Does a change of ownership trigger a CADA transparency notification?

Summary Yes, a change of ownership or control of a cloud computing service provider would trigger a mandatory transparency notification under the proposed Cloud and AI Development Act (CADA). As proposed in Article 23(1), providers must notify their auditing organisation and national competent authority "as soon as possible" upon becoming aware of any "material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17." Because ownership changes directly impact the sovereignty criteria regarding third-country control, establishment, and personnel, they constitute a material change requiring immediate reporting to maintain the validity of the Union assurance level.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous, dynamic framework for cloud computing sovereignty, designed to mitigate risks associated with dependence on non-European providers. Central to this framework is the Union cloud computing sovereignty framework, which categorises services into four Union assurance levels (Article 16). To maintain recognition at any of these levels, a provider must continuously comply with strict cumulative criteria, particularly regarding establishment, infrastructure location, data localisation, and, crucially, the absence of third-country control.

Unlike static compliance regimes, CADA recognises that corporate structures and market conditions are fluid. Consequently, Article 23(1) imposes a specific, proactive transparency obligation on recognised providers. The text mandates that a cloud computing service provider shall, "as soon as possible, notify the auditing organisation and the national competent authority of establishment" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."

A change of ownership is inherently a "material change in circumstances" because it directly impacts the core sovereignty criteria set out in Annex II. The criteria for Union assurance levels 2, 3, and 4 explicitly require that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country (with a specific derogation mechanism for Level 3 under Article 18). The definition of "control" in the CADA corpus is broad, encompassing not just majority shareholding but also the ability to exercise decisive influence over strategic objectives, significant decisions, or the appointment of management.

If a change in ownership results in a third-country entity gaining such control, the provider may immediately cease to meet the cumulative criteria for its current assurance level. For example, Annex II, Section 3.1(g) for Level 3 and Section 4.1(g) for Level 4 state that the provider and subcontractors must not be subject to third-country control. If a non-EU parent company acquires a controlling stake, the provider would likely fail these criteria unless the Commission has adopted a specific implementing act under Article 18 identifying that third country as providing sufficient assurances.

The notification mechanism is designed to ensure real-time regulatory oversight. The provider does not wait for the next scheduled annual audit cycle to report this change. Instead, the obligation is triggered by the provider's awareness of the change. Once notified, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). Subsequently, the national competent authority assesses whether the formal recognition of the service needs to be amended or revoked (Article 23(3)). If the recognition is amended or revoked, the competent authority must notify other Member States and the Commission, ensuring the central repository of recognised services is updated (Article 22(3)).

This process ensures that the dynamic nature of corporate ownership does not undermine the static assurance provided by the initial audit. The CADA framework recognises that sovereignty is not a one-time achievement but a continuous state of compliance. Therefore, any shift in the corporate structure that alters the provider's independence from third-country jurisdictions must be immediately transparent to the regulatory ecosystem. The recitals further emphasise that the framework aims to address risks such as "unauthorised access to Union data" and "disruption of service continuity," which are directly linked to who controls the provider.

What this means for you

For cloud service providers and data centre operators seeking or holding a Union assurance level, a change of ownership is not merely a corporate governance issue; it is a regulatory trigger with immediate compliance implications.

1. Immediate Notification Duty: If your company undergoes a merger, acquisition, or significant shareholding change, you must evaluate whether this alters your status regarding third-country control. If it does, you must notify your auditing organisation and the national competent authority of establishment "as soon as possible" under Article 23(1). Delaying this notification could be viewed as a failure to meet transparency obligations, potentially leading to penalties under Article 24.
2. Impact on Assurance Level: Be prepared for the possibility that your current Union assurance level may be downgraded or revoked. For example, if a US-based parent company acquires a majority stake in your EU-based provider, you may lose eligibility for Union assurance level 3 or 4, which generally prohibit third-country control. You might only remain eligible for Union assurance level 2 (if specific safeguards are met) or Level 1, depending on the specific criteria in Annex II and whether the new owner is subject to a derogation under Article 18.
3. Audit Re-assessment: The notification will likely trigger a re-assessment by your auditing organisation. They will examine the new ownership structure to determine if the "positive" audit opinion remains valid. This may involve reviewing shareholder agreements, board composition, veto rights, and financial links to ensure no third-country entity can compel actions that compromise EU data sovereignty or service continuity. The auditing organisation has the power to revoke its audit report if it finds the provider supplied incorrect or misleading information (Article 20(7)).
4. Procurement Consequences: Public sector bodies rely on the central repository to make procurement decisions. If your recognition is amended or revoked due to an ownership change, public sector contracts that require a specific assurance level (e.g., Level 3 for high-risk public order activities under Article 30(3)) may be at risk. Contracting authorities may be required to migrate to a different provider if your service no longer meets the required assurance level, potentially disrupting service continuity.
5. Documentation and Evidence: Maintain up-to-date documentation of your corporate structure, including shareholding registers, governance documents, and records of strategic decision-making powers. Auditing organisations will require this evidence to verify compliance with the "absence of third-country control" criteria during the re-assessment process. Annex III details the specific evidence required, including cap tables, articles of association, and records of board decisions.

Common misconceptions

• "Only physical infrastructure changes matter." This is incorrect. While the location of servers and data is critical, the CADA framework places equal weight on corporate control and governance. A change in ownership that introduces third-country influence can disqualify a provider from higher assurance levels even if the physical infrastructure remains entirely within the EU. The criteria in Annex II explicitly separate "location of infrastructure" from "control" and "ownership."
• "Notification is only required at the next annual audit." Article 23(1) requires notification "as soon as possible" upon becoming aware of the material change. Waiting for the next scheduled audit cycle is non-compliant. The framework is designed for real-time transparency to protect public order and data sovereignty, as highlighted in the recitals regarding the risks of "unauthorised access" and "service disruption."
• "Minority shareholding changes don't count." The definition of "control" in the CADA corpus is broad and includes not just majority ownership but also strategic decision-making power, veto rights, and significant influence. Annex III, Section 7 explicitly instructs auditors to assess "veto rights," "appointment rights," and "financial links" that could confer control. Even a minority stake that grants veto power over strategic decisions could constitute "control" by a third-country entity, thereby triggering a material change notification.
• "Private sector providers are exempt from this." While Article 23 applies specifically to providers recognised under the Union assurance levels (which are primarily procured by the public sector), the transparency obligations are tied to the recognition itself. If you are a private provider seeking recognition to sell to the public sector, you are bound by these rules. Furthermore, the recitals note that public procurement requirements often drive market alignment, meaning private sector entities may face similar expectations.

Related

• What evidence supports a CADA transparency notification decision?
• CADA Transparency Notification Chain: How Article 23 Works
• CADA Transparency & Audits: How Material Changes Trigger Reassessment
• Does a security incident require a CADA transparency notification?
• Who sets the penalties for CADA transparency infringements?

This is general information about a draft EU regulation, not legal advice.