Summary
No. Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider cannot act as its own auditor for Union assurance levels 2, 3 or 4. As proposed, those levels would require an independent third-party audit by an auditing organisation that is independent from, and free of conflicts of interest with, the provider and any connected legal person (Article 20). A provider may self-assess only for Union assurance level 1 (Article 19). A connected entity — parent, subsidiary or sister company — could not stand in as the independent auditor.
Detail
CADA, as proposed, would build a tiered sovereignty framework in which the level of verification scales with the sensitivity of the activity. A central pillar is how compliance is checked: self-assessment at the lowest level, independent audit above it.
The defined roles
Article 2 defines the relationship between provider and auditor. Article 2(17) defines an "auditing organisation" as "an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit." Article 2(18) defines an "audited service" as "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion." The auditing organisation is, by definition, an external party engaged to perform an independent audit — not an internal function of the provider.
Independence requirements for levels 2, 3 and 4
Article 20 ("Independent audit") sets the rules. Article 20(1) requires providers seeking recognition at Union assurance level 2, 3 or 4 to undergo, at their own expense, independent third-party audits to obtain an audit report and an audit opinion. Article 20(4)(a) requires that auditing organisations "are independent from, and do not have any conflicts of interest with, the cloud computing service provider concerned, and any legal person connected to that provider." In particular:
- Article 20(4)(a)(i): the auditing organisation must not have provided non-audit services related to the matters audited to the provider, or any connected legal person, in the 12-month period before the audit begins, and must have committed not to provide them in the 12-month period after the audit completes.
- Article 20(4)(a)(ii): it must not have provided auditing services under Article 20 to the same provider or connected legal person in the 10-year period before the audit begins.
- Article 20(4)(a)(iii): it must not perform the audit in return for fees contingent on the result of the audit.
Article 20(4)(b) and (c) add that the auditing organisation must have proven expertise and technical competence in auditing cloud computing services, and proven objectivity and professional ethics. The organisation prepares an audit report (Article 20(5)) and issues a "positive" or "negative" opinion; a "positive" opinion identifies the Union assurance level to be recognised (Article 20(5)(g), (i)).
Contrast with Union assurance level 1
Self-assessment is permitted only at level 1. Article 19(1) provides that providers seeking recognition as offering Union assurance level 1 "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II." Under Article 19(2), the provider then issues an "EU statement of conformity" and, by doing so, assumes responsibility for the service's compliance. This is a self-declaration, not an independent verification, and Article 19(3) requires it to be made publicly available.
Why a connected entity cannot audit
Because Article 20(4)(a) extends the independence requirement to "any legal person connected to that provider," a parent, subsidiary or sister company within the same corporate group could not act as the auditing organisation. The audit must come from an entity that is genuinely independent and conflict-free.
What this means for you
If you are a provider aiming for Union assurance level 2, 3 or 4, you would have to engage an external auditing organisation; your internal audit or quality-assurance function cannot produce the required report and opinion. Select an organisation that meets the Article 20(4) independence criteria — no recent or committed future non-audit services related to the matters audited (the 12-month windows), no Article 20 audit services to you in the previous 10 years, and no fees contingent on the result.
Review your corporate structure to confirm the prospective auditor is not a connected legal person, and ensure the engagement does not tie fees to the outcome, which Article 20(4)(a)(iii) prohibits.
For Union assurance level 1, you may self-assess and issue an EU statement of conformity under Article 19 — but be aware this carries less market assurance than an independent audit, and you assume responsibility for the service's compliance.
Common misconceptions
"Internal audits satisfy CADA." Not for levels 2, 3 and 4. Article 20 requires an independent third-party audit; an internal audit function does not meet the independence test for those levels.
"A subsidiary can audit the parent." Article 20(4)(a) extends independence to any legal person connected to the provider, so a group company cannot perform the audit.
"Self-assessment is available for any level to save cost." Article 19 limits self-assessment to Union assurance level 1. Levels 2, 3 and 4 require an independent audit under Article 20.
Related
- Can a reseller or broker be a cloud computing service provider under CADA?
- What is a cloud computing service provider (CSP) under CADA?
- Is a colocation provider a data centre operator or a data centre service provider under CADA?
- Does a public sector body that builds its own cloud become a CSP under CADA?
- Who can act as an auditing organisation under CADA?
This is general information about a draft EU regulation, not legal advice.