Summary

As proposed, the Cloud and AI Development Act (CADA) builds its cloud sovereignty framework on independent audits for Union assurance levels 2, 3 and 4. Four definitions in Article 2 do the work: the auditing organisation (2(17)), the audited service (2(18)), the audit criteria (2(19)) and the audit evidence (2(20)). They form a chain: an independent body assesses a specific cloud service against the criteria in Annex II, using evidence listed in Annex III, and issues a "positive" or "negative" audit opinion. A positive opinion then lets a national competent authority grant recognition that is valid across the Union.

Detail

To see how CADA's audit mechanism works, start with the definitions in Article 2. The proposal does not use loose terminology; it defines a closed loop linking the auditor, the service, the rules and the proof.

The four definitions (Article 2(17)–(20))

  1. Auditing organisation (Article 2(17)): "an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit." The provider selects the auditor, but the auditor must satisfy strict independence rules (Article 20(4)).
  2. Audited service (Article 2(18)): "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion." This narrows the audit to the specific service seeking recognition, not the provider's whole portfolio.
  3. Audit criteria (Article 2(19)): "the criteria, pursuant to Annex II to this Regulation, against which the auditing organisation assesses whether the audited provider and its audited service comply with each cumulative criterion to be met for it to be recognised as offering Union assurance levels 2, 3, or 4." This ties the audit to the Annex II requirements — and, by its own wording, to levels 2, 3 and 4 only.
  4. Audit evidence (Article 2(20)): "any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed."

How the definitions combine: the audit workflow

These definitions form a procedural chain.

1. Mandate and scope (Article 2(17) and 2(18))

A provider contracts an auditing organisation to examine a specific audited service. Level 1 relies instead on a conformity self-assessment (Article 19); levels 2, 3 and 4 require this external audit (Article 20(1)). The provider chooses the auditor, but that choice is constrained by Article 20(4), which requires independence — in particular, the auditor must not have provided related non-audit services to the provider in the 12 months before the audit (and must commit not to for 12 months after), and must not have provided auditing services under that Article to the provider in the preceding 10 years.

2. The benchmark (Article 2(19) and Annex II)

The auditor measures the audited service against the audit criteria — the cumulative requirements in Annex II.

  • Level 2 requires, among other things, that infrastructure, assets and personnel are located in the Union, and that the service obtains a European cybersecurity certificate of at least "substantial" assurance level (once such a scheme exists).
  • Level 3 adds requirements such as Union citizenship for personnel, support performed exclusively within the Union, and that the provider and its subcontractors are not subject to third-country control.
  • Level 4 is stricter still, including a cybersecurity certificate of "high" assurance level and an absence of any derogation from the no-third-country-control criterion.

The auditor assesses each cumulative criterion. Under Article 20(1), a provider seeking a higher level must satisfy all the criteria of the lower levels, and failure to meet any lower-level requirement precludes conformity with the higher levels.

3. The proof (Article 2(20) and Annex III)

To reach a conclusion, the auditor gathers audit evidence, governed by Article 21 and Annex III.

  • Article 21(2) requires evidence to be "relevant and sufficient" and "reliable, according to the auditing organisation's professional judgment and scepticism."
  • Annex III sets out, per criterion, the evidence the provider must supply. For the no-third-country-control criterion, for instance, this includes ownership graphs, shareholders' agreements, corporate-governance documents and details of commercial and financial links — covering, for legal persons, any shareholder holding at least 5% of the capital or voting rights.

4. The output: the audit opinion (Article 20(5))

The auditor prepares an audit report containing a "positive" or "negative" audit opinion. Where the opinion is negative, the report must include operational recommendations and a timeframe to achieve compliance. Where the auditor cannot audit certain aspects, the report must explain why (Article 20(6)).

5. From opinion to recognition (Article 17)

The opinion is not the final step. Under Article 17, the provider submits the audit report and the positive opinion to the national competent authority of establishment, which assesses the evidence and, if satisfied, prepares a recognition decision subject to a review period by the other Member States' authorities. Once recognised, the service is entered in the central repository (Article 22) and may be procured by public-sector buyers requiring that assurance level (Article 30).

What this means for you

For providers pursuing Union assurance levels 2, 3 or 4, the interplay of these definitions sets a high bar for documentation and transparency.

  1. Prepare for deep-dive audits: Because audit evidence must be relevant, sufficient and reliable, you must keep granular records — for example, verifiable evidence that personnel are Union citizens where levels 3 and 4 require it.
  2. Select auditors carefully: You contract the auditing organisation, but it must meet Article 20(4) independence rules. Engaging an auditor that has recently provided you related non-audit services would disqualify the audit.
  3. Define the audited service precisely: Your audited service must be clearly delineated; you must show that the specific infrastructure serving it meets the audit criteria in Annex II.
  4. Plan for annual review: Under Article 20(8), the audit report and positive opinion must be submitted annually for review, so your evidence-generation processes must be repeatable.

Common misconceptions

  • "The auditor chooses the criteria." No. The audit criteria are fixed in Annex II and referenced in Article 2(19); the auditor assesses compliance against them.
  • "A positive opinion guarantees recognition." Not automatically. The auditing organisation issues the opinion, but a national competent authority grants recognition under Article 17, and may request further information or reject the application if the evidence is insufficient.
  • "Level 1 requires an audit." No. Article 2(19) limits the audit criteria to levels 2, 3 and 4. Level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19).
  • "Audit evidence is only technical." No. Article 2(20) expressly includes documents and interviews. For sovereignty, this includes legal documents such as shareholders' agreements and corporate bylaws to assess third-country control.

This is general information about a draft EU regulation, not legal advice.