Summary

Under the proposed Cloud and AI Development Act (CADA), the way a provider proves it meets a Union assurance level depends on the level sought. Union assurance level 1 uses a provider-declared conformity self-assessment (Article 19); levels 2, 3 and 4 require mandatory independent third-party audits (Article 20). Self-assessment is cheaper and faster but carries lower market credibility and rests entirely on the provider's own controls. Third-party audits cost more and demand reliable evidence (Article 21), but deliver higher trust and open the door to sensitive public-sector procurement. The choice is not free — it is dictated by the level you target. CADA is a proposal, not yet in force.

Detail

CADA's proposed sovereignty framework is tiered, and so is the mechanism for verifying that a cloud service meets a given "Union assurance level." The split between self-assessment and third-party audit is not a discretionary choice — it follows directly from the level a provider seeks.

Conformity self-assessment: Union assurance level 1

Article 19 would govern conformity self-assessment, and it is available only for providers seeking recognition at Union assurance level 1.

Under Article 19(1), a provider would carry out a self-assessment of compliance with the Annex II criteria for level 1. This is provider-declared. Following the self-assessment, the provider would issue an "EU statement of conformity" stating that compliance with the level 1 criteria has been demonstrated, and "by issuing such a statement … assume responsibility for the compliance" of the service (Article 19(2)).

Key characteristics:

  • Public transparency. The provider must make the EU statement of conformity publicly available (Article 19(3)).
  • Internal control. The assessment rests on the provider's own documented evidence and internal controls; there is no mandatory external verification.
  • Cost and speed. This route avoids external-auditor fees and the preparation that external scrutiny demands, so it is faster and cheaper. It is especially accessible for SMEs: as proposed, an EU statement of conformity issued by an SME would be "directly and automatically recognised in all Member States without the need for prior recognition" by the evaluating national competent authority (Article 17(3)).

Independent third-party audits: Union assurance levels 2, 3 and 4

For Union assurance levels 2, 3 and 4, the proposal would require independent third-party audits under Article 20. This is a legal requirement for those tiers, not a voluntary upgrade.

Under Article 20(1), a provider seeking these levels must undergo, at its own expense, independent third-party audits to obtain an audit report and an audit opinion from an "auditing organisation." Because the criteria are cumulative, a provider seeking a higher level must satisfy all the lower-level criteria too; failure at a lower level precludes the higher one (Article 20(1)).

Key characteristics:

  • Mandatory independence. Auditing organisations must be independent and conflict-free. As proposed, they must not have provided related non-audit services to the provider in the 12 months before the audit (and must commit not to for 12 months after), must not have provided auditing services under this Article to the provider in the 10-year period before the audit, and must not be paid fees contingent on the result (Article 20(4)(a)).
  • Audit opinion. The outcome is a substantiated written audit report containing a "positive" or "negative" opinion on whether the service complies with the applicable Annex II criteria for level 2, 3 or 4; a negative opinion would carry operational recommendations and a timeframe to achieve compliance (Article 20(5)).
  • Annual review. The provider must annually submit the audit report and positive opinion for review by the same or a different auditing organisation, which may confirm, update or revoke them (Article 20(8)).
  • Liability and credibility. A positive opinion from an independent body carries more weight with contracting authorities than a self-declaration, shifting the burden of proof from the provider's own statement to external, expert validation.

The audit-evidence requirement: Article 21

The main driver of cost in third-party assessment is the evidence requirement under Article 21, with the evidence detailed in Annex III.

Article 21(1) would require auditing organisations to assess compliance with the Annex II criteria on the basis of the audit evidence listed in Annex III. That evidence must be:

  1. Relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an opinion; and
  2. Reliable, according to the auditing organisation's "professional judgment and scepticism" (Article 21(2)).

Annex III maps evidence to each Annex II criterion (and its strictness varies by assurance level). In practice, that means assembling evidence to support criteria such as: that infrastructure, assets and personnel are located in the Union; that customer data — including metadata and telemetry data — remains within the Union; software supply-chain measures including a complete and up-to-date software bill of materials (SBOM) and dependency list, with controls over third-country software components; and, at the higher levels, that the provider and its subcontractors are not subject to third-country control. Providers must cooperate fully, giving auditors access to relevant data and premises and answering questions (Article 20(2)); hampering the audit, or supplying incorrect or misleading evidence, can lead to a negative opinion or revocation (Article 20(7)).

Cost and credibility comparison

Feature       | Self-assessment (level 1)                       | Third-party audit (levels 2-4)
Legal basis   | Article 19                                      | Article 20
Cost          | Low (internal resources)                        | High (auditor fees, preparation, annual reviews)
Time          | Fast (internal process)                         | Slower (scheduling, evidence-gathering, review)
Credibility   | Moderate (provider-declared)                    | High (independently verified)
Liability     | Provider responsible for its declaration        | Provider responsible; auditing organisation bound by independence/competence duties
Market access | Public-sector activities not tied to public order | Public-order-relevant activities (levels 2-4)
Evidence      | Internal documentation                          | Annex III-based evidence assessed under Article 21

What this means for you

For cloud service providers and data-centre operators, the choice between self-assessment and third-party audit is strategic.

If you target less sensitive public-sector bodies, Union assurance level 1 may suffice. The self-assessment route under Article 19 lets you enter quickly with low regulatory overhead — but you bear responsibility for the accuracy of your EU statement of conformity, and a false declaration can attract penalties under Article 24 (which Member States must make "effective, proportionate and dissuasive") and reputational harm.

If you aim to serve public-order-relevant activities, you would need levels 2, 3 or 4 and therefore an independent audit. Budget for the upfront cost of assembling the Annex III evidence — mapping your software supply chain, evidencing data flows and Union location, and documenting your ownership and control structure to show the absence of third-country control at the higher tiers.

Invest in audit readiness early. If you start at level 1 but later seek level 3, you will have to produce audit-grade evidence. Strong internal controls and detailed records from the outset reduce the cost and time of moving to a third-party audit.

Select auditors carefully. For levels 2-4, choose auditing organisations that meet the independence and competence requirements of Article 20(4) and have proven expertise in cloud services. Because a negative opinion can damage your market position, the relationship should be transparent and cooperative.

Common misconceptions

"Self-assessment is 'less strict' than a third-party audit." The verification is lighter, but the obligations are not. The level 1 criteria in Annex II are still binding, and a false EU statement of conformity is an infringement subject to penalties. The difference lies in how compliance is verified, not in the underlying legal duties.

"Third-party audits are a one-time event." No. Article 20(8) would require annual review of the audit report and positive opinion by an auditing organisation. It is an ongoing cost, not a one-off certification.

"You can pick a third-party audit for level 1 to boost credibility." The proposal structures recognition so that level 1 is reached via self-assessment (Article 19) and levels 2-4 via third-party audit (Article 20). To obtain the credibility of an independent audit, you would aim for level 2 or higher.

"Audit evidence is just a formality." No. Article 21 requires evidence to be "relevant and sufficient" and "reliable" under the auditor's professional judgment and scepticism, and auditors may access premises and data. Superficial documentation is likely to draw a negative opinion or a request for further information, delaying recognition and raising costs.

This is general information about a draft EU regulation, not legal advice.