Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers must maintain all audit evidence and documentation required for their Union assurance level in a state of immediate readiness for inspection. Article 26 grants national competent authorities broad investigative powers, including the right to request information "as soon as possible," inspect premises, and seize records in any form. Article 21 mandates that this evidence must be "relevant, sufficient, and reliable." To remain compliant, providers must retain the specific evidence lists in Annex III continuously, ensuring they can demonstrate ongoing adherence to their assurance level criteria at any moment, not just during the initial audit. Failure to cooperate or produce evidence promptly can lead to enforcement actions, including fines and withdrawal of recognition.

Detail

The proposed CADA establishes a dynamic sovereignty framework where cloud computing service providers must prove their compliance with specific "Union assurance levels" (levels 1–4) to serve public sector bodies. This proof is not a static, one-time submission but an ongoing, continuous obligation. The regulatory burden falls heavily on the provider to maintain this readiness, as the competent authorities of establishment hold exclusive enforcement powers under Article 25.

The Standard for Evidence: Article 21

Article 21 of the CADA proposal sets the definitive standard for the quality and nature of evidence that must be available for inspection. It explicitly states that audit evidence shall be:

  1. Relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion.
  2. Reliable, according to the auditing organisation's professional judgment and scepticism.

This article implies that evidence cannot be ad-hoc, retroactively assembled, or incomplete during an inspection. It must be part of a structured, ongoing evidence-gathering process defined by the audit criteria in Annex II and the specific evidence list in Annex III. If a provider cannot produce evidence that meets these standards during an inspection, it risks having its audit report revoked or its recognition withdrawn. The requirement for "reliability" means that data must be accurate, verifiable, and consistent with the provider's actual operations at the time of the inspection.

Investigative Powers of Competent Authorities: Article 26

Article 26 outlines the specific investigative powers that national competent authorities may exercise to verify compliance. Providers must be prepared to respond to these powers immediately. The text of Article 26(1) grants three distinct powers:

  • Request for Information: Under Article 26(1)(a), authorities can require any cloud service provider, as well as any other persons acting for purposes related to their trade, business, craft or profession (including auditing organisations), to provide information relating to a suspected infringement "as soon as possible."
  • On-Site Inspections: Article 26(1)(b) grants the power to carry out, or request a judicial authority to order, inspections of any premises used for trade or business. Authorities can examine, seize, take, or obtain copies of information relating to a suspected infringement "in any form, irrespective of the storage medium."
  • Interviews and Recordings: Article 26(1)(c) allows authorities to ask any member of staff or representative for explanations regarding suspected infringements and, "with their consent," to record their answers by any technical means.

These powers are reinforced by Article 26(2), which grants enforcement powers, including the ability to order the cessation of infringements and impose fines for failure to comply with investigative orders. The "as soon as possible" requirement in Article 26(1)(a) is critical; delays in retrieving evidence can be interpreted as non-cooperation or an inability to maintain compliance, potentially triggering penalties under Article 24.

Retaining Annex III Evidence and Audit Records

Annex III of the CADA proposal details the specific audit evidence required for each criterion of the Union assurance levels. Providers must retain these records continuously. Key categories include:

  • Criterion A (Union Establishment): Evidence of incorporation, registered office location, physical offices, payroll records, and banking functions exclusively within the Union.
  • Criterion B (Location of Infrastructure): Asset registers, lease agreements, network diagrams, and precise location details of all infrastructure, including backup and disaster recovery sites.
  • Criterion C (Data Localisation): Data flow diagrams, access logs, support access policies, and contractual agreements demonstrating that customer data remains exclusively within the Union.
  • Criterion G (Absence of Third-Country Control): Detailed ownership structures, cap tables, shareholder agreements, and evidence of legal and technical separation from third-country entities.
  • Criterion I (Software Supply Chain): Complete and up-to-date Software Bills of Materials (SBOM), dependency lists, and evidence of source code audits for third-country components.

Providers must retain these records for the duration of their recognition. The evidence must be current; for example, a data flow diagram from two years ago may not reflect current compliance if new subcontractors or data processing activities have been introduced. Article 23 further requires providers to notify authorities of any "material change in circumstances" that may affect the audit report, necessitating an immediate update of the relevant evidence files.

Cooperating with Investigative Powers

Cooperation is not optional. Article 26(2) outlines enforcement powers, including the ability to impose fines for failure to comply with investigative orders. Providers must have internal protocols that ensure:

  1. Immediate Response: Designated points of contact who can respond to information requests without undue delay, adhering to the "as soon as possible" standard.
  2. Access Facilitation: Technical and physical access to premises and data stores for inspectors, including the ability to seize or copy information in any form.
  3. Preservation of Evidence: Ensuring that no evidence is deleted, altered, or destroyed during an investigation.
  4. Staff Training: Employees must be trained to recognise official requests and know how to escalate them to legal and compliance teams without obstructing the investigation.

What this means for you

For cloud service providers and data centre operators, "keeping evidence ready" means moving from a reactive compliance model to a proactive, continuous monitoring system.

  1. Centralise Evidence Storage: Create a secure, centralised repository for all Annex III evidence. This should include real-time dashboards for data localisation, up-to-date asset registers, and live access logs. Ensure this repository is accessible to auditors and authorities.
  2. Regular Internal Audits: Conduct internal audits that mirror the external audit process. Test your ability to retrieve specific pieces of evidence (e.g., a specific data flow diagram or a shareholder agreement) within hours, not days.
  3. Update Processes: Ensure that any change in infrastructure, subcontracting, or ownership triggers an immediate update to the relevant evidence files. Stale evidence is non-compliant evidence.
  4. Prepare for On-Site Inspections: Designate secure areas for inspectors and ensure that IT systems allow for the rapid extraction of logs and configuration data. Train staff on how to interact with inspectors professionally and legally, noting that Article 26(1)(c) allows for recorded interviews.
  5. Legal Review of Contracts: Ensure all subcontractor agreements and data processing agreements are readily accessible and explicitly demonstrate compliance with Union assurance level criteria, particularly regarding data localisation and third-country control.

Common misconceptions

  • "Once certified, I am compliant." CADA recognition is not a static badge. Providers must continuously meet the criteria. If your infrastructure changes, your evidence must change. Competent authorities can inspect at any time if there is a suspicion of non-compliance.
  • "I only need to keep evidence for the initial audit." Article 21 requires evidence to be relevant and sufficient for the audit opinion. Since the audit opinion must be reviewed annually (Article 20(8)), evidence must be current and maintained throughout the year, not just at the time of the initial assessment.
  • "Digital logs are enough." Article 26(1)(b) allows for inspections of premises and seizure of information in any form. This includes physical documents, hardware configurations, and even verbal explanations from staff. Ensure all forms of evidence are preserved and accessible.
  • "I can delay providing information to consult my lawyers." While legal advice is prudent, Article 26(1)(a) requires information to be provided "as soon as possible." Excessive delay can be seen as obstruction. Have a pre-approved protocol for handling such requests to balance legal rights with regulatory obligations.

This is general information about a draft EU regulation, not legal advice.