Summary

Yes, as proposed, the European Commission would have the power to update the specific audit evidence requirements under the Cloud and AI Development Act (CADA). Under Article 21(1), the Commission is explicitly empowered to adopt delegated acts to amend Annex III, which lists the evidence auditing organisations must request to verify compliance with the sovereignty criteria in Annex II. This mechanism ensures that the technical proof required for audits remains aligned with evolving legal standards, cybersecurity threats, and technological developments without necessitating a full legislative revision by the Parliament and Council.

Detail

The CADA proposal establishes a rigorous sovereignty framework for cloud computing services, structured around four Union assurance levels. To achieve recognition for Union assurance levels 2, 3, or 4, cloud computing service providers must undergo independent third-party audits. The integrity of this system relies entirely on the quality, relevance, and sufficiency of the "audit evidence" used by auditors to verify that a provider meets the cumulative criteria for their target level.

The Legal Basis: Article 21(1) and the Delegation of Power

Article 21 of the CADA proposal is titled "Content and quality of audit evidence." It serves as the bridge between the high-level sovereignty criteria and the practical reality of an audit.

Article 21(1) states that auditing organisations shall assess the compliance of the audited service with the criteria set out in Annex II "on the basis of the audit evidence listed in Annex III." Crucially, the provision immediately follows with a specific delegation of power:

"The Commission is empowered to adopt delegated acts in accordance with Article 45 to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II."

This text confirms that the list of evidence in Annex III is not static. While the current proposal includes an indicative list of evidence types (such as software bills of materials, data flow diagrams, and ownership structures), the Commission holds the authority to expand, refine, or modify this list through delegated acts.

The Mechanism: Delegated Acts under Article 45

The power to change these requirements is exercised through the delegated acts procedure outlined in Article 45. This legislative tool is designed to allow the Commission to update technical or non-essential elements of a regulation efficiently.

The process operates as follows:

  1. Trigger: The Commission identifies a need to update the evidence requirements, perhaps due to new cybersecurity threats, the emergence of novel data centre architectures, or changes in software supply chain transparency standards.
  2. Drafting: The Commission drafts a delegated act to amend Annex III.
  3. Consultation: Before adoption, the Commission must consult experts designated by each Member State, in line with the principles of the Interinstitutional Agreement on Better Law-Making (Article 45(4)).
  4. Scrutiny: Once adopted, the act is notified simultaneously to the European Parliament and the Council. They have a period of two months (extendable by three months) to object (Article 45(6)). If no objection is raised, the act enters into force.

This mechanism allows the CADA framework to remain agile. For instance, if a new type of remote access vulnerability emerges or if the definition of a "software bill of materials" (SBOM) evolves in industry standards, the Commission can update Annex III to require specific new evidence types immediately, rather than waiting for the multi-year ordinary legislative procedure.

Alignment with Annex II Criteria

A critical constraint on this power is that any change to the audit evidence in Annex III must remain strictly aligned with the sovereignty criteria in Annex II.

The evidence serves a singular purpose: to prove that the provider meets the cumulative criteria for their target assurance level. These criteria cover fundamental aspects such as:

  • Data localisation: Ensuring customer data remains exclusively within the Union.
  • Absence of third-country control: Verifying that no third country can compel access or disrupt service.
  • Personnel requirements: Confirming Union citizenship or residency where required.
  • Cybersecurity certification: Obtaining the requisite "substantial" or "high" assurance level certificates.

The Commission cannot use delegated acts under Article 21(1) to fundamentally alter the sovereignty criteria themselves (e.g., removing the requirement for data localisation). It can only update the proof required to demonstrate compliance with those existing criteria.

Furthermore, Article 16(3) mandates that the Commission review Annex II and Annex III at least every 18 months to ensure they remain up to date with new legal or technical developments. This regular review cycle reinforces the dynamic nature of the evidence requirements, ensuring they do not become obsolete.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the ability of the Commission to amend Annex III via delegated acts introduces a dynamic compliance obligation. You cannot treat your current audit evidence repository as a permanent solution.

  1. Active Monitoring of Delegated Acts: You must establish a process to actively monitor the publication of delegated acts under Article 45. When the Commission updates Annex III, your audit scope will change. Auditors will begin requesting new types of evidence immediately upon the entry into force of these acts.
  2. Dynamic Documentation Processes: Ensure your internal documentation and evidence collection processes are flexible. For example, if Annex III is updated to require more granular data flow diagrams, specific source code audit trails for third-country software components, or new forms of ownership transparency, your IT and legal teams must be able to generate these on demand.
  3. Audit Readiness and Risk: Since audits for levels 2, 3, and 4 are mandatory for public sector procurement in sensitive areas, being unprepared for new evidence requirements can lead to failed audits. Under Article 20(1), failure to meet any requirements of a lower assurance level precludes conformity with higher levels. A failed audit results in a "negative opinion," which precludes the provider from being recognised at the desired assurance level.
  4. Cost and Resource Planning: Updating evidence collection processes has a cost. Budget for potential increases in administrative burden as the Commission refines the evidence requirements to close any identified gaps in the sovereignty framework.

Common misconceptions

"The Commission can change the sovereignty levels themselves via delegated acts." Correction: No. The Commission can amend the evidence (Annex III) via Article 21(1). While Article 16(2) also allows delegated acts to amend the criteria in Annex II, this is a separate power with distinct implications. The question specifically concerns audit evidence, which is governed by Article 21(1). The core criteria (e.g., "data must remain in the Union") are more stable and require a higher threshold to change.

"Audit evidence is fixed and defined only in the initial CADA text." Correction: The initial text provides an indicative list, but Article 21(1) explicitly empowers the Commission to amend Annex III. The list is designed to be "living" and responsive to market and technological developments.

"Only the Commission can change these requirements." Correction: While the Commission adopts the delegated acts, the process involves consultation with Member State experts (Article 45(4)). Furthermore, the European Parliament and the Council have the right to object to or revoke these delegated acts within two months of notification (Article 45(6)), providing a democratic check on the Commission's power.

This is general information about a draft EU regulation, not legal advice.