Summary

Under the proposed Cloud and AI Development Act (CADA), the documentation of third-party consultations is a mandatory, non-negotiable component of the independent audit report required for Union assurance levels 2, 3, and 4. Specifically, Article 20(5)(f) of the proposal explicitly requires the audit report to include "a list of the third parties consulted as part of the audit." This list serves as a critical transparency mechanism, enabling national competent authorities and the public to verify the breadth, independence, and reliability of the evidence gathered. Failure to include this specific list renders the audit report non-compliant with the statutory requirements of the proposal, potentially blocking a provider's recognition for sovereign cloud services and exposing them to penalties under Article 24.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services, structured around four distinct Union assurance levels. While Union assurance level 1 relies on a conformity self-assessment by the provider, Union assurance levels 2, 3, and 4 mandate independent third-party audits conducted by accredited auditing organisations. The integrity of these audits is paramount, as they form the evidentiary basis for the national competent authority's decision to recognise a service at a specific assurance level under Article 17.

A core element of this integrity is the transparency of the audit process itself, which is codified in the detailed requirements for the audit report found in Article 20. Paragraph 5 of Article 20 explicitly enumerates the minimum contents of the audit report. This report is not merely an internal compliance document; it is the legal instrument that substantiates the "positive" or "negative" audit opinion required for recognition. Consequently, every element listed in Article 20(5) is a statutory obligation.

The Specific Requirement: Article 20(5)(f)

Among the mandatory elements, Article 20(5)(f) states that the audit report must include "a list of the third parties consulted as part of the audit." This requirement ensures that the auditing organisation's findings are not based solely on the cloud provider's internal assertions or self-declared documentation. Instead, the auditor must corroborate critical claims, such as data localisation, infrastructure ownership, or cybersecurity controls, by engaging with external entities.

The term "third parties" in this context is broad and functional. It encompasses any entity outside the direct employment of the cloud provider but integral to the service delivery chain. This includes:

  • Subcontractors: Entities providing technical support, maintenance, or specific service components (as defined in Annex II).
  • Infrastructure Owners: Operators of data centres or colocation facilities where the provider's assets are located.
  • Security Vendors: Third-party firms conducting penetration testing or managing security operations.
  • Legal and Compliance Advisors: External counsel consulted regarding contractual obligations or third-country control issues.

By mandating a list of these entities, Article 20(5)(f) creates a verifiable trail of the audit's scope. It allows the competent authority to assess whether the auditor had sufficient access to independent sources to form a reliable opinion.

Why Third-Party Consultation Matters for Sovereignty

The inclusion of this list serves several critical regulatory purposes within the CADA framework:

  1. Verification of Independence and Scope: By listing who was consulted, the report allows the competent authority to assess whether the auditor had sufficient access to independent sources. If an auditor only consulted entities controlled by the cloud provider, the independence of the opinion may be questioned under the conflict-of-interest rules in Article 20(4). The list demonstrates that the auditor looked beyond the provider's immediate sphere of control.
  2. Transparency of Evidence: The audit opinion (whether "positive" or "negative") must be substantiated by reliable evidence, as required by Article 21. The list of consulted parties provides a transparent trail of evidence, showing that the auditor sought corroboration for critical claims. For example, verifying that data remains exclusively within the Union (a key criterion in Annex II) often requires consulting the data centre operator directly, not just the cloud provider.
  3. Accountability and Traceability: If a service is later found to be non-compliant, the list of consulted third parties helps regulators identify whether the auditor failed to engage with key stakeholders who could have revealed non-compliance. It shifts the burden of proof from a "he said, she said" scenario to a documented record of engagement.

Integration with Other Audit Requirements

The requirement to list third parties works in tandem with other provisions in Article 20 and Annex III.

  • Cooperation Obligations: Article 20(2) requires audited providers to cooperate with auditing organisations and provide access to relevant data and premises. The list in Article 20(5)(f) documents the outcome of this cooperation. It proves that the provider facilitated access to the necessary third parties.
  • Audit Evidence Standards: Article 21 requires that audit evidence be "relevant and sufficient" and "reliable." The consultation of third parties is often the primary method by which an auditor gathers this reliable evidence, particularly for criteria involving subcontractors, infrastructure location, or personnel screening (as detailed in Annex II).
  • Supporting the Opinion: The report must also include a "positive" or "negative" audit opinion (Article 20(5)(g)) and, if negative, operational recommendations (Article 20(5)(h)). The list of consulted parties supports the credibility of this opinion. If the opinion is positive, the list demonstrates that the auditor thoroughly vetted the ecosystem. If negative, it shows that the auditor sought and potentially failed to find sufficient compliance evidence from relevant external sources.

What this means for you

For in-house counsel, compliance officers, and cloud computing service providers, the requirement to document third-party consultations has immediate operational and contractual implications.

1. Contractual Preparedness and Subcontractor Management: Ensure that your master service agreements (MSAs) and subcontractor agreements include explicit clauses that permit third-party audits. Specifically, these contracts must allow auditing organisations to consult with your subcontractors, infrastructure providers, and other third parties. If a subcontractor refuses to engage with the auditor due to a contractual gap, it could prevent the auditor from completing the list required by Article 20(5)(f), jeopardising your entire recognition application. You must proactively identify all subcontractors involved in the provision of the audited service (as defined in Annex II) and inform them of the legal requirement for them to be consulted.

2. Internal Documentation Processes: Your compliance team must work closely with the selected auditing organisation to maintain a real-time log of all third-party interactions during the audit. This is not just about who was interviewed, but also which third-party systems were tested or whose data was reviewed. The auditor will need this information to populate the mandatory list in the final report. Failure to maintain this log could result in an incomplete report, which is a statutory defect.

3. Timeline Management: The recognition process is time-sensitive. Under Article 17(5), the evaluating national competent authority has 60 days to assess the evidence submitted. A report missing the mandatory list under Article 20(5)(f) is non-compliant. The authority may request further information, suspending the 60-day clock, or reject the request entirely. Delays in coordinating with third parties can therefore directly impact your ability to secure recognition within the statutory timeframe.

4. Penalties and Consequences: While CADA does not specify a fixed fine for a missing list in the audit report, the consequences are severe. Under Article 17, the competent authority will reject the application if the evidence is insufficient. A report missing the mandatory list is formally defective. Furthermore, under Article 24, Member States must impose effective, proportionate, and dissuasive penalties for infringements. Providing incorrect or misleading information (including an incomplete audit report that omits required elements) could trigger these penalties. Additionally, recipients of the service have the right to seek compensation for damage suffered due to such infringements.

Common misconceptions

Misconception: Only direct employees need to be audited. Reality: CADA's assurance levels, particularly Levels 2–4, have strict criteria regarding subcontractors and infrastructure location (Annex II). The auditor must verify compliance across the entire service delivery chain. Therefore, third parties (subcontractors, data centre operators, etc.) are essential sources of evidence, and their consultation must be documented.

Misconception: The list of third parties is optional if the audit is positive. Reality: Article 20(5)(f) does not distinguish between positive and negative opinions. The list is a mandatory component of the report structure regardless of the outcome. Omitting it renders the report formally defective and non-compliant with the proposal.

Misconception: Third-party consultation is limited to security vendors. Reality: "Third parties" can include any entity whose involvement is relevant to the audit criteria. This may include legal counsel for contractual verification, infrastructure providers for location verification, or even former employees if relevant to personnel screening requirements (subject to data protection laws). The scope is defined by the need to verify the criteria in Annex II.

This is general information about a draft EU regulation, not legal advice.