Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud service provider seeking to upgrade its sovereignty tier to Union assurance levels 2, 3, or 4 must undergo a new, comprehensive independent audit. You cannot simply perform a "delta" audit covering only the new requirements. As proposed in Article 20(1), an audited provider seeking a higher level must satisfy all applicable cumulative criteria for that higher level, including those of lower tiers. Failure to meet any requirement of a lower level precludes conformity with the higher level. Consequently, the auditing organisation must issue a fresh "positive" audit opinion covering the full scope. This new opinion, along with the audit report and evidence, must then be submitted to the national competent authority for formal recognition under Article 17(4).
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework comprising four Union assurance levels. For providers aiming to serve public-sector bodies or high-criticality private entities, understanding the rigour required to move between these levels is essential. The proposal explicitly rejects the notion of incremental or partial audits for tier upgrades, mandating instead a holistic verification of compliance.
The Cumulative Nature of Assurance Levels
The core principle governing tier upgrades is the cumulative nature of the criteria set out in Annex II. The proposal does not allow providers to "top up" an existing audit. Instead, the regulatory text imposes a strict hierarchy where higher levels encompass all requirements of the lower levels.
Article 20(1) of the CADA proposal is definitive on this point. It states that cloud computing service providers seeking recognition as offering Union assurance level 2, 3, or 4 shall undergo independent third-party audits at their own expense. Crucially, the article continues: "An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
This provision has two immediate implications for providers planning an upgrade:
- No Partial Audits: An audit for Level 3 must verify compliance with Level 1, Level 2, and Level 3 criteria. An audit for Level 4 must verify compliance with Levels 1, 2, 3, and 4.
- Zero Tolerance for Gaps: If a provider has a minor compliance gap in a Level 2 criterion (e.g., a specific personnel screening requirement), it cannot achieve Level 3 recognition until that gap is closed and the entire stack is re-verified.
The Requirement for a New Audit and Positive Opinion
Because the criteria are cumulative and the verification must be exhaustive, a provider already recognised at a lower level (e.g., Level 2) cannot rely on their previous audit report to claim a higher level (e.g., Level 3). The proposal requires a distinct audit procedure for the target tier.
The auditing organisation must assess the provider's service against the full set of criteria for the requested level. Upon completion, the organisation must prepare an audit report and issue an audit opinion. Article 20(5)(g) specifies that the report must include a "positive" or "negative" audit opinion. Only a "positive" opinion confirms that the audited service complies with the applicable audit criteria.
Therefore, to upgrade, a provider must commission a new audit that results in a new positive audit opinion. This opinion serves as the primary evidence that the provider meets the cumulative requirements of the new tier.
The Recognition Process Under Article 17(4)
Once the new audit is complete and the positive opinion is issued, the provider must seek formal recognition. This process is governed by Article 17, which outlines the mechanism for recognition of cloud computing service providers.
Article 17(4) explicitly states: "For Union assurance levels 2, 3 and 4, the candidate cloud computing service provider shall submit to the evaluating national competent authority the audit report, the 'positive' audit opinion referred to in Article 20 and all the evidence provided to the auditing organisation during the audit procedure."
This submission triggers a multi-stage review:
- Evaluation: The evaluating national competent authority assesses the evidence within 60 days.
- Union-wide Review: If the authority prepares a draft recognition decision, it notifies other Member States' competent authorities for a 60-day review period.
- Objection Handling: Other Member States may submit reasoned objections if they believe the draft decision does not comply with the applicable Union assurance level.
- Final Recognition: If no reasoned objections are raised, the service is recognised throughout the Union at the new assurance level.
This process ensures that a tier upgrade is not merely a private certification but a Union-wide recognition of enhanced sovereignty.
What the New Audit Must Cover
While the specific criteria vary by level, a new audit for an upgrade must cover the full spectrum of Annex II requirements. Key areas that will be scrutinised include:
- Establishment and Location: Verification that the provider and relevant subcontractors are established in the Union, and that infrastructure, assets, and personnel are located within the Union.
- Data Localisation: Ensuring customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body.
- Personnel Citizenship: For Level 3 and 4, verifying that personnel are Union citizens and, where appropriate, hold necessary national security clearances. Note that for Level 2, this is conditional (only if the public body requires it), whereas for Levels 3 and 4, it is mandatory.
- Cybersecurity Certification: Confirming the service holds a European cybersecurity certificate of at least assurance level 'substantial' (for Levels 2 and 3) or 'high' (for Level 4), or meets equivalent national standards if the EU scheme is not yet available.
- Third-Country Control: Demonstrating that the provider is not subject to the control of a third country. For Level 3, a derogation is possible under Article 18 if the Commission has adopted an implementing act for that third country, but the provider must still demonstrate specific safeguards.
- Software Supply Chain: Providing a complete Software Bill of Materials (SBOM), demonstrating controls against remote tampering, and showing that migration plans exist for third-country components.
Annual Reviews vs. Tier Upgrades
It is important to distinguish between the mandatory annual review and a tier upgrade. Article 20(8) requires that the audited provider shall annually submit for review the audit report and the associated "positive" audit opinion to the same or a different auditing organisation. This annual review assesses continued compliance with the current assurance level.
If a provider wishes to upgrade tiers during this annual cycle, the annual review is insufficient. The provider must request a full audit for the higher tier, resulting in a new report and a new positive opinion. The annual review mechanism does not replace the requirement for a new, comprehensive audit when changing assurance levels.
What this means for you
For cloud service providers and data centre operators, planning for tier upgrades requires significant preparation, budgeting, and strategic foresight.
- Budget for Full Re-Audits: Do not underestimate the cost. An upgrade from Level 2 to Level 3 is not a minor add-on; it is a full re-audit of your operations against a stricter set of cumulative rules. Ensure your financial planning accounts for the fees of independent auditing organisations for a comprehensive engagement, not a limited-scope review.
- Prepare Your Documentation: The auditing organisation will need access to all relevant data, premises, and documentation. Ensure your Software Bill of Materials (SBOM), personnel records (including citizenship and clearance status), and data flow diagrams are up-to-date and accurately reflect your operations across the entire Union. Gaps in documentation can lead to a negative opinion.
- Conduct Internal Gap Analysis: Because the criteria are cumulative, gaps in lower-level compliance will block your upgrade. Before engaging an auditor, conduct a rigorous internal gap analysis against the target tier's Annex II criteria. If you are not fully compliant with Level 2, you cannot achieve Level 3.
- Coordinate with National Competent Authorities: Once you have your new positive audit opinion, you must submit it to the national competent authority of your establishment. Be prepared for the 60-day assessment period and the subsequent 60-day review period by other Member States. Any objections must be resolved before your new tier is officially recognised Union-wide.
- Plan for Personnel Requirements: If targeting Level 3 or 4, ensure you have a workforce of Union citizens available, as this is a mandatory requirement for these levels, unlike Level 2 where it is conditional.
Common misconceptions
"I only need to audit the new requirements."
- Reality: The CADA explicitly states that criteria are cumulative. To reach Level 3, you must prove compliance with Level 1 and Level 2 criteria as well. The audit must cover the full scope. A "delta" audit is not sufficient.
"My Level 2 audit automatically counts for Level 3."
- Reality: While the evidence from a Level 2 audit may be useful as a starting point, you cannot use a Level 2 audit report to claim Level 3 status. You need a new audit report and a new "positive" opinion specifically addressing the Level 3 criteria.
"I can self-assess for Level 3."
- Reality: Self-assessment is only permitted for Union assurance level 1 under Article 19. Levels 2, 3, and 4 require mandatory independent third-party audits.
"Recognition is immediate upon audit completion."
- Reality: Recognition is not automatic. You must submit the audit report and opinion to the national competent authority, which then undergoes a formal review and notification process with other Member States before the new tier is officially recognised.
This is general information about a draft EU regulation, not legal advice.