Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance levels 2, 3, or 4 must undergo independent third-party audits. Article 21 mandates that the evidence submitted to prove compliance with Annex II criteria must be "relevant and sufficient" to enable an audit opinion and "reliable" according to the auditor's "professional judgement and scepticism." Annex III provides an indicative but detailed checklist of required evidence, ranging from precise infrastructure location logs to granular personnel citizenship records. Providers must move beyond generic compliance statements to prepare a structured, verifiable audit trail that withstands rigorous testing.
Detail
The CADA proposal establishes a rigorous sovereignty framework where recognition at Union assurance levels 2, 3, or 4 is contingent upon an independent audit. Unlike Level 1, which relies on self-assessment, higher levels require a "positive" audit opinion from an auditing organisation. The quality and nature of the evidence supporting this opinion are governed strictly by Article 21 of the proposal.
The Legal Standard: Article 21 and the Quality of Evidence
Article 21(1) establishes the foundational rule: auditing organisations must assess compliance with the criteria in Annex II based on the audit evidence listed in Annex III. Crucially, the text clarifies that Annex III is "indicative and does not limit the evidence that may be requested." Auditors retain the discretion to seek "any additional information necessary to ensure a comprehensive and accurate assessment."
The core quality standards for this evidence are explicitly defined in Article 21(2):
- Relevance and Sufficiency: The evidence must be "relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion." It must cover the specific criteria applicable to the requested assurance level without gaps.
- Reliability: The evidence must be "reliable, according to the auditing organisation's professional judgement and scepticism."
This legal standard implies that the burden of proof is high. Evidence cannot be merely declarative; it must be corroborated by objective data. For instance, a provider cannot simply state that data remains in the Union; it must provide technical logs, contractual clauses, and architectural diagrams that prove this fact. The auditor's "professional judgement and scepticism" means they will actively test the validity of the evidence, looking for inconsistencies, missing links, or potential workarounds.
Mapping Evidence to Annex III Criteria
Annex III serves as the practical blueprint for evidence collection. It breaks down the sovereignty criteria into specific evidentiary requirements. Providers should structure their evidence repositories to align with these categories. Below is a detailed breakdown of the evidence required for each major criterion.
1. Union Establishment (Criterion A)
To prove the provider is established in the Union, Annex III requires:
- Legal Incorporation: National company extracts, tax residency documentation, and business licences.
- Registry Verification: Proof of registration in the Business Registers Interconnected System (BRIS) and the VAT Information Exchange System (VIES).
- Effective Presence: Lease contracts, utility bills, or property documents for physical EU offices.
- Operational Stability: Employment contracts, payroll records, and timesheets proving permanent staff are located in the Union.
- Financial Control: Financial statements and statutory audit reports demonstrating that banking and accounting functions are exclusively in the Union.
2. Location of Infrastructure, Assets, and Personnel (Criterion B)
Providers must demonstrate that all elements involved in service provision are physically located in the Union.
- Infrastructure: A list with precise details (number, street, city, postal code, country) of all infrastructure, including primary, backup, disaster recovery, and log storage locations. Network diagrams illustrating exclusive use of Union-based infrastructure. Lease agreements and facility access logs.
- Assets: Asset registers identifying servers and equipment. Purchase invoices, delivery notes, and licence agreements proving hardware location. Deployment records and configuration reports.
- Personnel: Employment contracts, payroll records, and timesheets for all personnel with operational responsibilities. Organisational charts showing Union-based staff with operational control.
3. Data Localisation (Criterion C)
Evidence must prove that customer data (including metadata and telemetry) remains exclusively within the Union.
- Access Controls: Access logs, support access policies, and privileged access records showing no external access.
- Data Flows: Data flow diagrams clearly identifying the source and destination of data, demonstrating that data does not leave the Union.
- Contractual Guarantees: Master service agreements and data processing agreements containing explicit data boundary clauses. Contracts with subcontractors demonstrating compliance with GDPR and data residency.
- Monitoring: Logs and monitoring records proving all data is stored and processed exclusively within the Union.
4. Union Citizenship (Criterion D)
For higher assurance levels, personnel involved in the service must be Union citizens.
- Identity Proof: Valid official government-issued documents (e.g., passports, national identity cards) for relevant personnel.
- Access Control: Organisational charts and job descriptions confirming that only Union citizens have access to operations.
- Audit Trails: Access control policies and audit trails showing that only authorised Union citizens can access systems.
- Verification Procedures: Documentation describing how citizenship is verified before assignment and maintained throughout employment.
5. European Cybersecurity Certification (Criterion E)
- Valid Certificate: A valid European cybersecurity certificate issued by a competent conformity assessment body, demonstrating compliance with 'basic', 'substantial', or 'high' assurance levels (as applicable).
- Certification Report: A report describing the main components used for the service.
- Interim Measures: If the Union scheme is not yet established, valid national cybersecurity certificates or evidence of adherence to the highest market standards.
6. AI Systems Operated by Third Countries (Criterion F)
Providers must prove data generated by the service is not used to train third-country AI systems.
- Contractual Clauses: Explicit clauses prohibiting the use of customer data for training third-country AI models.
- Data Flow Diagrams: End-to-end flow documentation, including MLOps connections.
- Model Cards: System cards stating that generated data does not leave the Union.
- Data Lineage: Policies and documentation showing data provenance and usage.
7. Absence of Third-Country Control (Criterion G)
This is often the most complex criterion, requiring a deep dive into ownership and governance.
- Ownership Structure: Cap tables, shareholder agreements, and commercial registry extracts identifying all direct and indirect shareholders up to ultimate owners.
- Governance: Documents describing decision-making bodies, their composition, nationality, and appointment rules. Board minutes and resolutions.
- Commercial/Financial Links: Evidence of long-term supply agreements, credits, or financial dependencies that could confer control.
- Subcontractor Control: The same ownership and control evidence must be provided for all subcontractors involved in service provision.
8. No Technical and Operational Support Outside the Union (Criterion H)
- Contractual Clauses: Binding clauses stating all support and administration must be initiated and performed in the Union.
- Subcontractor Registers: Up-to-date registers of all subcontractors.
- Network Controls: Evidence of geographically restricted network controls and Union-based administrative infrastructure.
- Operational Proof: Proof that help desks, SOC, and NOC operations are exclusively Union-based.
9. Software Supply Chain Transparency (Criterion I)
- SBOM: A complete and up-to-date Software Bill of Materials (SBOM) for all software components, including open-source software.
- Dependencies: A list of dependencies, including origin, country of design/development, and degree of reliance on non-EU vendors.
- Risk Mitigation: Evidence of risk-based processes for identifying and mitigating dependencies.
- Migration Plans: Switchover plans and tests for alternative solutions if a vendor fails.
- Remote Feature Testing: Test procedures and reports proving no remote features can tamper with or disrupt the system.
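The Criterion I evidence items above (a complete SBOM, a dependency list with origin and degree of reliance, and mitigation or switchover plans for critical non-EU dependencies) can be checked mechanically before the auditor does. The following is an added example, not code from the proposal or from any auditing organisation: it reads a CycloneDX-style SBOM with fictional, constructed components and reports which entries lack an origin country, which depend on non-EU vendors, and which high-reliance non-EU dependencies have no recorded switchover plan. The `evidence:origin_country`, `evidence:reliance` and `evidence:switchover_plan` names are a property-naming convention assumed here; CycloneDX permits arbitrary name/value properties but does not define these.

```python
import json

# EU-27 member state ISO 3166-1 alpha-2 codes, used to decide "non-EU vendor".
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})

# Constructed sample SBOM in CycloneDX-style JSON with fictional components.
# The "evidence:*" property names are an assumed convention for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "tls-lib", "version": "3.1.0",
         "supplier": {"name": "Example Crypto GmbH"},
         "properties": [
             {"name": "evidence:origin_country", "value": "DE"},
             {"name": "evidence:reliance", "value": "high"}]},
        {"type": "application", "name": "orchestrator-core", "version": "2.8.4",
         "supplier": {"name": "Example Orchestration Inc."},
         "properties": [
             {"name": "evidence:origin_country", "value": "US"},
             {"name": "evidence:reliance", "value": "high"},
             {"name": "evidence:switchover_plan", "value": "PLAN-0042"}]},
        {"type": "library", "name": "metrics-agent", "version": "0.9.1",
         "supplier": {"name": "Example Telemetry Ltd"},
         "properties": [
             {"name": "evidence:origin_country", "value": "GB"},
             {"name": "evidence:reliance", "value": "high"}]},
        {"type": "library", "name": "yaml-parse", "version": "1.4.2",
         "properties": [
             {"name": "evidence:reliance", "value": "low"}]},
    ],
})


def _props(component):
    """Flatten a component's CycloneDX properties list into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def review_sbom(sbom_json, eu_codes=EU_MEMBER_STATES):
    """Check every SBOM component for the Criterion I evidence fields.

    Returns a dict of findings keyed by check name; each list holds
    "name@version" strings so the result can be filed with the audit evidence.
    """
    bom = json.loads(sbom_json)
    findings = {
        "missing_origin": [],      # no country of design/development recorded
        "non_eu_dependency": [],   # origin outside the Union: must be listed
        "non_eu_high_reliance_without_switchover": [],  # mitigation gap
    }
    for comp in bom.get("components", []):
        ident = f"{comp['name']}@{comp.get('version', '?')}"
        props = _props(comp)
        origin = props.get("evidence:origin_country")
        if origin is None:
            findings["missing_origin"].append(ident)
            continue
        if origin not in eu_codes:
            findings["non_eu_dependency"].append(ident)
            if (props.get("evidence:reliance") == "high"
                    and "evidence:switchover_plan" not in props):
                findings["non_eu_high_reliance_without_switchover"].append(ident)
    return findings


def sbom_is_audit_ready(findings):
    """True when no component lacks origin data or a required switchover plan."""
    return (not findings["missing_origin"]
            and not findings["non_eu_high_reliance_without_switchover"])


if __name__ == "__main__":
    result = review_sbom(SAMPLE_SBOM)
    for check, items in result.items():
        print(f"{check}: {items}")
    print("audit-ready:", sbom_is_audit_ready(result))
```

A non-EU dependency is not itself a failure; the check only reports it so the dependency list the auditor receives is complete. What blocks audit readiness is a missing origin (the list required by Annex III would be incomplete) or a high-reliance non-EU component with no switchover plan to point to.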
10. Open-Source Software (Criterion J)
- Testing Evidence: Proof of testing to prevent remote features in open-source components.
- Change Management: Procedures covering firmware, BIOS, and software updates.
- Ecosystem Monitoring: Risk-based processes to identify weak ecosystems or deprecated OSS.
- Acquisition Detection: Mechanisms to detect if open-source software is acquired by a third-country entity.
11. Global Services and Subsidiaries (Criterion K)
- Independence Proof: Proof that third-country subsidiaries are legally and operationally independent.
- Access Restrictions: Evidence that subsidiaries have no access to systems processing customer data.
- Privileged Accounts: Verification that subsidiaries have no privileged accounts in Union production environments.
- Request Handling: Procedures ensuring foreign government requests received by subsidiaries are redirected to the competent Union entity.
The Role of Professional Judgement and Scepticism
Article 21(2)(b) explicitly states that evidence must be reliable according to the auditor's "professional judgement and scepticism." This is not a passive review; it is an active investigation. Auditors will:
- Cross-reference: Match payroll records with physical access logs to verify staff location.
- Test Controls: Attempt to access data from outside the Union to verify technical blocks.
- Question Inconsistencies: Challenge why a subcontractor in a third country is listed if Criterion H prohibits it.
- Assess Completeness: Verify that all dependencies in the SBOM are accounted for and that no "shadow" IT exists.
Providers must anticipate this scepticism. Evidence that is internally inconsistent, incomplete, or ambiguous will likely result in a negative audit opinion or significant delays.
What this means for you
For cloud service providers and data centre operators, preparing for CADA audits requires a fundamental shift from ad-hoc compliance to structured evidence management. You must:
- Map your controls to Annex III: Create a matrix linking each Annex II criterion to specific Annex III evidence types.
- Centralise evidence: Use a secure, version-controlled repository to store all required documents, ensuring audit trails are intact.
- Test your evidence: Conduct internal mock audits to verify that your evidence is sufficient and reliable. Ensure that technical controls (e.g., network blocks) are documented and tested.
- Engage early with auditors: Discuss your evidence strategy with your chosen auditing organisation to ensure alignment on expectations.
- Maintain ongoing compliance: Audit evidence must reflect current operations. Implement processes to update evidence as infrastructure, personnel, or software changes.
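The cross-referencing described under "The Role of Professional Judgement and Scepticism" (matching personnel records against access logs, spotting accounts that belong to no one on the roster, spotting access from outside the Union) is also the core of the internal mock audit recommended above. The following is an added example, not code from the proposal or from any auditing organisation: it reconciles constructed privileged-access log lines against a constructed HR extract and a constructed network-to-facility table (the Annex III infrastructure list reduced to address ranges, using only private and documentation IP ranges) and reports the same three kinds of inconsistency an auditor would raise. The log format, the roster fields and the facility names are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed HR extract: staff with operational roles and the Union site at
# which their employment contract and payroll records place them.
HR_ROSTER = {
    "jdoe": {"site": "FRA-DC1", "role": "platform-admin"},
    "mrossi": {"site": "MIL-DC3", "role": "database-admin"},
}

# Constructed network-to-facility table. The third field records whether the
# facility is in the Union; anything outside the table is treated as not Union.
FACILITY_NETWORKS = [
    (ipaddress.ip_network("10.20.0.0/16"), "FRA-DC1", True),
    (ipaddress.ip_network("10.30.0.0/16"), "PAR-DC2", True),
    (ipaddress.ip_network("10.40.0.0/16"), "MIL-DC3", True),
    (ipaddress.ip_network("192.0.2.0/24"), "CONTRACTOR-VPN", False),
]

# Constructed privileged-access log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-03-04T09:12:44Z user=jdoe action=sudo host=db-01 src=10.20.0.5
2025-03-04T09:15:02Z user=mrossi action=ssh host=app-07 src=10.30.4.9
2025-03-04T11:40:17Z user=svc-backup action=ssh host=db-01 src=10.20.1.1
2025-03-04T22:03:55Z user=jdoe action=console host=kvm-03 src=192.0.2.77
2025-03-05T01:10:00Z user=mrossi action=ssh host=db-02 src=203.0.113.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+)$")


def locate(src_ip, networks=FACILITY_NETWORKS):
    """Map a source address to (facility, in_union); unknown ranges are not Union."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None, False  # unparsable address: cannot be shown to be in the Union
    for net, facility, in_union in networks:
        if addr in net:
            return facility, in_union
    return None, False


def cross_check(log_text, roster=HR_ROSTER, networks=FACILITY_NETWORKS):
    """Reconcile privileged-access records against the HR roster and facility list.

    Returns lists of (timestamp, user, src) tuples per finding type:
      unknown_account - the account is not on the HR roster ("shadow" access)
      outside_union   - the source is not a Union facility
      site_mismatch   - a Union facility, but not the one HR places the person at
    """
    findings = {"unknown_account": [], "outside_union": [], "site_mismatch": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; out of scope for this check
        rec = m.groupdict()
        key = (rec["ts"], rec["user"], rec["src"])
        facility, in_union = locate(rec["src"], networks)
        staff = roster.get(rec["user"])
        if staff is None:
            findings["unknown_account"].append(key)
        if not in_union:
            findings["outside_union"].append(key)
        elif staff is not None and facility != staff["site"]:
            findings["site_mismatch"].append(key)
    return findings


if __name__ == "__main__":
    for kind, records in cross_check(SAMPLE_LOG).items():
        print(kind)
        for ts, user, src in records:
            print(f"  {ts} {user} from {src}")
```

On the constructed data the check reports one roster gap (`svc-backup`), two records from outside the Union facility list, and one site mismatch (`mrossi` seen at PAR-DC2 while HR places them at MIL-DC3). A site mismatch is not necessarily a breach, but it is exactly the inconsistency an auditor will ask to see explained and corroborated, so it should be resolved or documented before the evidence is submitted.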
Failure to meet these standards will result in a negative audit opinion, preventing recognition as offering Union assurance levels 2, 3, or 4, and limiting your ability to serve public sector clients.
Common misconceptions
- "Annex III is exhaustive." While Annex III provides a detailed list, Article 21(1) states it is indicative. Auditors may request additional evidence if they deem the provided information insufficient.
- "Self-certification is enough for all levels." Only Union assurance level 1 allows for conformity self-assessment. Levels 2, 3, and 4 require independent third-party audits.
- "General compliance documents suffice." CADA requires specific, granular evidence (e.g., precise server locations, individual citizenship records). Generic statements of compliance are not acceptable.
- "Third-country subsidiaries are automatically excluded." Subsidiaries in third countries are allowed if you can prove effective legal, technical, and organisational separation (Criterion K). However, the burden of proof is high.
- "Open-source software is exempt from scrutiny." Open-source components must still be tested for remote features and managed for supply chain risks (Criterion J).
This is general information about a draft EU regulation, not legal advice.