Summary
Under the proposed Cloud and AI Development Act (CADA), a security incident does not automatically trigger a specific "incident report" to regulators. Instead, it triggers a transparency notification obligation only if the incident constitutes a "material change in circumstances" that affects the validity of your Union assurance level recognition. As proposed in Article 23(1), cloud computing service providers must notify the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of such changes. This duty is distinct from, and often runs parallel to, sector-specific incident reporting obligations under the NIS2 Directive or the Digital Operational Resilience Act (DORA).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services, centred on four "Union assurance levels." A critical component of maintaining this status is the continuous transparency obligation outlined in Article 23 of the proposal. For cloud service providers (CSPs) and data centre operators, understanding when a security breach or incident crosses the threshold from a standard operational event to a regulatory notification requirement is essential for compliance.
Unlike the AI Act or NIS2, which mandate reporting based on the impact of an incident on operations or fundamental rights, CADA's notification trigger is tied to the validity of the sovereignty criteria themselves.
The Trigger: Material Changes, Not Just Incidents
CADA does not prescribe a blanket "security incident reporting" mechanism in the same manner as the NIS2 Directive or DORA. Instead, Article 23(1) mandates that recognised cloud computing service providers notify the relevant authorities if they become aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."
The key legal test is whether the security incident constitutes a material change. A material change is one that impacts the cumulative criteria used to grant the Union assurance level. For example, under Annex II of the CADA proposal, higher assurance levels (2, 3, and 4) require strict controls over third-country access, personnel location, and software supply chain integrity. If a security incident reveals that:
- Data Localisation Breach: Data was accessed by an unauthorised third party outside the Union, violating the data localisation criteria (Annex II, points 1(c), 2(c), 3(c), 4(c));
- Supply Chain Integrity Failure: The incident resulted from a vulnerability in software components that were supposed to be subject to source code audits or migration plans (Annex II, points 2(i), 3(i), 4(i)); or
- Loss of Operational Autonomy: The incident compromises the operational autonomy of the provider by exposing control mechanisms to third-country entities, or reveals that a third-country entity is exercising control in a manner that restricts service delivery (Annex II, points 2(g), 3(g), 4(g));
...then the incident is a material change affecting the audit criteria. In such cases, the provider has a duty to notify.
Conversely, a security incident that is contained, does not result in data exfiltration, and does not alter the provider's establishment, infrastructure location, or control structure may not constitute a material change under CADA, even if it is a significant cybersecurity event.
The Notification Chain
The notification under Article 23(1) goes to two recipients, reflecting the dual nature of CADA's governance (audit-based recognition and national enforcement):
- The Auditing Organisation: The provider must notify the auditing organisation that issued the audit report and the "positive" audit opinion. This is because the auditor needs to assess whether the audit report or opinion needs to be amended or revoked based on the new information.
- The National Competent Authority of Establishment: The provider must also notify the competent authority in the Member State where the provider has its main establishment.
The proposal states that this notification must occur "as soon as possible" after the provider becomes aware of the information or change. CADA does not specify a fixed deadline (unlike NIS2's 24-hour early warning or DORA's four-hour initial notification), but "as soon as possible" implies immediate action proportional to the severity of the material change. The urgency is driven by the need to prevent the continued offering of a service under a recognition that may no longer be valid.
Distinction from NIS2 and DORA
It is crucial for providers to distinguish between CADA's sovereignty-focused transparency obligations and cybersecurity-focused incident reporting regimes. The objectives, triggers, and consequences differ significantly:
- NIS2 Directive: Requires essential and important entities to notify their CSIRT or competent authority of "significant incidents" in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. The focus is on the impact on society, the economy, and public security. The threshold is the impact of the incident.
- DORA: Requires financial entities to report major ICT-related incidents to their competent authority, with an initial notification due within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), followed by intermediate and final reports. The focus is on operational resilience within the financial sector.
- CADA: Focuses on sovereignty and assurance level validity. An incident might be significant enough to trigger NIS2 reporting but not material enough to affect the Union assurance level criteria (for example, a DDoS attack that is mitigated without data exfiltration, loss of control, or violation of personnel location rules). Conversely, an incident might fall below the NIS2 significance threshold but still violate specific sovereignty criteria (for example, inadvertent access by a third-country subsidiary, or a change in the legal control structure), thereby triggering an Article 23 notification under CADA.
Providers subject to both regimes must maintain parallel reporting workflows. A failure to report a material change under CADA could lead to the revocation of the Union assurance level recognition, effectively barring the provider from public sector contracts that require such assurance, even if the NIS2 reporting was timely.
Consequences of Non-Notification
If a provider fails to notify a material change, the auditing organisation or the national competent authority may discover the change through subsequent audits, external reports, or cross-border cooperation mechanisms. Under Article 23(2), the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked. If the provider concealed a material change, the authority may revoke the recognition entirely.
Furthermore, Article 24 provides that Member States must lay down rules on penalties for infringements of this Chapter, which would include failing to meet transparency obligations. These penalties must be "effective, proportionate and dissuasive." While CADA does not set fixed fine amounts (unlike the AI Act's Article 99), the reputational damage of losing Union assurance level recognition, especially for providers targeting the public sector, could be far more severe than a monetary fine.
What this means for you
For cloud service providers and data centre operators seeking or holding Union assurance level recognition, the following operational steps are critical to ensure compliance with Article 23:
- Integrate Incident Response with Compliance Teams: Your security incident response plan (SIRP) must include a specific compliance triage step. When an incident occurs, immediately assess it against the specific criteria of your Union assurance level (as defined in Annex II). Ask: "Does this breach violate any of the cumulative criteria for our assurance level?"
- Define "Material Change" Internally: Develop internal guidelines that map common security incidents to CADA criteria. For instance, any unauthorised access by personnel who do not meet the personnel requirements of your assurance level (Levels 3 and 4 in particular), or any transfer of data outside the Union that the applicable localisation criteria do not permit, should be treated as a material change by default rather than assessed case by case under time pressure.
- Establish Rapid Notification Protocols: Ensure your legal and compliance teams have direct lines of communication with both your auditing organisation and your national competent authority. "As soon as possible" requires pre-defined escalation paths to avoid delays.
- Maintain Parallel Reporting Logs: Keep distinct logs for NIS2/DORA incident reports and CADA transparency notifications. While the facts may overlap, the legal basis, audience, and content requirements differ. Do not assume a NIS2 notification satisfies CADA obligations.
- Prepare for Audit Reassessment: Be ready to provide evidence to your auditing organisation immediately upon notification. Under Article 23(2), the auditor must assess whether the audit report or opinion needs to be amended or revoked in light of the notification, and may do so if the incident fundamentally undermines the assurance level.
Common misconceptions
Misconception 1: "If I report to NIS2, I don't need to notify under CADA." Reality: NIS2 and CADA serve different purposes. NIS2 focuses on cybersecurity resilience and public order impact. CADA focuses on sovereignty and the validity of the assurance level. An incident may not be "significant" under NIS2 but may breach sovereignty criteria (e.g., data access by a third-country entity), requiring CADA notification.
Misconception 2: "Only data breaches trigger Article 23." Reality: Article 23 covers any "material change in circumstances." This includes operational changes, such as a change in control by a third-country entity, a change in the location of infrastructure, or a failure in software supply chain controls. These may not be "data breaches" in the traditional sense but are material to the assurance level criteria.
Misconception 3: "I only notify if the audit opinion is revoked." Reality: The notification obligation arises when you become aware of a material change that may affect the audit report. You notify first; the auditor then assesses whether to amend or revoke. Waiting for revocation before notifying is a violation of Article 23(1).
Misconception 4: "CADA has a 24-hour reporting deadline like NIS2." Reality: CADA uses the flexible standard "as soon as possible." While this implies urgency, it is not a fixed hourly deadline. However, the lack of a fixed deadline does not reduce the obligation to act immediately upon discovery of a material change.
This is general information about a draft EU regulation, not legal advice.