Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance levels 2, 3, or 4 must undergo a mandatory annual review to maintain their recognition. Article 20(8) explicitly requires audited providers to submit their existing audit report and associated "positive" audit opinion to an auditing organisation each year. This organisation, whether the same as the initial auditor or a different one, must assess the service's continued compliance with the criteria in Annex II. Based on this review, the auditor may confirm, update, or revoke the initial audit report and opinion. Failure to maintain this cycle can result in the loss of recognition, preventing the provider from serving public sector bodies.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic sovereignty framework rather than a static certification. For providers aiming to serve Union entities and public sector bodies at assurance levels 2, 3, or 4, the initial audit is merely the starting point. The regulation mandates a rigorous, recurring verification process to ensure that the stringent criteria regarding establishment, infrastructure location, personnel, and third-country control remain met over time.
The Legal Mandate: Article 20(8)
The core obligation for this ongoing verification is found in Article 20(8) of the proposal. The text states:
"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."
This provision creates a continuous compliance loop. Unlike some certifications that remain valid for multiple years without re-evaluation, CADA's higher assurance levels require annual scrutiny. This reflects the dynamic nature of cloud infrastructure, software supply chains, and geopolitical risks, which can change rapidly. The regulation empowers the auditing organisation to take three distinct actions based on the review:
- Confirm: The service continues to meet all criteria; the existing report and opinion remain valid.
- Update: The service remains compliant, but the report or opinion requires modification to reflect changes in the service, infrastructure, or criteria interpretation.
- Revoke: The service no longer meets the criteria, leading to the withdrawal of the audit opinion.
Step-by-Step Preparation for the Annual Review
Preparing for the annual review requires a structured approach that mirrors the initial audit but focuses specifically on changes, updates, and ongoing adherence to Annex II.
1. Select or Confirm Your Auditing Organisation
Article 20(8) provides flexibility: you may submit your review to the same auditing organisation that performed the initial audit or a different one.
- Same Auditor: This is often more efficient. The auditor already possesses deep knowledge of your infrastructure, previous findings, and risk profile. They may focus primarily on verifying specific changes rather than re-auditing the entire stack from scratch.
- Different Auditor: You may choose a new auditor for reasons of cost, specialized expertise, or strategic partnership. However, be prepared to provide comprehensive evidence, as the new auditor will lack historical context. Crucially, any new auditor must meet the strict independence and competence requirements set out in Article 20(4), including prohibitions on providing non-audit services in the 12 months before and after the audit.
2. Gather Updated Audit Evidence
The auditing organisation must assess compliance based on the cumulative criteria in Annex II. You must prepare updated evidence corresponding to the requirements in Annex III. Key areas to prepare include:
- Union Establishment (Criterion A): Verify that your legal establishment, central administration, and main establishment remain within the Union. Provide updated company extracts, tax residency documents, and proof of physical presence (e.g., lease contracts, utility bills).
- Location of Infrastructure and Personnel (Criterion B): Confirm that all infrastructure, assets, and personnel involved in the service remain located in the Union. Update asset registers, server location logs, and personnel records (employment contracts, payroll records) to reflect any changes.
- Data Localisation (Criterion C): Provide updated data flow diagrams and logs demonstrating that customer data, including metadata and telemetry, remains exclusively within the Union. Ensure no new third-party subcontractors outside the Union have been engaged without meeting the strict criteria.
- Union Citizenship (Criterion D): For UAL 3 and 4, verify that all personnel involved are Union citizens. Provide updated proof of citizenship and security clearances where required. Note that for UAL 2, this criterion applies only if the public sector body explicitly requires it.
- Cybersecurity Certification (Criterion E): Ensure your European cybersecurity certificate (or national equivalent if the EU scheme is not yet available) is still valid and covers the required assurance level ("substantial" for UAL 2 and 3; "high" for UAL 4).
- AI Training Data (Criterion F): Confirm that data generated by using the audited service has not been used to train AI systems operated by third countries. Provide updated contractual clauses and MLOps records.
- Third-Country Control (Criterion G): Re-assess ownership structures, cap tables, and corporate governance. Provide evidence that no third-country control has emerged that would restrict your ability to perform the service or access customer data.
- Technical Support (Criterion H): Verify that all technical and operational support continues to be initiated and performed exclusively within the Union. Update subcontractor registers and help-desk logs.
- Software Supply Chain (Criterion I): Provide an updated Software Bill of Materials (SBOM) and list of dependencies. Ensure any new software components from third countries have been subject to source code audits and have documented migration plans.
- Open-Source Software (Criterion J): Update controls for open-source software to prevent remote tampering. Provide evidence of monitoring for deprecated or unmaintained OSS.
- Global Services (Criterion K): If you have subsidiaries in third countries, verify the legal, technical, and organisational separation between the Union parent and the subsidiary. Ensure the subsidiary has no access to Union customer data or privileged accounts.
3. Conduct an Internal Pre-Review
Before submitting to the auditing organisation, conduct an internal gap analysis against the Annex II criteria. Identify any material changes in circumstances since the last audit, such as:
- New subcontractors or changes in existing ones.
- Changes in software stack, dependencies, or source code.
- Changes in personnel, management structures, or citizenship status.
- Updates to cybersecurity certifications or incidents.
- Any breaches or security incidents that may impact compliance.
4. Submit for Review
Submit the current audit report and positive audit opinion to the auditing organisation, along with all updated evidence. Ensure the submission is timely to avoid any disruption to your recognition status. The regulation does not specify a fixed calendar date for this, but providers should align it with their internal fiscal or operational cycles to ensure continuity.
5. Cooperate with the Auditor
As per Article 20(2), you must cooperate with the auditing organisation. This includes providing access to all relevant data, premises, and personnel, and answering oral or written questions promptly. You must refrain from hampering, unduly influencing, or undermining the performance of the audit.
6. Receive the Outcome
The auditing organisation will assess the continued compliance. The possible outcomes are:
- Confirm: The initial audit report and opinion remain valid.
- Update: The audit report and opinion are updated to reflect changes or improvements.
- Revoke: The audit report and opinion are revoked if compliance is not maintained.
Impact on Recognition and Notification
If the auditing organisation revokes the audit report or opinion, the consequences are immediate and severe. You must notify the national competent authority of establishment immediately under Article 23. The competent authority will then assess whether to amend or revoke your recognition as offering a specific Union assurance level.
Article 23 states that on becoming aware of any material change in circumstances that may affect the audit report or the "positive" opinion, the provider must notify the auditing organisation and the competent authority. If the recognition is revoked, the service is removed from the central repository maintained by the Commission under Article 22, effectively barring the provider from serving public sector bodies requiring that assurance level.
What this means for you
For cloud service providers and data centre operators, the annual review is not a mere formality. It is a critical compliance milestone that determines your market access in the EU public sector.
- Continuous Compliance Culture: Move from a "project-based" compliance mindset to a "continuous compliance" culture. Integrate Annex II criteria into your daily operations, change management processes, and vendor management procedures. Do not wait for the annual review to fix issues.
- Documentation Discipline: Maintain real-time documentation of your infrastructure, personnel, software stack, and data flows. This will make the annual review process smoother and less resource-intensive.
- Auditor Relationship: Build a strong relationship with your auditing organisation. Regular communication throughout the year, rather than just at audit time, can help identify and address issues proactively.
- Risk Management: Use the annual review as an opportunity to identify and mitigate emerging risks, such as new third-country dependencies or software supply chain vulnerabilities.
Common misconceptions
"The audit is a one-time event." Many providers believe that once they achieve a Union assurance level, they are compliant for the duration of their contract. CADA explicitly requires annual reviews for UAL 2, 3, and 4 under Article 20(8).
"We can use any auditor." Auditing organisations must meet strict independence and competence requirements (Article 20(4)). They must not have provided non-audit services to you in the 12 months before or after the audit, and must have proven expertise in auditing cloud computing services.
"Minor changes don't matter." Any material change in circumstances that may affect compliance must be reported to the auditing organisation and the competent authority (Article 23). Failing to report changes can lead to revocation.
"Union assurance level 1 requires an annual audit." Union assurance level 1 is based on a conformity self-assessment (Article 19) and does not require an independent third-party audit or annual review in the same way as levels 2-4. However, you must still maintain compliance and report material changes.
Related
- How do I prepare for CADA's first periodic review under Article 47?
- How do I prepare for a CADA independent third-party audit?
- How do I prepare audit evidence that meets CADA Annex III standards?
- CADA Compliance: Self-Assessment vs. Independent Audit Explained
- Who pays for the independent audit under CADA? Costs for Levels 1-4
This is general information about a draft EU regulation, not legal advice.