Summary
As proposed, the Cloud and AI Development Act (CADA) does not simply replicate existing cybersecurity audits; it introduces a distinct, sovereignty-focused audit regime for cloud computing services seeking Union assurance levels 2, 3, or 4. While CADA's Article 20 mandates independent third-party audits against specific Annex II criteria, it explicitly acknowledges that existing certifications, such as the European Cybersecurity Certification Scheme for Cloud Services (EUCS), can satisfy certain technical cybersecurity criteria within those higher assurance levels. However, EUCS, NIS2, and DORA audits do not substitute for the CADA audit because they do not assess the broader sovereignty, operational autonomy, and third-country control risks that CADA targets. Providers must therefore prepare for a complementary audit process that leverages existing evidence but addresses new, sovereignty-specific requirements.
Detail
To understand how CADA's audit regime interacts with existing EU frameworks, it is necessary to distinguish between the purpose of the audits and the evidence they generate. CADA is designed to mitigate risks related to technological sovereignty, operational autonomy, and dependence on third-country providers, whereas instruments like the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the upcoming EUCS focus primarily on technical cybersecurity and operational resilience.
The CADA Audit Requirement: Articles 19 and 20 and Annex II
Under the proposed CADA, the audit obligation is tiered. For Union assurance level 1, providers carry out a conformity self-assessment and issue an EU statement of conformity (Article 19). However, for Union assurance levels 2, 3, and 4, the rules are stricter. Article 20(1) of the CADA proposal states that cloud computing service providers seeking recognition for these higher levels "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
These audits are not generic security reviews. They are strictly bound to the criteria set out in Annex II of the CADA proposal. Annex II defines cumulative criteria for each assurance level, covering areas such as:
- Location and Establishment: Infrastructure, assets, and personnel must be located in the Union (Annex II, Section 2.1(b) and 3.1(b)).
- Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union (Annex II, Section 2.1(c)).
- Third-Country Control: Providers must demonstrate that they are not subject to the control of a third country in a way that could compromise service continuity, data access, or operational autonomy (Annex II, Section 2.1(g) and 3.1(g)).
- Software Supply Chain: Providers must maintain a software bill of materials (SBOM) and demonstrate controls to block remote features that could tamper with systems (Annex II, Section 2.1(i)).
The auditing organisation must assess compliance with these specific sovereignty and operational criteria, not just technical security controls. Article 20(1) reinforces this by stating that audited providers undergoing an audit at a higher Union assurance level must satisfy all cumulative criteria under Annex II applicable to lower levels as well.
Interaction with EUCS: Complementary, Not Substitutive
A key question for providers is whether an existing EUCS certification (under the Cybersecurity Act) replaces the CADA audit. The answer is no, but there is significant overlap. The CADA proposal explicitly integrates EUCS into its higher assurance levels. For example, Annex II, Section 2.1(e) requires that for Union assurance level 2, the audited service "obtains a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services... provided that such a scheme has been established." Similarly, Union assurance level 4 requires a certificate of at least assurance level 'high' (Annex II, Section 4.1(e)).
This means that, once a cloud certification scheme under the Cybersecurity Act is in place, holding an EUCS certificate at the required assurance level is a component of meeting the CADA criteria for levels 2, 3, and 4, but it is not the entirety of the audit. Note the condition in the Annex II wording quoted above: the certificate requirement applies only "provided that such a scheme has been established", and EUCS itself is still forthcoming. Beyond that certificate, the CADA audit must verify non-technical sovereignty criteria, such as the absence of third-country control over the provider's ability to deliver the service, the location of personnel, and the handling of subcontractors. As the CADA explanatory memorandum notes, "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." The CADA audit is therefore a broader assessment that includes but exceeds the scope of EUCS.
NIS2 and DORA: Different Legal Bases, Different Goals
The NIS2 Directive and DORA impose strict cybersecurity and operational resilience obligations on essential and important entities, including many cloud providers. However, these frameworks are not designed to assess sovereignty or third-country dependency risks in the manner CADA does.
- NIS2: Focuses on risk management, incident reporting, and business continuity. While it improves trust in cloud services, it does not mandate the specific data localisation, personnel location, or third-country control tests required by CADA's Annex II.
- DORA: Applies to financial entities and, through its oversight framework for critical ICT third-party providers, to the cloud providers that serve them. It focuses on ICT risk management, ICT incident reporting, and digital operational resilience testing. It does not address the broader public order and sovereignty risks that CADA's Union assurance levels target.
Consequently, a cloud provider compliant with NIS2 or DORA obligations still needs to undergo the specific CADA audit to be recognised for Union assurance levels 2–4. The CADA audit is a distinct legal obligation under a different regulation, aimed at a different policy goal (technological sovereignty vs. operational resilience).
Reusing Existing Audit Evidence
While the audits are distinct, CADA is designed to avoid unnecessary duplication of effort. Article 21 of the CADA proposal outlines the "Content and quality of audit evidence." It states that auditing organisations should assess compliance based on audit evidence listed in Annex III. This evidence is indicative and does not limit the evidence that may be requested.
In practice, this means that auditors will likely accept existing documentation and evidence from NIS2, DORA, or EUCS compliance processes where relevant. For instance:
- Evidence of technical cybersecurity measures from an EUCS audit can be used to satisfy the cybersecurity components of CADA's Annex II criteria.
- Incident response and risk management documentation required by NIS2 can inform the operational resilience aspects of the CADA audit.
- Software supply chain documentation (such as SBOMs) required by other frameworks can be leveraged for CADA's Annex II, Section 2.1(i) requirements.
However, providers must be prepared to supply additional evidence that is not covered by these existing frameworks. This includes detailed proof of the location of all infrastructure and personnel, contractual clauses preventing third-country access to data, and evidence of legal separation from third-country subsidiaries (Annex III, Audit Criterion K). The auditing organisation has the discretion to request any additional information necessary to ensure a comprehensive assessment (Annex III, introductory paragraph).
The Role of the Auditing Organisation
Article 20 of CADA sets strict independence requirements for auditing organisations. They must be independent from the cloud provider, have no conflicts of interest, and possess proven expertise in auditing cloud computing services. Providers are free to select their auditing organisation, provided it meets these criteria. The audit report must include a "positive" or "negative" opinion on whether the service complies with the applicable audit criteria for the specific Union assurance level (Article 20(5)). A "positive" opinion is a prerequisite for the national competent authority to grant recognition under Article 17.
What this means for you
For cloud service providers and data centre operators, the introduction of CADA's audit regime means preparing for a more comprehensive compliance landscape.
- Map Your Current Certifications: If you already hold an EUCS certificate, you are already partway to meeting the technical cybersecurity requirements for CADA's Union assurance levels 2–4. However, you must identify the gaps between EUCS and CADA's Annex II criteria, particularly regarding third-country control, data localisation, and personnel location.
- Prepare Sovereignty-Specific Evidence: Start documenting evidence that is not typically required by NIS2 or DORA. This includes:
  - Detailed maps of all infrastructure and data storage locations within the Union.
  - Contracts with subcontractors that explicitly prohibit third-country access to data and ensure operational autonomy.
  - Proof of the legal and technical separation between EU entities and any third-country subsidiaries.
  - Documentation of software supply chain controls, including SBOMs and source code auditability.
- Engage with Auditors Early: When selecting an auditing organisation for your CADA audit, choose one with experience in both cybersecurity and sovereignty assessments. Discuss how they plan to leverage your existing EUCS, NIS2, or DORA evidence to streamline the process.
- Plan for Ongoing Reviews: Article 20(8) requires annual reviews of the audit report and opinion to assess continued compliance. Ensure your internal monitoring processes are robust enough to support these annual reviews without requiring a full re-audit from scratch, unless material changes occur.
Common misconceptions
- "EUCS certification is enough for CADA compliance." This is incorrect. An EUCS certificate at the required assurance level satisfies the specific certification criterion in Annex II (Sections 2.1(e) and 4.1(e)) for CADA's higher assurance levels, but it does not address the sovereignty, data localisation, and third-country control requirements. A separate CADA audit is still required to verify these additional criteria.
- "NIS2 or DORA compliance replaces the CADA audit." No. NIS2 and DORA focus on operational resilience and cybersecurity. They do not assess the specific sovereignty risks (such as third-country legal access to data) that CADA targets. You will need to undergo the CADA audit regardless of your NIS2 or DORA status.
- "The CADA audit is a complete duplicate of existing audits." While there is overlap, CADA is designed to reuse existing evidence where possible. The audit is not a "start from scratch" process but rather a complementary assessment that builds on existing cybersecurity and resilience documentation while adding sovereignty-specific checks.
- "Only large providers need to worry about this." While the highest assurance levels (3 and 4) are likely to be sought by larger providers handling critical public sector data, any provider aiming for Union assurance level 2 must undergo the independent third-party audit. Level 1 only requires a self-assessment, but even that must be documented in an EU statement of conformity under Article 19.
Related
- Which EU laws does CADA stack on top of? A guide to the new sovereignty layer
- How do EUCS and DORA cloud audits combine with a CADA tier audit?
- Which existing EU certifications can be reused as CADA tier evidence?
- Which CADA obligations stack on top of AI Act obligations?
- CADA vs Existing EU Cloud Rules: The Missing Sovereignty Layer
This is general information about a draft EU regulation, not legal advice.