If an auditing organisation becomes aware of information or material changes that may affect the validity of its audit report or opinion, it must assess whether the report needs to be amended or revoked. If it decides to amend or revoke the report, it must notify the national competent authority of establishment "as soon as possible."

Failure to comply with this notification duty could constitute an infringement, triggering the investigative powers of Article 26. Furthermore, if an authority suspects that an auditor has failed to detect a material change or has issued a report based on incorrect evidence, Article 26 provides the legal basis to investigate the auditor's internal processes and decision-making. This creates a continuous feedback loop: the auditor must report issues, and the authority must have the power to verify that reporting is accurate and complete.

Penalties and Enforcement Consequences

While Article 26 outlines the powers to investigate, Article 24 sets out the penalties for infringements. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." Although Article 24 explicitly mentions infringements by cloud computing service providers, the investigative reach into auditing organisations means that auditors cannot operate in a regulatory vacuum.

If an auditor is found to have negligently or intentionally supplied incorrect audit evidence, or violated independence rules, they could face legal consequences under national laws implementing CADA. Additionally, Article 24(3) provides that recipients of cloud computing services have the right to seek compensation for damage suffered due to an infringement. If a public body relies on a flawed audit opinion and suffers harm (e.g., data breach or service disruption due to non-sovereign infrastructure), the auditor could be liable for damages.

Furthermore, Article 20(7) states that an auditing organisation may revoke its audit report if the provider supplied incorrect evidence. However, if the auditor itself failed to detect obvious non-compliance or violated independence rules, the competent authority can use its powers under Article 26 to investigate and potentially sanction the auditor, or at least report them to relevant professional bodies, effectively removing their ability to operate under CADA.

What this means for you

For in-house counsel, compliance officers at auditing firms, and cloud service providers managing audit relationships, CADA introduces a new layer of regulatory scrutiny that extends to the audit function itself.

  1. Document Retention is Critical: Ensure your auditing organisations retain comprehensive records of their audit methodologies, evidence collected, communications with providers, and internal decision-making logs. Under Article 26(1)(b), authorities can seize data from any storage medium, including private servers or cloud storage used by the audit firm.
  2. Strict Independence Checks: Rigorously enforce the independence requirements of Article 20(4). Maintain detailed records of all services provided to audited providers to prove compliance with the 12-month and 10-year cooling-off periods. Any breach here is a direct target for investigation.
  3. Cooperation Protocols: Develop internal protocols for responding to information requests from competent authorities. Article 26(1)(a) requires information to be provided "as soon as possible." Delay, obstruction, or failure to cooperate could exacerbate penalties and be treated as a separate infringement.
  4. Audit Quality Assurance: Implement robust quality assurance processes for audits of Union assurance levels 2–4. If an audit is found to be flawed, the auditor may be investigated for its role in the infringement. The "positive" audit opinion is a legal declaration of compliance, not just a commercial opinion.
  5. Training and Liability Awareness: Train audit staff on their potential liability and the scope of Article 26 powers. They must understand that they are "persons acting for purposes related to their trade" and are directly addressable by regulators, not just by the client who hired them.

Common misconceptions

  • Misconception: Only cloud service providers are subject to CADA enforcement.
    • Reality: Article 26(1)(a) explicitly includes auditing organisations within the scope of investigative powers. Authorities can demand information and inspect premises of auditors directly.
  • Misconception: Auditing organisations are only responsible to the cloud provider that hired them.
    • Reality: Auditors have direct obligations to the competent authority. Article 23 requires them to notify authorities if audit reports need amendment or revocation. They are a key part of the public oversight mechanism.
  • Misconception: Investigative powers only apply after a formal penalty decision.
    • Reality: Article 26 grants powers to investigate suspected infringements. Authorities can act proactively if they have reason to suspect non-compliance, not just after a final determination of guilt.
  • Misconception: Auditors are shielded by client confidentiality.
    • Reality: While Article 20(3) requires auditors to maintain confidentiality, this does not prevent them from sharing information with competent authorities under Article 26 or Article 23. The regulation prioritizes the integrity of the sovereignty framework over commercial secrecy in the context of enforcement.

This is general information about a draft EU regulation, not legal advice.