Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers (CSPs) recognised at Union assurance levels 1–4 face a strict, continuous transparency duty. Article 23 mandates that providers must notify their auditing organisation and the national competent authority (NCA) of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that could affect their audit report, audit opinion, or recognition status. This triggers a mandatory cascade: the auditor must reassess and potentially amend or revoke the opinion, which in turn forces the NCA to reassess and potentially amend or revoke the Union-wide recognition, with immediate notification to all other Member States and the Commission.
Detail
The CADA proposal (COM(2026) 502 final) establishes a dynamic sovereignty framework in which recognition is not a static certificate but a continuous state of compliance. While Article 16 sets the four Union assurance levels and Article 17 establishes the recognition mechanism, Article 23 provides the critical "safety valve" to ensure that recognition remains accurate in real time.
The Core Duty: Immediate Notification
Article 23(1) imposes a proactive obligation on recognised providers. The duty is triggered not by a scheduled audit, but by the provider's own awareness of a change. The text states:
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This creates a dual-notification requirement. The provider cannot simply inform the auditor and assume the NCA will be updated later; both entities must be notified simultaneously and immediately. The phrase "as soon as possible" is legally significant, implying a duty of urgency that precludes waiting for internal reviews to conclude or for the next annual cycle.
The Cascade of Reassessment
The notification under Article 23(1) initiates a rigid, two-stage reassessment cascade designed to protect the integrity of the Union assurance framework across the single market.
Stage 1: The Auditor's Reassessment
Once the auditing organisation receives the notification, Article 23(2) requires it to act immediately:
"On the basis of the notification under paragraph 1, the auditing organisation shall assess whether the audit report or the audit opinion need to be amended or revoked."
If the auditor determines that the material change invalidates the previous findings, they must:
- Amend or revoke the audit report or the "positive" audit opinion.
- Notify the NCA of establishment "as soon as possible" of this change.
This step is critical because the NCA's recognition is legally dependent on the auditor's opinion. If the opinion is revoked, the basis for recognition collapses.
Stage 2: The NCA's Reassessment and Cross-Border Notification
The NCA of establishment then faces its own mandatory assessment under Article 23(3). This assessment is triggered by either the provider's direct notification or the auditor's subsequent notification:
"On the basis of the notification referred to in paragraph 1 or 2, the national competent authority of establishment shall assess whether its recognition needs to be amended or revoked."
If the NCA concludes that the recognition must be amended or revoked, the consequences are immediate and Union-wide. Article 23(3) mandates:
"Where the national competent authority of establishment amends or revokes its recognition of the cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission."
This ensures that a loss of status in one Member State (e.g., Germany) is instantly communicated to all others (e.g., France, Italy) and the Commission, preventing a provider from continuing to market a service as "Union-assured" in other jurisdictions while its status is under review or revoked in its country of establishment.
Defining "Material Change" in Practice
While Article 23 does not provide an exhaustive list of what constitutes a "material change," the criteria in Annex II (Union Assurance Levels) provide the definitive benchmark. A change is material if it impacts the cumulative criteria for the specific assurance level held.
Common triggers for Article 23 notifications include:
- Change in Control (Levels 2–4): If a third country or a legal entity established in a third country acquires control over the provider or its subcontractors, this directly impacts Annex II, Sections 2.1(g), 3.1(g), and 4.1(g). Even if the provider believes safeguards are in place, the mere change in control structure is a material fact requiring immediate notification.
- Infrastructure or Personnel Relocation: Moving data centres, assets, or key personnel outside the Union breaches the localisation requirements for all levels (Annex II, Sections 1.1(b), 2.1(b), 3.1(b), 4.1(b)). For Levels 3 and 4, the requirement for Union citizen personnel (Annex II, Sections 3.1(d), 4.1(d)) is particularly sensitive; any change in the nationality or clearance status of operational staff is material.
- Data Flow Alterations: Any change in how customer data (including metadata and telemetry) is processed, stored, or transferred, particularly if data begins to leave the Union without explicit public sector body approval, violates Annex II, Sections 1.1(c), 2.1(c), 3.1(c), and 4.1(c).
- Subcontractor Changes: Onboarding new subcontractors, especially those outside the Union or subject to third-country control, affects the transparency and due diligence requirements (Annex II, Sections 1.1(f), 2.1(i), 3.1(i), 4.1(i)).
- Cybersecurity Certification Status: For Levels 2, 3, and 4, the service must hold a European cybersecurity certificate of at least "substantial" (Levels 2/3) or "high" (Level 4) assurance (Annex II, Sections 2.1(e), 3.1(e), 4.1(e)). The loss, suspension, or downgrade of this certificate is a definitive material change.
Timing and the "As Soon As Possible" Standard
The regulation's use of "as soon as possible" sets a high bar for compliance. In the context of cloud sovereignty and public order, delays are not merely administrative errors; they are potential infringements.
Article 24 empowers Member States to lay down penalties for infringements of the sovereignty chapter, requiring them to be "effective, proportionate and dissuasive." Failure to notify a material change promptly could be interpreted as a failure to cooperate with the framework, potentially leading to:
- Revocation of Recognition: The NCA may revoke the status retroactively if the delay prevented timely intervention.
- Financial Penalties: Member States may impose fines based on the nature, gravity, and duration of the infringement, including the financial benefits gained by the provider due to the delay.
- Compensation Liability: Under Article 24(3), recipients of the service have the right to seek compensation for damage suffered due to an infringement, which could include a provider failing to disclose a material risk.
What this means for you
For cloud service providers operating under the proposed CADA framework, transparency is not a passive reporting duty but an active governance requirement.
- Implement Real-Time Monitoring: You cannot rely on annual audits to catch material changes. You must establish internal monitoring systems that track your corporate structure, data flows, infrastructure locations, and subcontractor status against Annex II criteria in real time.
- Define "Material" Internally: Create an internal policy that explicitly defines what triggers an Article 23 notification. When in doubt, treat a change as material. It is safer to over-notify and have the auditor deem it non-material than to under-notify and face revocation.
- Dual-Channel Notification Protocols: Ensure your legal and compliance teams have pre-approved templates and direct contact channels for both the auditing organisation and the NCA of establishment. The notification must be sent to both simultaneously.
- Document the Timeline: Maintain a precise log of when a change was discovered, when the internal decision to notify was made, and the exact timestamp of the notification sent. This evidence is crucial for demonstrating compliance with the "as soon as possible" standard if your actions are later scrutinised.
- Prepare for Business Continuity: Understand that a notification may lead to a temporary suspension of your "recognised" status while the reassessment occurs. Have contingency plans to inform public sector clients and manage service continuity if your recognition is amended or revoked.
Common misconceptions
"I only need to notify if I fail an audit." Incorrect. Article 23 applies to any material change that may affect the audit opinion or recognition, regardless of whether a formal audit is currently underway. The duty is triggered by the change itself, not by an audit finding.
"I can wait until my next annual audit to report changes." Incorrect. The obligation is to notify "as soon as possible." Waiting for the annual review cycle (under Article 20(8)) creates a period of non-compliance where the provider is operating under a status that is no longer accurate. This delay could be grounds for revocation and penalties.
"Only the auditor needs to know." Incorrect. You must notify both the auditing organisation and the national competent authority of establishment. The NCA holds the ultimate power to revoke recognition and relies on your direct notification to initiate its own assessment.
"Minor operational tweaks don't count." Caution is advised. Changes that seem minor internally (e.g., shifting a backup server to a new data centre, or a change in a subcontractor's ownership structure) may be material if that data centre is outside the Union or if the new owner is subject to third-country control. Always assess changes against the specific criteria of your assurance level in Annex II.
This is general information about a draft EU regulation, not legal advice.