Summary
To maintain your Cloud and AI Development Act (CADA) recognition annually for Union assurance levels 2, 3, or 4, you must submit your existing audit report and "positive" audit opinion to an auditing organisation for a yearly review, as proposed in Article 20(8). You also have a continuous, immediate duty under Article 23 to notify your auditor and national competent authority (NCA) of any material changes that could affect your compliance. Failure to undergo this annual review or to report significant changes can lead to the revocation of your recognition and removal from the central repository.
Detail
Under the proposed Cloud and AI Development Act (CADA), obtaining a Union assurance level (Levels 2, 3, or 4) is not a one-time event. It is an ongoing obligation that requires continuous verification and active governance. If you are a cloud computing service provider seeking to maintain your recognition year after year, you must navigate two primary, interlocking mechanisms: the mandatory annual review of your audit evidence and the transparency obligations regarding material changes.
While Level 1 relies on a self-assessment, Levels 2, 3, and 4 require independent third-party audits. Once you have obtained an initial "positive" audit opinion, your compliance journey does not end. The proposal establishes a rigorous cycle of verification to ensure that the sovereignty and security criteria set out in Annex II are met continuously, not just at the point of initial application.
The Annual Review Requirement (Article 20)
For providers seeking recognition at Union assurance levels 2, 3, or 4, independent third-party audits are mandatory. The proposal explicitly mandates a recurring cycle of compliance. Article 20(8) states:
"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."
This provision establishes a strict annual cadence. You must proactively submit your previous year's audit report and positive opinion to an auditing organisation every year. This organisation can be the same entity that performed your initial audit, or you may choose a different one, provided they meet the independence and competence requirements set out in Article 20(4).
The purpose of this annual review is to verify that your cloud computing service continues to meet the cumulative criteria for your specific Union assurance level. The auditing organisation will assess whether your service remains compliant with the evolving operational reality of your business. Based on this review, they have three potential outcomes:
- Confirm: They validate that you remain compliant, effectively renewing your status for the coming year.
- Update: They may require updates to the report if minor adjustments or clarifications are needed to reflect current operations, ensuring the audit evidence remains accurate.
- Revoke: If they find that you no longer comply with the criteria, they will revoke the audit report and opinion. This revocation is not merely an internal administrative step; it triggers a notification to your national competent authority, which can lead to the withdrawal of your CADA recognition.
Crucially, the proposal allows you to switch auditing organisations annually. However, the new auditor must still assess the "continued compliance" of the service. This means you must maintain a complete and accessible audit trail, ensuring that any new auditor can verify your historical and current compliance without obstruction.
Transparency and Material Change Notifications (Article 23)
In addition to the scheduled annual review, CADA imposes a continuous duty of transparency. You cannot wait for the next annual cycle if significant events occur that impact your compliance status. Article 23 outlines these transparency obligations, creating a "duty to report" that operates in real time.
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
A "material change" is a broad concept that could include a change in ownership structure, a shift in data storage locations, the introduction of new subcontractors, or any operational alteration that affects the criteria in Annex II (such as data residency, personnel citizenship, or cybersecurity measures). The threshold is whether the change may affect the audit report or the recognition.
When you notify your auditing organisation of such a change, they must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). If they amend or revoke it, they must notify the national competent authority. Subsequently, the national competent authority will assess whether its original recognition of your service needs to be amended or revoked (Article 23(3)). If the recognition is changed or withdrawn, the authority must notify other Member States' authorities and the Commission.
This creates a rapid-response chain: Provider → Auditor → NCA → Commission and other Member States' authorities. The speed of this chain is critical. The proposal requires notification "as soon as possible," implying that delays could be interpreted as a failure to comply with transparency duties, potentially leading to penalties under Article 24.
The Role of the Central Repository
Your maintained status is publicly visible and subject to scrutiny. Under Article 22, the Commission maintains a central repository of all recognised cloud computing services. If your annual review is successful, your status remains active in this repository.
However, the repository also serves as a public record of non-compliance. If your audit opinion is revoked or your recognition withdrawn, this revocation is published in the central repository and remains available there for five years (Article 22(3)). This public record ensures that public sector bodies and other users can verify your current compliance status in real time. A revocation listed in the repository effectively disqualifies you from being procured by public authorities under Article 30 until the issue is resolved and recognition is restored.
What this means for you
For cloud service providers and data centre operators, maintaining CADA recognition requires embedding compliance into your ongoing operational governance. It is not a "set and forget" certification. The proposal shifts the burden of proof from a single point in time to a continuous state of readiness.
1. Establish an Annual Compliance Calendar: Mark your calendar for the anniversary of your initial audit completion. You must initiate the annual review process with your auditing organisation well before the deadline to avoid gaps in your recognised status. Ensure your internal teams have all necessary documentation ready for the auditor's review, including updated software bills of materials (SBOMs), personnel records, and infrastructure logs.
2. Monitor for Material Changes: Implement internal monitoring systems to detect operational changes that could constitute a "material change" under Article 23. This includes changes in your supply chain, infrastructure location, corporate control, or subcontractor relationships. When such a change occurs, trigger an immediate notification protocol to both your auditor and your national competent authority. Do not assume a change is immaterial; when in doubt, notify. The proposal places the onus on the provider to identify changes that may affect compliance.
3. Prepare for Audit Continuity: Decide early whether you will use the same auditing organisation annually or switch. If you switch, ensure the new auditor has full access to your historical audit data and current operations to perform the review efficiently. Remember that the auditor has the power to revoke your opinion if compliance lapses, so maintaining open communication and transparency is critical. The proposal allows you to choose a different auditor, but the continuity of evidence is your responsibility.
4. Protect Your Public Reputation: Since your status is listed in the central repository, any lapse in annual review or failure to report material changes can lead to a public revocation. This not only affects your ability to contract with public sector bodies but also damages your market reputation. Treat the annual review as a critical business continuity activity. A revocation listed for five years can have long-term commercial consequences.
Common misconceptions
Misconception 1: "I only need an audit when I first apply for recognition." Incorrect. Article 20(8) mandates an annual submission for review. Your initial audit is just the entry ticket; the annual review is the maintenance fee for your recognised status. Without it, your recognition cannot be sustained.
Misconception 2: "I can wait until the next annual audit to report major operational changes." Incorrect. Article 23 requires you to notify your auditor and competent authority "as soon as possible" upon becoming aware of material changes. Waiting for the annual cycle could be seen as a failure to comply with transparency duties, potentially leading to revocation before your next scheduled audit.
Misconception 3: "Union Assurance Level 1 requires annual independent audits." Incorrect. Level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19). While you must still ensure ongoing compliance, the strict annual third-party audit review mechanism in Article 20(8) applies specifically to Levels 2, 3, and 4.
Misconception 4: "Once recognised, my status is secure for the audit period." Incorrect. Recognition is conditional. If your auditor revokes the opinion during the annual review or if a material change leads to a loss of compliance, your national competent authority can revoke your recognition at any time (Article 17(11) and Article 23(3)). The "positive" opinion is valid only as long as the underlying compliance is maintained.
Misconception 5: "I can switch auditors without consequence." While you can switch auditors, the new auditor must still assess the "continued compliance" of the service. If the new auditor finds gaps in your historical data or current operations, they may revoke the opinion. Switching does not reset your compliance clock; it simply changes who verifies it.
Related
- Which National Competent Authority Do I Apply to for CADA Recognition?
- What is the timeline and deadlines for getting CADA recognition?
- CADA Compliance Checklist for Cloud Providers: Steps to Recognition
- What happens if another Member State objects to my CADA recognition?
- What happens after a negative CADA audit opinion?
This is general information about a draft EU regulation, not legal advice.