Summary

As proposed, CADA recognition does not carry a fixed calendar expiration date (e.g., "valid for 5 years"). However, it is not permanent. For Union assurance levels 2, 3, and 4, recognition remains valid only if the provider undergoes an annual independent audit review to confirm continued compliance. If a provider fails this annual review, or if it is found to have intentionally or negligently supplied incorrect or misleading information during the process, the national competent authority may revoke the recognition immediately.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a dynamic sovereignty framework rather than a static certification. A critical operational question for cloud providers is whether the formal recognition of a Union assurance level expires after a set period. The proposal does not define a static "shelf-life" for the recognition decision itself. Instead, the validity of the recognition is inextricably linked to the continuous validity of the underlying audit evidence and the provider's ongoing adherence to the criteria in Annex II.

The mechanism for maintaining validity differs significantly between the assurance levels.

Level 1: Self-Assessment and Continuous Responsibility

For Union assurance level 1, the framework relies on a conformity self-assessment. Under Article 19, the provider issues an EU statement of conformity. While there is no statutory requirement for an annual third-party audit for this level, the provider assumes full responsibility for the accuracy of that statement at all times. The recognition is not "time-bound" in the traditional sense, but it is conditional on the provider maintaining the criteria and reporting material changes.

Levels 2, 3, and 4: The Annual Audit Mandate

For Union assurance levels 2, 3, and 4, the framework mandates independent third-party audits. The proposal explicitly rejects a multi-year certification model in favor of an annual review cycle.

Article 20(8) is the governing provision for the longevity of recognition at these levels. It states:

"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."

This provision establishes a strict annual rhythm. The "recognition" granted by the national competent authority under Article 17 is predicated on the existence of a valid, positive audit opinion. If the annual review under Article 20(8) results in a negative opinion or a revocation of the audit report, the foundation for the recognition collapses. Consequently, while the authority's decision does not have a printed expiry date, the service effectively loses its recognised status if the annual audit cycle is not successfully completed.

Revocation for Misleading Information

Beyond the annual cycle, the proposal provides a mechanism for immediate revocation if the integrity of the recognition process is compromised. Article 17(11) grants the evaluating national competent authority the power to revoke recognition in cases of fraud or negligence regarding the information provided.

Specifically, Article 17(11) states:

"The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently, supplied incorrect or misleading information."

This clause applies to information submitted during the initial application for recognition as well as any subsequent updates. It ensures that a provider cannot maintain a recognised status based on a flawed or deceptive initial assessment, regardless of how much time has passed since the recognition was granted.

The Role of Transparency and Material Changes

The obligation to maintain recognition is further reinforced by Article 23, which imposes transparency obligations. Providers must notify the auditing organisation and the competent authority "as soon as possible" of any "material change in circumstances" that may affect the audit report or the recognition.

If a provider fails to report a material change (e.g., a change in ownership structure, the location of critical infrastructure, or the introduction of a new third-country subcontractor), the auditing organisation may reassess the audit opinion. If the opinion is amended or revoked due to the unreported change, the competent authority will subsequently review and likely revoke the recognition. Thus, the validity of the recognition is a continuous state of compliance, not a fixed term.

What this means for you

For cloud service providers targeting the EU public sector market, the CADA framework requires a shift from a "project-based" compliance mindset to an "operational lifecycle" mindset. You must integrate compliance maintenance into your daily operations, not just your initial market entry strategy.

1. Budget for Recurring Annual Audits

If you are targeting levels 2, 3, or 4, you must budget for an independent third-party audit every single year. This is a recurring operational cost, not a one-time capital expenditure.

  • Action: Secure a contract with an auditing organisation that explicitly covers the annual review requirement under Article 20(8).
  • Risk: If you miss the annual submission window or fail to secure a "positive" audit opinion, your recognition becomes invalid, potentially disqualifying you from public procurement contracts that require a specific assurance level.

2. Implement Continuous Monitoring for "Material Changes"

You cannot wait for the annual audit to discover compliance gaps. Article 23 requires you to self-monitor and report material changes immediately.

  • Action: Establish an internal governance process to track changes in:
    • Ownership and control structures (to ensure no new third-country control emerges).
    • Infrastructure location (to ensure data and assets remain in the Union).
    • Personnel status (to ensure Union citizenship requirements are met).
    • Subcontractor relationships.
  • Risk: Failure to report a material change can lead to the revocation of your audit opinion and subsequent recognition, even if you pass the annual review.

3. Rigorous Data Accuracy in Applications

The "intentional or negligent" standard in Article 17(11) is strict. It is not enough to claim you "didn't know" that the information was incorrect.

  • Action: Conduct a pre-submission audit of all evidence provided for your initial recognition application. Ensure that your Software Bill of Materials (SBOM), ownership charts, and infrastructure maps are accurate and up-to-date at the moment of submission.
  • Risk: If an authority later discovers that your initial application contained misleading information (even due to negligence), they can revoke your recognition retroactively.

4. Plan for Audit Continuity

Article 20(8) allows you to switch auditing organisations for the annual review ("to the same or a different auditing organisation").

  • Action: Maintain a relationship with multiple qualified auditing organisations or ensure your current auditor has the capacity to scale with your growth. Do not let your relationship with a single auditor become a single point of failure.

Common misconceptions

Misconception 1: "CADA recognition is like a CE mark that lasts 5 years." Many providers assume that once they pass an audit, they are "certified" for a multi-year period. This is incorrect. For levels 2–4, CADA mandates an annual review cycle. There is no "grace period" or multi-year validity. The recognition is only as strong as the most recent positive audit opinion.

Misconception 2: "If I passed the initial audit, I'm safe until the next scheduled review." The initial audit only gets you the recognition. Article 20(8) requires an annual review to maintain it. Furthermore, Article 23 requires immediate reporting of material changes. If a significant change occurs six months after your initial audit, you must report it immediately; waiting for the annual review could be a violation.

Misconception 3: "Minor errors in my application are harmless." Article 17(11) explicitly covers negligent supply of incorrect information. If you make a careless error in your ownership declaration or infrastructure map that affects the assessment of your sovereignty level, the authority can revoke your recognition. The standard is not just "fraud"; it includes negligence.

Misconception 4: "Recognition expires automatically after a set time." The proposal does not set a fixed expiration date (e.g., "valid until 2030"). Instead, recognition expires functionally when the annual audit is not passed, or legally when the authority revokes it due to misleading information or failure to report changes. It is a conditional status, not a time-limited one.

This is general information about a draft EU regulation, not legal advice.