Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance levels 2, 3 or 4 must undergo an independent third-party audit. You retain the freedom to select your auditing organisation, but that choice is bounded by the independence, conflict-of-interest and competence requirements in Article 20(4) of the proposal. In particular, you must avoid auditors that have provided non-audit services related to the matters audited in the preceding 12 months, that have performed an Article 20 audit for you in the last 10 years, or that charge fees contingent on the result of the audit.

Detail

The CADA proposal establishes a rigorous framework for verifying the sovereignty and security of cloud computing services through a system of "Union assurance levels." While Union assurance level 1 relies on a self-assessment and an EU statement of conformity (Article 19), levels 2, 3, and 4 require a formal, independent third-party audit to obtain a "positive" audit opinion (Article 20(1)).

A critical feature of this regime is provider autonomy in selecting the auditor. Article 20(2) of the CADA proposal explicitly states that audited providers "shall be free to select the auditing organisation of their choice." However, this freedom is heavily conditional. The chosen organisation must demonstrate strict independence, technical competence, and adherence to professional ethics as defined in Article 20(4). Failure to select an organisation that meets these statutory criteria will render the audit invalid, preventing recognition at the higher assurance levels.

Independence and Conflict-of-Interest Rules

The core of the selection process revolves around ensuring the auditing organisation is free from conflicts of interest that could compromise the integrity of the audit. Article 20(4)(a) lays out specific, non-negotiable temporal and financial barriers designed to prevent familiarity bias and financial coercion.

1. The 12-Month Non-Audit Service Bar

An auditing organisation must not have provided any non-audit services related to the matters being audited to the cloud service provider (or any connected legal person) in the 12 months preceding the audit. Furthermore, the organisation must commit to not providing such services in the 12 months following the completion of the audit.

  • Source: Article 20(4)(a)(i).
  • Implication: This "cooling-off" period prevents auditors from having a financial incentive to overlook issues in hopes of securing future consulting, remediation, or advisory contracts. It ensures the auditor's judgment is not influenced by past or future business relationships.

2. The 10-Year Audit Rotation Rule

To prevent overly close relationships between a provider and an auditor, an organisation must not have provided auditing services pursuant to Article 20 to the same provider (or connected legal person) in the 10 years prior to the beginning of the current audit.

  • Source: Article 20(4)(a)(ii).
  • Implication: This mandatory rotation ensures fresh perspectives and reduces the risk of familiarity bias. It effectively limits the tenure of any single auditing organisation for a specific provider to a maximum of one audit cycle within a decade, requiring a break before re-engagement.

3. Ban on Contingent Fees

Article 20(4)(a)(iii) explicitly prohibits auditing organisations from performing audits in return for fees that are contingent on the result of the audit.

  • Source: Article 20(4)(a)(iii).
  • Implication: Fees may be fixed, hourly or effort-based, but they must never depend on the outcome (for example, on passing the audit or on reaching a particular assurance level). This removes any financial motivation for the auditor to issue a "positive" opinion in order to secure payment.

Required Expertise and Professional Ethics

Beyond independence, the auditing organisation must possess the specific capability to audit cloud computing services against the criteria that CADA sets for the Union assurance levels.

Proven Expertise and Competence

Article 20(4)(b) requires the organisation to have "proven expertise, technical competence and capabilities in auditing cloud computing services." This is not a generic IT audit; the auditor must understand the specific criteria for Union assurance levels set out in Annex II, which include:

  • Data localisation and exclusivity within the Union.
  • Personnel citizenship and security clearance requirements.
  • Software supply chain transparency (including SBOMs).
  • Absence of third-country control or restrictive measures.

Objectivity and Professional Ethics

Article 20(4)(c) mandates "proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards."

  • Source: Article 20(4)(c).
  • Recital 55 Context: The recitals of the proposal reinforce this, noting that auditing organisations must comply with core independence requirements, including firm rotation and non-contingent fees. Recital 55 goes further: "If their independence or technical competence of auditing organisations is not beyond doubt, they should abstain or resign from the audit engagement." This places a proactive duty on the auditor to assess its own eligibility before accepting the engagement, and to step down if that eligibility is later called into doubt.

Cooperation, Access, and Confidentiality

While you choose the auditor, you must facilitate their work. Article 20(2) requires providers to cooperate fully, giving the auditor access to all relevant data and premises and answering oral or written questions. Providers must refrain from "hampering, unduly influencing or undermining the performance of the audit."

Conversely, the auditor has a strict duty of confidentiality. Article 20(3) requires auditing organisations to ensure an adequate level of confidentiality and professional secrecy regarding information obtained, including trade secrets, even after the audit concludes. However, this duty "shall not adversely affect the performance of the audits": confidentiality protects the provider's information, but it cannot be invoked to narrow the scope of the audit or to soften its findings.

What this means for you

For cloud service providers aiming for Union assurance levels 2, 3 or 4, the selection of an auditing organisation is a strategic compliance step, not merely an administrative one. You cannot simply hire your current IT consultant, your long-standing cybersecurity partner, or a firm that has recently advised you on cloud architecture.

Actionable steps for selection:

  1. Conduct a 10-Year History Check: Before engaging an auditor, conduct rigorous due diligence to confirm they have not performed a CADA Article 20 audit for your entity (or any connected legal person) within the last decade. If they have, you must wait out the remainder of the 10-year period or choose a different firm. This applies even if the previous audit was for a different assurance level.
  2. Audit the "Cooling-Off" Period: Review all contracts with potential auditors from the past 12 months. If they have provided consulting, remediation, security testing, or advisory services related to the matters to be audited, they are disqualified. You must also ensure they contractually commit to not providing such services for 12 months after the audit completion.
  3. Verify Technical Competence: Ensure the firm has specific experience in auditing cloud computing services against sovereignty criteria. General ISO 27001 or SOC 2 audit experience on its own is unlikely to satisfy Article 20(4)(b). The firm must be able to verify the criteria in Annex II, such as tracing the software supply chain for third-country control and checking personnel citizenship and clearance requirements.
  4. Scrutinise Fee Structures: Explicitly confirm in writing that the audit fee is not contingent on the result. Any clause linking payment to a "positive" opinion or specific assurance level is a direct violation of Article 20(4)(a)(iii).
  5. Prepare for Deep Access: Select an organisation that has the resources and protocols to handle the extensive data access required by Article 20(2), while also demonstrating robust confidentiality measures for your trade secrets. The auditor will need access to premises, data, and personnel to verify compliance.

Failure to select a compliant auditor will result in an invalid audit opinion. Without a "positive" audit opinion, you cannot be recognised at Union assurance levels 2, 3, or 4, effectively barring you from serving public sector clients in critical domains such as law enforcement, defence, or national security.

Common misconceptions

Misconception 1: "I can use any accredited IT auditor." Not necessarily. While general IT audit experience is helpful, CADA requires specific "proven expertise... in auditing cloud computing services" (Article 20(4)(b)). The audit criteria are highly specific to sovereignty, data localisation, and third-country control, which go beyond standard cybersecurity certifications. An auditor must be able to assess legal and operational autonomy, not just technical security.

Misconception 2: "The 12-month bar only applies to consulting." It applies to "non-audit services related to the matters audited." This is broader than just consulting; it could include remediation work, security testing, or advisory services that overlap with the scope of the CADA audit. If the service relates to the matters being audited, the bar applies.

Misconception 3: "I can keep the same auditor indefinitely as long as they are independent." No. The 10-year bar on prior auditing services (Article 20(4)(a)(ii)) forces rotation. Once an organisation has audited you under Article 20, it cannot audit you (or a connected legal person) again until 10 years have passed since that audit began. This is a hard statutory limit designed to prevent long-term familiarity.

Misconception 4: "The auditor must be EU-based." The proposal does not explicitly state that the auditor must be established in the EU. Article 20(4) sets competence and independence criteria but does not mandate the auditor's place of establishment (unlike the provider, which must be established in the Union under Annex II). However, the auditor must be able to access premises and data, which may impose practical constraints, and it must meet the same independence rules regardless of where it is located.

Misconception 5: "Confidentiality means the auditor can hide findings." No. While Article 20(3) protects trade secrets, it explicitly states that this requirement "shall not adversely affect the performance of the audits." Confidentiality governs how the auditor handles your information; it does not allow the auditor to restrict the audit's scope or to suppress evidence of non-compliance.

This is general information about a draft EU regulation, not legal advice.