Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers holding Union assurance level recognition (Levels 1–4) must notify both their auditing organisation and their national competent authority of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect their audit report, positive audit opinion, or recognition status. This obligation, mandated by Article 23(1), triggers a mandatory reassessment cascade: the auditor must first assess whether to amend or revoke the audit opinion, followed by the authority's assessment of the recognition itself. Failure to notify promptly can lead to the revocation of recognition and penalties under Article 24.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic framework for cloud sovereignty. Recognition of a Union assurance level is not a one-time certification; it is a continuous status contingent on the provider meeting the cumulative criteria set out in Annex II. To maintain the integrity of this framework and ensure that the central repository of recognised services remains accurate, the proposal imposes strict transparency obligations on providers to report changes that could undermine their compliance.
The Legal Obligation: Article 23(1)
The core requirement is explicitly set out in Article 23(1) of the proposal. The text states:
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This provision applies specifically to providers recognised under Article 17 for Union assurance levels 2, 3, and 4, where an independent third-party audit and a "positive" audit opinion are prerequisites. While Level 1 relies on a self-assessment and an EU statement of conformity, the principle of maintaining compliance remains, though the specific notification cascade in Article 23 is legally tied to the audit mechanisms of the higher assurance levels.
The phrase "as soon as possible" imposes a high standard of urgency. It does not allow providers to wait for their scheduled annual review (required under Article 20(8)) to report significant developments. The duty is triggered immediately upon the provider's awareness of the change.
Defining "Material Change in Circumstances"
While the proposal does not provide an exhaustive definition of "material change," the context of Annex II and the nature of the sovereignty criteria suggest that any event altering the provider's ability to meet the cumulative criteria is material. Based on the criteria in Annex II, examples of material changes would likely include:
- Infrastructure and Data Localisation: Any relocation of infrastructure, assets, or personnel outside the Union, or a change in data storage locations that violates the exclusivity requirement (Annex II, points 1(b), 2(b), 3(b), 4(b)), unless explicitly authorised by the public sector body.
- Subcontractor Changes: The onboarding of new subcontractors, particularly those established outside the Union, or changes to the scope of work that affect data residency, security, or operational autonomy (Annex II, points 1(d), 2(h), 3(h), 4(h)).
- Control and Ownership: Changes in the ownership structure or control of the provider, such as a third-country entity acquiring a controlling stake. This is critical for Levels 3 and 4, which generally prohibit third-country control unless a specific derogation under Article 18 applies (Annex II, points 3(g), 4(g)).
- Cybersecurity Certification Status: The loss, suspension, or downgrade of the required European cybersecurity certificate (e.g., dropping from "substantial" to "basic" or losing certification entirely), which is a mandatory criterion for Levels 2, 3, and 4 (Annex II, points 2(e), 3(e), 4(e)).
- Software Supply Chain Integrity: The introduction of new dependencies or software components that cannot be audited, or the discovery of remote features that could materially tamper with the service, violating the supply chain measures in Annex II (points 2(i), 3(i), 4(i)).
- Personnel Status: For Levels 3 and 4, changes affecting the Union citizenship or security clearance status of personnel involved in service provision (Annex II, points 3(d), 4(d)).
The Reassessment Cascade
Notification under Article 23(1) is the trigger for a structured, multi-step reassessment process designed to verify continued compliance. This cascade ensures that the recognition status is updated promptly and consistently across the Union.
- Auditor's Assessment (Article 23(2)): Upon receiving the notification, the auditing organisation must immediately assess whether the audit report or the "positive" audit opinion needs to be amended or revoked. The auditor evaluates the material change against the audit criteria in Annex II. If the change means the provider no longer complies, the auditor must revoke or amend the opinion.
- Notification to the Authority: If the auditing organisation decides to amend or revoke the audit report or opinion, it is legally required to "as soon as possible, notify the national competent authority of establishment." This step ensures the authority is informed of the technical failure of the audit basis.
- Authority's Assessment (Article 23(3)): Based on the notification from the provider (under Article 23(1)) or the auditor (under Article 23(2)), the national competent authority of establishment must assess whether its recognition of the cloud computing service needs to be amended or revoked. The authority determines whether the provider still meets the criteria for the specific Union assurance level.
- Cross-Border Notification and Repository Update: If the national competent authority amends or revokes the recognition, it must "as soon as possible, notify the national competent authorities of the other Member States and the Commission." This ensures that the change is reflected in the central repository established under Article 22, which must be publicly available and regularly updated. This step is crucial for maintaining a single market view of sovereign services.
Consequences of Non-Compliance
Failure to notify a material change "as soon as possible" is a serious breach of the proposal. Article 17(11) explicitly empowers the evaluating national competent authority to revoke recognition where a provider "intentionally or negligently, supplied incorrect or misleading information." A failure to report a material change could be construed as supplying misleading information by omission.
Furthermore, Article 24 mandates that Member States lay down rules on penalties for infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive." While the proposal does not set fixed fine amounts (unlike the AI Act), the reputational damage of having a recognition revoked and published in the central repository could be severe for a provider seeking public sector contracts.
What this means for you
For cloud service providers and data centre operators holding or seeking CADA recognition, this requirement calls for robust internal monitoring and incident reporting mechanisms. You cannot rely on annual audits to catch compliance drift between reviews.
- Define Internal Triggers: Establish a clear internal definition of "material change" that aligns with Annex II. This should cover technical changes (e.g., infrastructure migration, software updates), legal changes (e.g., M&A, new subcontractors), and security incidents.
- Integrate into Incident Response: Update your incident response and change management protocols to include a specific CADA notification step. Ensure that your legal, compliance, and security teams are alerted immediately when a potential material change occurs.
- Maintain Open Communication: Build a relationship of transparency with your auditing organisation. Proactive communication can help manage the reassessment process and demonstrate good faith compliance, potentially mitigating the risk of revocation.
- Document the Process: Keep detailed records of the change, the date and content of the notification sent to the auditor and the national competent authority, and the subsequent assessments. This documentation is your primary defence if your recognition is challenged.
- Prepare for Reassessment: Be ready to provide additional evidence to the auditor and authority to support the reassessment. This may include updated software bills of materials (SBOM), new subcontractor agreements, revised data flow diagrams, or proof of personnel citizenship.
Common misconceptions
"I only need to report changes during my annual audit." Reality: This is incorrect. Article 23(1) requires notification "as soon as possible" upon becoming aware of a material change. Waiting for the annual review under Article 20(8) is a violation of the transparency obligation and could lead to penalties or revocation.
"I only need to notify the national competent authority." Reality: Article 23(1) explicitly requires notification to both the auditing organisation and the national competent authority of establishment. The auditor plays a critical role in the initial reassessment of the audit report and opinion; skipping them breaks the cascade.
"Small changes don't need to be reported." Reality: The term "material change" is broad and interpreted in the context of the criteria. Any change that may affect the audit report, opinion, or recognition should be reported. It is safer to err on the side of caution and notify, allowing the auditor and authority to determine if the change is indeed material.
"This only applies to Level 4 providers." Reality: Article 23 applies to providers recognised under Article 17, which covers Levels 2, 3, and 4. While Level 1 providers use a self-assessment, the broader principle of maintaining compliance applies, though the specific audit-based cascade is designed for the higher levels where independent verification is mandatory.
This is general information about a draft EU regulation, not legal advice.