Summary

As proposed, the Cloud and AI Development Act (CADA) requires compliance teams to verify that a cloud provider's Union assurance recognition is current by cross-referencing the Commission's central repository and confirming the validity of the provider's independent audit. For Union assurance levels 2, 3, and 4, Article 20(8) mandates an annual review of the audit report; a failure to complete this review or a subsequent revocation invalidates the recognition. Furthermore, Article 22 requires that any revocation be published in the central repository for five years. Relying on a provider whose recognition has lapsed or been revoked exposes contracting authorities to non-compliance with mandatory procurement rules under Article 30.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic, ongoing framework for verifying that cloud computing services meet specific sovereignty and security standards, known as Union assurance levels. For in-house counsel, procurement officers, and compliance teams, verifying that a provider's recognition is "current" is not a static, one-time due diligence exercise. Instead, it is a continuous obligation tied to the validity of the provider's annual audit cycle and their active registration status in the Union-wide repository.

The Central Repository: The Definitive Source of Truth

Under Article 22 of the CADA proposal, the European Commission is mandated to establish and maintain a "central repository" of cloud computing services that have been formally recognised as offering Union assurance levels 1 through 4. This repository is the primary public interface for verifying a provider's status and serves as the single point of truth for the Union.

  • Public Availability and Updates: Article 22(4) stipulates that the central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment. This ensures that the status of any recognised service is visible to all potential public-sector customers across the EU.
  • Registration as a Condition of Recognition: A cloud computing service is not considered recognised across the Union merely upon the issuance of an audit opinion. Article 22(2) clarifies that the national competent authority of establishment must register the cloud computing service in the central repository following a successful recognition procedure. Without this registration, the service lacks Union-wide validity.
  • Visibility of Revocation: Crucially, the repository acts as a historical record of compliance failures. Article 22(3) mandates that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years." This five-year retention period ensures that contracting authorities can identify providers with a history of non-compliance, even if they have since attempted to re-apply.

Compliance teams must treat the central repository as the definitive source for current recognition status. A provider may claim to be "Level 3" assured in their marketing materials, but if they are not listed in the repository, or if their listing indicates a revoked status, they are not compliant for procurement purposes requiring that assurance level.

The Annual Audit Review Requirement

For services seeking Union assurance levels 2, 3, and 4, recognition is contingent upon independent third-party audits. While the initial audit grants recognition, Article 20(8) imposes a strict temporal requirement to maintain it. This provision ensures that the "current" status of a provider is not based on a stale assessment.

Article 20(8) states:

"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."

This clause establishes a "use it or lose it" mechanism for higher assurance levels. A "current" recognition is inextricably linked to a valid, annually reviewed audit report. Compliance officers must verify not just that an audit exists, but that the most recent annual review has been completed and resulted in a continued "positive" opinion. If a provider fails to submit their audit for annual review within the 12-month cycle, or if the auditing organisation revokes the opinion based on that review, the foundation for the recognition collapses. The recognition effectively ceases to be valid until a new positive opinion is issued and registered.

Transparency and Material Changes

The validity of a recognition is also dependent on the provider's ongoing transparency and the reporting of material changes. Article 23 imposes transparency obligations on recognised providers. If a provider becomes aware of any information or material change in circumstances that may affect their audit report, audit opinion, or recognition, they must notify the auditing organisation and the national competent authority of establishment "as soon as possible" (Article 23(1)).

This triggers a cascading verification process:

  1. The auditing organisation assesses whether the audit report or opinion needs amendment or revocation (Article 23(2)).
  2. If the audit opinion is amended or revoked, the national competent authority must assess whether its recognition needs to be amended or revoked (Article 23(3)).
  3. If the recognition is revoked, the authority must notify other Member States and the Commission.

This creates a chain reaction where a material change (e.g., a change in ownership structure, a new third-country control risk, or a data breach) can precipitate a loss of recognition. Compliance teams should monitor provider communications for disclosures of material changes that could trigger this sequence and immediately re-verify the provider's status in the central repository.

Revocation of Recognition

Even with a valid annual audit, a recognition can be revoked directly by the national competent authority if the integrity of the application process is compromised. Article 17(11) grants the evaluating national competent authority the power to revoke recognition if it finds that the cloud computing service provider:

"...intentionally or negligently, supplied incorrect or misleading information."

This provision underscores that recognition is not a permanent badge but a status conditional on honesty and accuracy. If a provider is found to have misrepresented their infrastructure location, data residency, ownership structure, or software supply chain during the initial application or subsequent audits, their recognition can be withdrawn. Once revoked, the service is no longer eligible for procurement by public sector bodies requiring that assurance level. The revocation is then published in the central repository for five years, serving as a lasting warning to the market.

Implications for Procurement

The necessity of verifying current recognition is driven by the mandatory procurement obligations in Article 30. Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., law enforcement, defence, critical infrastructure) must only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4 (Article 30(3)). Other public sector bodies must use services with at least Union assurance level 1 (Article 30(2)).

Procuring from a provider whose recognition has lapsed due to a missed annual audit, or whose recognition has been revoked, would constitute a failure to comply with these mandatory procurement rules. While CADA outlines penalties for providers infringing the sovereignty framework under Article 24 (requiring Member States to lay down rules that are "effective, proportionate and dissuasive"), contracting authorities face significant reputational, operational, and potential contractual risks if they rely on invalid assurance levels. In the event of a risk assessment requiring migration to a compliant service, Article 29(6) notes that the migration must occur within a reasonable transition period not exceeding 12 months; however, relying on a non-compliant provider during this interim may still violate Article 30 mandates if the transition is not managed proactively.

What this means for you

For in-house counsel and compliance officers, verifying CADA recognition requires integrating the following checks into your vendor management and procurement lifecycle:

  1. Pre-Contract Verification via Repository: Before finalising a contract with a cloud provider claiming Union assurance, search the Commission's central repository (Article 22). Confirm the service is listed, the assurance level matches your procurement requirements, and the status is "active." Do not rely solely on the provider's self-declaration.
  2. Annual Audit Confirmation: For providers at assurance levels 2, 3, and 4, request evidence of the most recent annual audit review pursuant to Article 20(8). Ensure the auditing organisation has issued a continued "positive" opinion. Do not accept a static audit report from the initial recognition phase if more than 12 months have passed. Ask for the date of the last annual review and the date of the next scheduled review.
  3. Monitor for Material Changes: Include contractual clauses requiring providers to notify you promptly of any material changes that could affect their recognition status (Article 23). Establish a process to re-verify repository status immediately if such notifications are received.
  4. Watch for Revocation: Set up alerts or periodic checks (e.g., quarterly) on the central repository to detect if a provider's status changes to "revoked." Be aware that revocations under Article 17(11) can occur due to incorrect information supplied by the provider, which may indicate deeper governance issues. Remember that revocations remain visible for five years.
  5. Transition Planning: If a provider's recognition is revoked or their annual audit fails, you must migrate to a compliant service. While Article 29(6) allows for a transition period of up to 12 months, relying on a non-compliant provider in the interim may violate Article 30 procurement mandates. Early identification of lapsed recognitions is critical to avoiding breach of contract or regulatory non-compliance.

Common misconceptions

  • "A one-time audit is sufficient." Incorrect. For Union assurance levels 2, 3, and 4, Article 20(8) mandates an annual review. A provider with a "positive" opinion from two years ago but no recent annual review does not have a current recognition.
  • "If the provider says they are compliant, they are." Incorrect. Compliance is verified through the central repository (Article 22) and the audit reports. Providers must self-assess for Level 1, but higher levels require independent audit. Self-declarations can be revoked if found to be based on incorrect information (Article 17(11)).
  • "Recognition is permanent until the contract ends." Incorrect. Recognition is dynamic. It can be revoked by the auditing organisation if the annual review fails, or by the national competent authority if the provider supplied misleading information (Article 17(11)). The repository will reflect these changes immediately.
  • "Level 1 providers need annual audits." Incorrect. Article 19 outlines a conformity self-assessment for Level 1. While they must report material changes (Article 23), the strict annual independent audit review of Article 20(8) applies only to levels 2, 3, and 4.

This is general information about a draft EU regulation, not legal advice.