Summary
Yes, under the proposed Cloud and AI Development Act (CADA), transparency obligations apply universally to all cloud computing service providers recognised at any of the four Union assurance levels (1 through 4). Article 23 explicitly mandates that any provider whose service has been formally recognised must promptly notify the relevant auditing organisation (for levels 2–4) and the national competent authority of establishment of any "material change in circumstances" that could affect their audit report, audit opinion, or recognition status. This duty is not limited to the highest sovereignty tiers; it is a continuous requirement for all participants in the sovereignty framework to ensure the accuracy of the central repository and the integrity of public procurement decisions.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework to mitigate risks associated with dependence on third-country providers. Central to this framework are the four "Union assurance levels" (1, 2, 3, and 4), which categorise cloud computing services based on their compliance with specific criteria regarding establishment, data localisation, personnel citizenship, cybersecurity certification, and the absence of third-country control, as detailed in Annex II of the proposal.
While the criteria for achieving these levels vary in stringency (Level 1 relies on self-assessment, whereas Levels 2–4 require independent third-party audits), the obligation to maintain transparency once recognised is uniform. Article 23 of the CADA proposal establishes a critical "transparency obligation" that acts as a continuous compliance mechanism across the entire spectrum of assurance levels.
The Universal Scope of Article 23
The text of Article 23(1) is unequivocal in its scope. It states: "On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This provision creates a dual-layered duty that adapts to the assurance level but applies to all:
- For Union Assurance Levels 2, 3, and 4: These levels require an independent audit and a "positive" audit opinion under Article 20. Consequently, a material change affects both the audit report/opinion and the recognition. The provider must notify both the auditing organisation (to trigger a reassessment of the audit) and the national competent authority of establishment (to trigger a reassessment of the recognition).
- For Union Assurance Level 1: Level 1 relies on a conformity self-assessment and an EU statement of conformity under Article 19, rather than an independent audit. While there is no "audit report" to amend, the provision explicitly links the duty to the "recognition under Article 17." Since Level 1 providers are recognised by the national competent authority (with automatic recognition for SMEs under Article 17(3)), any material change affecting the validity of their self-assessment or their recognised status must be reported to the national competent authority. The reference to the "audit report" in Article 23(1) is interpreted in context: for Level 1, the "audit report" element is inapplicable, but the "recognition" element remains fully active.
The explanatory memorandum reinforces this comprehensive approach, noting that the framework must ensure "the continued accuracy and reliability of the status of cloud computing services as offering Union assurance levels." Without a universal transparency duty, the central repository established under Article 22 could quickly become populated with outdated or inaccurate information, undermining the trust of public sector contracting authorities who rely on these recognitions for procurement decisions under Article 30.
The Trigger: "Material Change in Circumstances"
Article 23 does not provide an exhaustive list of what constitutes a "material change," leaving room for interpretation based on the specific criteria of the assurance level. However, the context of Annex II (Criteria for Union Assurance Levels) and Annex III (Audit Evidence) clarifies the scope. A "material change" is any event that could cause a provider to no longer meet the cumulative criteria for their recognised level.
Examples of material changes across the tiers include:
- Change in Control: An acquisition by a third-country entity or a change in the ultimate beneficial owner that introduces third-country control, potentially violating the criteria in Annex II for Levels 2, 3, and 4 (and the control guarantees for Level 1).
- Infrastructure Relocation: The physical movement of data centres, assets, or personnel outside the Union, which would breach the location criteria in Annex II for all levels (unless explicitly permitted by the public sector body for Level 1).
- Subcontracting Shifts: The introduction of new subcontractors outside the Union or changes in the subcontracting chain that compromise operational autonomy or data localisation.
- Cybersecurity Status: The loss or suspension of a European cybersecurity certificate (required for Levels 2, 3, and 4) or a failure to maintain state-of-the-art cybersecurity standards (required for Level 1).
- Data Flow Changes: Any alteration in data processing practices that results in customer data being transferred outside the Union or used to train third-country AI systems, violating Annex II criteria.
The obligation is proactive and immediate. The phrase "as soon as possible" imposes a duty of urgency. Providers cannot wait for the annual review cycle (required for Levels 2–4 under Article 20(8)) to disclose such changes. Failure to report immediately could be deemed a breach of the transparency obligations, triggering enforcement actions.
The Notification Chain and Consequences
The mechanism described in Article 23 ensures a rapid flow of information to maintain the integrity of the framework:
- Provider Notification: The provider notifies the relevant bodies (auditing organisation and/or competent authority) immediately upon becoming aware of the change.
- Auditor Assessment (Levels 2–4): Under Article 23(2), the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked. If they amend or revoke the report, they must notify the national competent authority.
- Authority Assessment: Under Article 23(3), the national competent authority of establishment must assess whether its recognition needs to be amended or revoked.
- Union-Wide Notification: If the recognition is amended or revoked, the national competent authority must notify the competent authorities of all other Member States and the Commission.
- Repository Update: This chain ensures that the central repository under Article 22 is updated in real-time. A revocation or amendment must be published in the repository and remain available for five years, ensuring that contracting authorities do not procure services based on invalid recognitions.
This process is critical for public procurement. Under Article 30, contracting authorities must procure services at the appropriate assurance level (Level 1 for general use; Levels 2–4 for public-order-relevant activities). If a provider's status changes but is not reported, a public body might inadvertently procure a service that no longer meets the legal requirement, exposing the authority to legal risk and the provider to penalties under Article 24.
What this means for you
For cloud service providers, data centre operators, and their legal and compliance teams, the universal application of Article 23 has significant operational implications.
1. Universal Compliance, Not Just for High Tiers
Do not assume that transparency duties are only relevant for providers seeking the highest assurance levels (3 or 4). If you are recognised at Level 1, you are equally bound by Article 23. The "self-assessment" nature of Level 1 does not exempt you from the duty to report material changes. In fact, because Level 1 relies on the provider's own declaration of compliance, the duty to self-report changes is arguably even more critical to maintain trust.
2. Establish Real-Time Monitoring Mechanisms
You must implement internal governance systems capable of detecting "material changes" in real-time. This goes beyond annual compliance audits. Your monitoring should cover:
- Corporate Governance: Changes in shareholding, board composition, or ultimate beneficial ownership.
- Operational Footprint: Any shifts in the location of servers, data storage, or key personnel.
- Supply Chain: Changes in subcontractor relationships, especially those involving third-country entities.
- Certifications: The status of cybersecurity certificates and other compliance credentials.
3. The "As Soon As Possible" Standard
The legal standard is immediate action. Delaying a report until the next scheduled audit or annual review is a compliance failure. If you become aware of a change on a Tuesday, you must notify the relevant bodies by Wednesday (or sooner, depending on the severity). Delays can lead to the revocation of your recognition, removal from the central repository, and potential penalties under Article 24 for infringements of the sovereignty chapter.
4. Coordination with Auditors (Levels 2–4)
For providers at Levels 2, 3, and 4, your relationship with your auditing organisation is central to compliance. You must have clear contractual and operational channels to notify them immediately. Remember that the auditor has a duty to reassess the audit report upon notification. If the auditor revokes their opinion, your recognition will follow suit.
5. Business Continuity and Migration Risks
A material change leading to revocation can have severe business continuity impacts. If your recognition is revoked, public sector contracting authorities relying on your service for public-order activities (requiring Levels 2–4) or general operations (requiring Level 1) may be forced to migrate their workloads. While Article 29(6) allows for a transition period of up to 12 months for migration, a sudden revocation due to non-compliance with transparency duties could disrupt this timeline and damage your reputation in the EU market.
6. Documentation is Key
Maintain a rigorous audit trail of all notifications sent to auditing organisations and competent authorities. In the event of an investigation or dispute, proof of timely compliance with Article 23 will be a critical defence against allegations of negligence or intentional non-compliance.
Common misconceptions
Misconception 1: Transparency obligations only apply to Levels 3 and 4. Correction: Article 23 applies to providers recognised at any Union assurance level (1–4). Level 1 providers, despite using a self-assessment model, are still recognised by national authorities and must report material changes that affect their conformity or recognition status. The reference to "audit reports" in the article is context-dependent; for Level 1, the duty focuses on the "recognition" aspect.
Misconception 2: "Material change" only refers to cybersecurity breaches. Correction: While cybersecurity incidents are relevant, the scope is much broader. It includes any change affecting the criteria in Annex II, such as changes in corporate control, data localisation practices, personnel citizenship, or subcontractor arrangements. Any event that undermines the provider's ability to meet the cumulative criteria for their level is material.
Misconception 3: Providers can wait for the annual audit review to disclose changes. Correction: Article 23 requires notification "as soon as possible" upon becoming aware of the change. Waiting for the scheduled annual review (required under Article 20(8) for Levels 2–4) is non-compliant. The transparency duty is continuous and immediate, not periodic.
Misconception 4: Only the national competent authority needs to be notified. Correction: For providers at Levels 2, 3, and 4, the notification must go to both the auditing organisation and the national competent authority of establishment. The auditing organisation needs the information to assess the validity of its audit report, while the authority needs it to assess the validity of the recognition. For Level 1, the notification is to the national competent authority.
Misconception 5: SMEs are exempt from transparency duties. Correction: While Article 17(3) provides an automatic recognition mechanism for SMEs at Level 1 to reduce administrative burden, it does not exempt them from the transparency obligations of Article 23. If an SME recognised at Level 1 experiences a material change, it must still notify the competent authority to ensure the accuracy of the central repository.
This is general information about a draft EU regulation, not legal advice.