Summary
Under the proposed Cloud and AI Development Act (CADA), transparency is a dynamic, continuous obligation that is legally fused with the audit evidence regime for Union assurance levels 2, 3, and 4. Article 23 imposes a strict duty on cloud providers to promptly notify both auditing organisations and national competent authorities of any "material change" in circumstances that could affect their audit report or recognition. Upon such notification, the auditing organisation is legally required to reassess the validity of its audit opinion under Article 23(2), determining whether to amend or revoke the report. This mechanism ensures that the "positive" audit opinion remains grounded in current, reliable evidence as defined in Article 21 and Annex III. Failure to maintain this transparency can lead to the revocation of Union assurance recognition and expose providers to penalties under Article 24, including civil liability for damages under Article 24(3).
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for sovereign cloud computing services centred on four "Union assurance levels" (UALs). For providers seeking recognition at UAL 2, 3, or 4, initial compliance is verified through independent third-party audits governed by Article 20. However, the integrity of these audits is not static; it relies heavily on the continuous transparency of the cloud computing service provider, as codified in Article 23. This section details how transparency obligations interact with the audit process, the evidence regime, and the enforcement mechanisms, creating a closed loop of accountability.
The Link Between Transparency and Audit Evidence
CADA does not treat audits as one-off events that confer permanent status. Instead, the audit process is dynamic, underpinned by a continuous duty of transparency. Article 23(1) mandates that a recognised cloud computing service provider must, "as soon as possible," notify both the auditing organisation and the national competent authority of establishment upon becoming aware of any information or material change in circumstances that may affect the audit report and the 'positive' opinion.
This transparency obligation is intrinsically linked to the audit evidence regime set out in Article 21 and Annex III. Auditing organisations prepare their initial audit reports and opinions based on specific "audit evidence," which must be "relevant and sufficient" and "reliable" (Article 21(2)). This evidence covers the cumulative criteria in Annex II, including:
- Union Establishment and Control: Evidence of incorporation, ownership structures, and the absence of third-country control.
- Location of Infrastructure and Personnel: Proof that assets, data, and staff remain within the Union.
- Software Supply Chain: Documentation of Software Bills of Materials (SBOM), source code auditability, and migration plans for third-country components.
A "material change" under Article 23 is any alteration that impacts the reliability or sufficiency of this underlying evidence. Examples include:
- A change in the ultimate beneficial owner of the provider or its subcontractors, potentially triggering third-country control issues under Annex II criteria (e.g., Criterion G).
- The relocation of critical infrastructure, assets, or personnel outside the Union, violating Annex II Criterion B.
- Changes in the software supply chain, such as the introduction of new third-country components that lack the required source code auditability or migration plans (Annex II Criterion I).
- Any event that compromises the operational autonomy of the provider, such as new contractual obligations with third-country entities that could force service disruption.
By requiring notification of such changes "as soon as possible," CADA ensures that the audit evidence remains current. The auditing organisation is not passive; it has an active duty to verify that the "positive" opinion still reflects the reality of the service.
Auditor Reassessment and the Notification Chain
When a cloud provider triggers its transparency obligation under Article 23(1), a specific procedural chain is activated to protect the integrity of the Union assurance framework. Article 23(2) stipulates: "On the basis of the notification under paragraph 1, the auditing organisation shall assess whether the audit report or the audit opinion need to be amended or revoked."
This reassessment is the critical pivot point. The auditing organisation must determine if the material change undermines the cumulative criteria for the specific Union assurance level. For example:
- If a provider at UAL 3 acquires a subcontractor subject to third-country control without the necessary safeguards outlined in Article 18 and Annex II, the auditor may be forced to revoke the 'positive' opinion.
- If a provider at UAL 2 fails to maintain the required "substantial" cybersecurity certification (Annex II, 2.1(e)), the auditor must reassess compliance.
If the auditing organisation concludes that the report or opinion must be amended or revoked, Article 23(2) further requires it to notify the national competent authority of establishment "as soon as possible." This triggers a secondary assessment by the competent authority under Article 23(3), which must then assess whether its recognition of the cloud computing service needs to be amended or revoked.
If the recognition is amended or revoked, the competent authority must notify the competent authorities of other Member States and the Commission. This ensures a unified EU-wide response, preventing a scenario where a provider retains a "sovereign" label in one Member State while having lost assurance status in another. The revocation or amendment is also published in the central repository established under Article 22, where it remains available for five years, ensuring market transparency.
Penalties and Enforcement for Transparency Failures
The seriousness of these transparency obligations is underscored by the enforcement powers granted to national competent authorities under Article 26 and the penalty framework in Article 24. Article 24(1) requires Member States to lay down rules on penalties for infringements of this Chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive."
When determining the level of penalty under Article 24(2), authorities must consider several non-exhaustive criteria, including:
- The nature, gravity, scale, and duration of the infringement (e.g., how long the provider failed to notify a material change).
- The financial benefits gained or losses avoided by the infringing party (e.g., retaining a contract by hiding a loss of sovereignty).
- The infringing party's annual turnover in the preceding financial year in the Union.
A failure to notify a material change under Article 23 can be construed as a significant infringement, particularly if it results in the public sector procuring services that no longer meet the required assurance level. Furthermore, Article 24(3) provides that recipients of the cloud computing services have the right to seek compensation from cloud computing service providers for any damage or loss suffered due to an infringement of their obligations under this Chapter. This creates a direct civil liability risk for providers that fail in their transparency duties, adding a commercial dimension to the regulatory penalties.
The Role of Audit Independence and Objectivity
The interaction between transparency and audits is safeguarded by the strict independence requirements for auditing organisations under Article 20(4). Auditors must be independent of the cloud provider and have no conflicts of interest. They must adhere to high professional ethics and objectivity. This ensures that when an auditor reassesses a report following a transparency notification under Article 23, the decision to amend or revoke is based solely on objective evidence and compliance with Annex II criteria, not on commercial pressure from the provider.
Moreover, Article 20(5) requires the audit report to be substantiated in writing, including a description of the specific aspects audited and the methodology applied. If an auditor fails to properly assess a material change reported under Article 23, they may face professional and legal consequences for failing to maintain the required standard of care and objectivity. The audit evidence standards in Article 21 reinforce this by requiring auditors to assess compliance based on evidence that is "reliable, according to the auditing organisation's professional judgment and scepticism."
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the integration of transparency obligations with the audit regime under CADA requires a proactive, real-time compliance strategy.
- Establish Internal Monitoring Triggers: You cannot wait for a scheduled audit to identify compliance gaps. Implement internal monitoring systems that flag any "material change" in circumstances relevant to Annex II criteria. This includes changes in corporate structure, ownership, subcontractor relationships, infrastructure locations, and software dependencies.
- Define "Material Change" in Contracts: Clearly define what constitutes a "material change" in your internal policies and in contracts with subcontractors. Ensure that subcontractors are contractually obligated to notify you of any changes that could affect the Union assurance level, allowing you to fulfil your Article 23 notification duty promptly.
- Prepare for Auditor Reassessment: Maintain an open and cooperative relationship with your auditing organisation. When a material change occurs, provide comprehensive documentation to facilitate the auditor's assessment under Article 23(2). Delays in providing this information can exacerbate the risk of recognition revocation.
- Review Penalty Exposure: Assess your organisation's exposure under Article 24. Ensure that your compliance budget accounts for the potential costs of penalties and civil liability. Implement robust governance structures to demonstrate that you have taken all necessary measures to prevent transparency failures.
- Document Everything: Keep detailed records of all notifications sent under Article 23, the auditor's responses, and any subsequent actions taken by competent authorities. This documentation will be crucial if you need to defend against allegations of non-compliance or if you are seeking to mitigate penalties.
Common misconceptions
- Misconception: Transparency obligations are only for initial certification.
- Reality: Article 23 applies continuously. The duty to notify material changes exists for the entire duration of the recognition. A provider is not "safe" once it receives a positive audit opinion; it must remain transparent about any changes that could invalidate that opinion.
- Misconception: Only the competent authority needs to be notified.
- Reality: Article 23(1) requires notification to both the auditing organisation and the national competent authority of establishment. Notifying the auditor is what triggers the technical reassessment of the audit report under Article 23(2); notifying the competent authority alone does not satisfy the obligation.
- Misconception: Auditors can ignore minor changes.
- Reality: While the regulation uses the term "material change," the criteria for Union assurance levels are cumulative and strict. A change that seems minor in isolation (e.g., a small change in subcontractor ownership) may have a material impact on the "third-country control" criteria under Annex II. Auditors are required to assess the impact rigorously.
- Misconception: Penalties are only administrative fines.
- Reality: In addition to the penalties Member States impose under Article 24(1), calibrated using the criteria in Article 24(2), providers face the risk of civil liability for damages under Article 24(3). Recipients of the services, including public sector clients, can seek compensation for losses suffered due to a provider's failure to maintain transparency and assurance levels.
Related
- CADA Transparency Checklist: How Cloud Providers Must Report Material Changes
- What examples of material changes must a CSP report under CADA?
- Does a change of ownership trigger a CADA transparency notification?
- Why must NCAs notify other Member States of recognition changes under CADA?
- Who sets the penalties for CADA transparency infringements?
This is general information about a draft EU regulation, not legal advice.