Summary

As proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider seeking Union assurance level 2, 3 or 4 must obtain a "positive" audit opinion from an independent auditing organisation before it can be recognised (Article 20). Preparation comes down to three things: choose an auditing organisation that satisfies the independence and competence conditions in Article 20(4); assemble evidence that maps your service to the cumulative Annex II criteria, using the indicative evidence list in Annex III; and cooperate fully with the audit, because Article 20(2) places a legal duty on you to assist and to refrain from hampering, unduly influencing or undermining it. The audit evidence must be relevant, sufficient and reliable (Article 21).

Detail

For providers serving Union entities and public sector bodies at the higher tiers, compliance is verified, not self-declared. The audit is governed by Article 20 (independent audit) and Article 21 (content and quality of audit evidence), against the criteria in Annex II and the indicative evidence list in Annex III.

The legal duty to cooperate

Article 20(2) places a direct duty on the audited provider. You must cooperate with the auditing organisation and give the assistance needed to conduct the audit in an "effective, efficient and timely manner," including by granting access to all relevant data and premises and by answering oral or written questions. You must also refrain from hampering, unduly influencing or undermining the audit. In practice, obstruction tends to produce a "negative" opinion or an inability to conclude — either of which blocks recognition.

Choosing an independent auditing organisation

You select the auditing organisation, but Article 20(4) sets cumulative conditions it must meet:

  1. Independence and no conflicts of interest with the provider or any connected legal person. In particular, the organisation must not have provided non-audit services on the audited matters in the 12 months before the audit and must commit not to provide them in the 12 months after; and it must not have provided audit services under this Article to the provider (or a connected person) in the 10-year period before the audit begins.
  2. No contingent fees — the audit may not be performed for fees contingent on its result.
  3. Proven expertise, technical competence and capability in auditing cloud computing services.
  4. Proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.

The auditing organisation must also keep an adequate level of confidentiality and professional secrecy over what it learns (Article 20(3)).

Assembling evidence: Annex III against Annex II

The heart of preparation is mapping your service to the Annex II criteria using the evidence indicated in Annex III. Article 21(1) requires the auditing organisation to assess compliance with the Annex II criteria on the basis of the Annex III evidence; Article 21(2) requires that evidence to be (a) relevant and sufficient to support an audit report and opinion, and (b) reliable, according to the auditor's professional judgment and scepticism. Annex III is expressly indicative — auditors may seek any additional information — so treat the lists below as a floor, not a ceiling.

Key evidence categories under Annex III (for the criteria in Annex II at Levels 2–4) include:

  1. Union establishment (criterion A): proof you are incorporated under a Member State's law with a genuine, stable Union presence — e.g. national company extracts, tax-residency documentation, business licences, VAT registration, and checks against the BRIS and VIES systems, plus evidence that offices, permanent staff, contractual operations and banking/accounting functions are in the Union.
  2. Location of infrastructure, assets and personnel (criterion B): precise locations (down to street and country) of infrastructure, including primary, backup, disaster-recovery and log storage; asset registers and proof that servers and operational assets sit in the Union; and employment, payroll and organisational records showing service personnel are Union-based, supported by network and architecture diagrams.
  3. Data localisation (criterion C): evidence that customer data (including metadata and telemetry) is stored and processed exclusively in the Union — access logs, privileged-access records, data-flow diagrams, master service and data-processing agreements — and that no data leaves the Union without the public sector body's approval.
  4. Union citizenship (criterion D): for Levels 3 and 4, personnel involved in the service must be Union citizens (with national security clearance where appropriate for classified information); at Level 2 this applies where the public sector body requires it. Evidence includes proof of citizenship, access-control policies and citizenship-verification procedures.
  5. Cybersecurity certification (criterion E): a European cybersecurity certificate at assurance level "substantial" (Levels 2 and 3) or "high" (Level 4) under a cloud scheme established pursuant to Regulation (EU) 2019/881, once such a scheme exists; until then, national schemes apply, or — absent any scheme — demonstration of the highest cybersecurity standards under applicable Union law.
  6. No third-country AI training (criterion F): proof that data generated by use of the service is not used to train or fine-tune any AI system operated by a third country or third-country entity, and is not transferred outside the Union.
  7. Absence of third-country control (criterion G): ownership and governance evidence showing you are not subject to the control of a third country or third-country entity — at Level 3 subject only to the "associated third countries" route the Commission may open under Article 18 — extending to direct and indirect owners.
  8. Technical support localisation (criterion H): evidence that technical and operational support, including sub-outsourcing, is initiated and performed exclusively within the Union.
  9. Software supply-chain transparency (criterion I): a complete, up-to-date software bill of materials (SBOM) and dependency list, plus documented controls over third-country software components and migration plans.
  10. Open-source controls (criterion J): documented controls preventing the use of remote features that could materially tamper with or disrupt the service.
  11. Separation of third-country subsidiaries (criterion K): proof of effective legal, technical and organisational separation between the Union parent and any third-country subsidiary.

The audit process and outcomes

Article 20(5) requires a substantiated written audit report containing, among other things, the audited provider's identity and the period covered, the auditing organisation's identity, a declaration of interests, the aspects audited and methodology, a description and summary of the main findings, a list of third parties consulted, and a "positive" or "negative" audit opinion on compliance with the applicable Annex II criteria. Where the opinion is negative, the report sets out operational recommendations on specific measures to achieve compliance and a recommended timeframe; where positive, it states the Union assurance level to be recognised under Article 17. If the auditor could not audit certain aspects or express an opinion, Article 20(6) requires the report to explain the circumstances and reasons — there is no separate "qualified" opinion category in the proposal. Article 20(8) then requires an annual review of the report and opinion.

Two further points shape the audit. First, the auditing organisation may revoke its audit report and opinion if the provider, intentionally or negligently, supplied incorrect or misleading audit evidence (Article 20(7)); a revocation is then published in the central repository for five years (Article 22(3)). Second, under Article 20(3) the auditing organisation owes a duty of confidentiality and professional secrecy over the information it obtains, including after the audit ends, and — read with Article 23 — shares only what is necessary for reporting and does not disclose information that could reasonably be considered confidential. You should still expect to hand over commercially sensitive material (ownership structures, network topology, supplier contracts), so agree handling and retention arrangements with the auditor up front.

The role of the criteria's strictness across levels

The same evidence categories appear at Levels 2, 3 and 4, but Annex III itself notes that, while the evidence requested may be the same, the aspects analysed differ with the level's strictness. The practical consequence is that moving up a level is rarely a matter of producing more documents; it is about demonstrating stronger guarantees on the same points. Union citizenship of personnel, for example, is conditional at Level 2 (where the public sector body requires it) but a standing requirement at Levels 3 and 4; the absence of third-country control is demonstrated through mitigating measures at Level 2 but is, in principle, an absolute condition at Levels 3 and 4 — subject only, at Level 3, to the "associated third countries" route the Commission may open under Article 18. Frame your evidence to the level you are seeking, not to a generic "sovereignty" standard.

What this means for you

Preparation should begin before CADA enters into force.

  1. Run a gap analysis against the Annex II criteria. Find where infrastructure, personnel or data flows fall short of Union-exclusive requirements — and remember the criteria are cumulative, so a higher level also requires every lower-level criterion (Article 20(1)).
  2. Tidy your documentation. Annex III expects granular evidence; vague records cause delays or a negative opinion. Keep contracts, SBOMs and data-flow diagrams current and retrievable.
  3. Manage subcontractors. Their infrastructure, personnel and data handling are part of the audited service. Bind them contractually to Union-only processing and support.
  4. Select auditors carefully. The independence conditions in Article 20(4) — including the 10-year look-back on prior audit engagements and the 12-month bar on related non-audit services — may rule out your current advisers. Identify qualifying organisations early.
  5. Set up rapid access protocols. Slow provision of data or premises can read as hampering the audit (Article 20(2)).

Common misconceptions

"Self-assessment is enough for all levels." No. Self-assessment covers only Level 1 (Article 19). Levels 2, 3 and 4 require an independent third-party audit (Article 20).

"We can keep using our current auditor." Possibly not. The 10-year look-back on prior audit engagements and the 12-month bar on related non-audit services in Article 20(4) may disqualify your existing advisers.

"Data residency in the EU is fine; support can stay global." No. For Levels 2–4, Annex II criterion H requires technical and operational support to be initiated and performed exclusively within the Union.

"We only need to evidence our own infrastructure." No. Where subcontractors are involved in the service, their infrastructure, personnel and data handling must also be evidenced (Annex III, criteria B and C).

This is general information about a draft EU regulation, not legal advice.