Summary
Yes, as proposed, enforcement under the Cloud and AI Development Act (CADA) can be directly triggered by an audit finding. If an independent audit reveals that a cloud computing service provider no longer meets the cumulative criteria for its recognized Union assurance level, the auditing organization is legally obligated to amend or revoke its audit report and notify the national competent authority of establishment. This notification initiates a formal regulatory assessment. Under Article 26(1)(a), authorities possess the power to compel the provider and the auditing organization to provide information regarding suspected infringements. If the investigation confirms non-compliance with Annex II, the authority can revoke the service's recognition, impose fines, or order the cessation of infringements, effectively removing the provider's eligibility for public sector contracts requiring that assurance level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dynamic sovereignty framework where compliance is not a static certification but a continuous state of verification. For cloud computing services seeking recognition at Union assurance levels 2, 3, or 4, the regulation mandates independent third-party audits to verify adherence to the strict criteria set out in Annex II. These audits serve as the primary early-warning system for the regulatory framework, creating a direct pipeline from technical non-compliance to administrative enforcement.
The Audit as a Regulatory Trigger
The mechanism linking audit findings to enforcement is codified in Article 23 (Transparency obligations) and Article 20 (Independent audit). Under Article 20(8), audited providers must submit their audit reports and associated "positive" opinions for annual review. If an auditing organization determines that a provider no longer complies with the applicable criteria, or if it becomes aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion," it must assess whether the report needs to be amended or revoked.
Crucially, Article 23(2) mandates that if the auditing organization amends or revokes the audit report or opinion, it must notify the national competent authority of establishment "as soon as possible." This notification is not merely informational; it is a formal alert that a suspected infringement of the Regulation may exist. It shifts the burden from the provider's self-declaration to an external, verified finding of non-compliance, compelling the authority to act.
Authority Powers: Investigating the Provider and the Auditor
Once an audit finding triggers a notification, the national competent authority of establishment activates its investigative powers under Article 26. This article is the enforcement engine of the sovereignty framework.
Article 26(1)(a) explicitly grants competent authorities the power to "require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession, who may reasonably be expected to be aware of information relating to a suspected infringement of this Regulation, including auditing organisations, to provide that information as soon as possible."
This provision is critical for two reasons:
- Direct Access to Auditors: Authorities can compel the auditing organization itself to provide the underlying audit evidence, methodologies, and findings. This ensures the authority is not reliant solely on the provider's summary of the audit but can examine the raw data and the auditor's professional judgment.
- Broad Scope of Inquiry: The authority can demand information from any person involved in the service provision, ensuring a comprehensive investigation into the root cause of the non-compliance identified in the audit.
If the audit results reveal a suspected infringement (for example, a failure to maintain data localization or a breach of the personnel citizenship requirements), the authority can escalate from information gathering to active investigation. Article 26(1)(b) allows authorities to carry out inspections of premises, seize information, and obtain copies of data in any form. Article 26(1)(c) empowers them to ask staff for explanations and record their answers.
The Link to Annex II and Cross-Border Cooperation
The enforcement action is inextricably linked to the specific criteria in Annex II. The audit criteria are the benchmark against which compliance is measured. Examples of cumulative criteria include the requirement for Union assurance level 3 that personnel be Union citizens (Annex II, 3.1(d)) and the requirement for Union assurance level 4 that the provider not be subject to third-country control (Annex II, 4.1(g)). If an audit finding indicates that a provider has failed to meet such a criterion, the authority must assess whether the service still qualifies for recognition.
Article 28 (Cross-border cooperation) ensures that audit findings in one Member State can trigger enforcement actions by the authority of establishment in another. If a competent authority of destination (where the service is used) has reason to suspect that a provider no longer fulfills the requirements under Annex II, it may request the competent authority of establishment to assess the matter. This request can be based on an audit finding made by a local auditor or a review of the central repository.
Upon receiving such a request, the authority of establishment must assess the suspected infringement and take necessary investigatory or enforcement measures within two months (Article 28(4)). If the investigation confirms that the provider no longer meets the Annex II criteria, the authority can revoke the recognition. Article 17(11) explicitly states that the evaluating national competent authority may revoke its recognition where it finds that a provider "intentionally or negligently, supplied incorrect or misleading information," a scenario often revealed by a subsequent audit.
Furthermore, Article 26(2) provides the enforcement toolkit: authorities can order the cessation of infringements, impose remedies, and impose fines or periodic penalty payments to ensure compliance. The penalties must be "effective, proportionate and dissuasive" under Article 24.
The Consequence: Revocation and Public Transparency
The ultimate consequence of an audit-triggered enforcement action is the potential loss of the Union assurance status. Article 22 establishes a central repository of recognized services. Article 22(3) mandates that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This public record serves as a definitive signal to the market. Once a service is removed from the repository due to an audit-triggered revocation, contracting authorities under Article 30 are legally prohibited from procuring that service for public-order-relevant activities. The provider effectively loses its market access for the public sector until it can demonstrate renewed compliance and secure a new recognition.
What this means for you
For cloud computing service providers, the audit is not a "check-the-box" exercise but a live, high-stakes compliance mechanism. The link between Article 20 (audits), Article 23 (transparency), and Article 26 (enforcement) creates a rapid escalation path from a technical finding to a regulatory sanction.
- Treat Audit Findings as Immediate Triggers: Do not view an audit finding as a mere recommendation for improvement. If an auditor identifies a breach of Annex II criteria, they are legally required to notify the authority. You must assume that the authority will be notified immediately and will exercise its powers under Article 26(1)(a) to demand information.
- Prepare for Authority Scrutiny of Your Auditor: Under Article 26(1)(a), the authority can compel your auditing organization to share all audit evidence. Ensure your contract with the auditor includes provisions for cooperation with regulatory investigations, and ensure your internal documentation is robust enough to withstand a direct audit by the authority, not just the third-party auditor.
- Monitor Subcontractors Rigorously: Annex II criteria apply to subcontractors as well. A failure in your supply chain (e.g., a subcontractor moving data processing outside the Union) can trigger an audit finding, which in turn triggers enforcement. Your due diligence processes must be continuous, not periodic.
- Plan for Rapid Revocation: The timeline from audit finding to revocation can be swift. If your service is recognized at a high assurance level (2, 3, or 4) and is critical for your public sector clients, losing that status could breach your contracts. Have contingency plans to migrate to alternative providers or to remediate the breach within the transition periods allowed by Article 29(6) (which allows up to 12 months for migration if a risk assessment requires it).
Common misconceptions
"An audit finding leads only to a corrective action plan." Incorrect. While auditors may recommend corrective actions, the regulatory framework treats significant non-compliance as a potential infringement. If the auditor revokes the opinion, the authority is triggered to investigate. If the infringement is confirmed, the authority can revoke the recognition entirely, not just mandate a fix. The loss of recognition is immediate upon the authority's decision, potentially before a corrective plan is fully implemented.
"Auditors keep their findings confidential from the authorities." Incorrect. While auditors must maintain professional secrecy regarding trade secrets, Article 23 creates a mandatory reporting channel. If an audit finding suggests a breach of the Regulation, the auditor is legally obligated to notify the competent authority. Furthermore, Article 26(1)(a) gives the authority the power to compel the auditor to disclose specific information related to the suspected infringement, overriding general confidentiality in the context of regulatory enforcement.
"Only the authority in the provider's home country can act on an audit finding." Partially incorrect. While the authority of establishment has the exclusive competence to enforce the chapter (Article 25(4)), the trigger can come from anywhere. Article 28 allows a competent authority in a destination Member State to request an assessment if it suspects non-compliance based on an audit finding or other evidence. This ensures that a provider cannot hide non-compliance by operating across borders; a finding in one Member State can trigger an investigation by the authority of establishment.
Related
- Can CADA enforcement lead to a provider losing its assurance-level recognition?
- Can a CADA enforcement decision be enforced in another Member State?
- Can a CADA authority publish its enforcement decisions?
- Who can claim compensation under CADA? Recipients, damages and the right to seek redress
- Which CADA obligations can lead to penalties?
This is general information about a draft EU regulation, not legal advice.