Summary
As proposed in the Cloud and AI Development Act (CADA), a provider would reach Union assurance level 2 by undergoing, at its own expense, an independent third-party audit and obtaining a "positive" audit opinion (Article 20). It would then apply to the national competent authority (NCA) of its establishment, submitting the audit report, the "positive" opinion and all evidence given to the auditor (Article 17(4)). The NCA — the "evaluating national competent authority" — does not re-audit; it assesses the evidence within 60 days, then notifies other Member States for a 60-day review before the service is recognised across the Union. Recognition is not permanent: the report and opinion must be re-reviewed annually (Article 20(8)), and material changes must be notified (Article 23). Note that the proposal does not describe the auditing organisation as "accredited" — it sets independence, competence and objectivity conditions instead (Article 20(4)). CADA is a proposal and is not yet in force.
Detail
As proposed, the CADA Union cloud computing sovereignty framework is designed to mitigate risks associated with dependence on cloud services subject to third-country control. Article 16 would establish four "Union assurance levels," with levels 2, 3 and 4 requiring independent third-party verification. For assurance level 2, the route to recognition would be defined by Article 17 and Article 20 of the proposal.
The independent third-party audit
Unlike assurance level 1, which would rely on a self-assessment and an EU statement of conformity (Article 19), assurance level 2 would require external validation. Under Article 20(1), a provider seeking recognition for level 2 (or 3 or 4) would have to undergo independent third-party audits, conducted at its own expense, to obtain an audit report and an audit opinion from an auditing organisation. The proposal does not describe these organisations as "accredited."
The auditing organisation would have to be independent from the provider and free of conflicts of interest. Article 20(4) sets out the criteria, which include that the organisation:
- has not provided non-audit services related to the audited matters to the provider (or any legal person connected to it) in the 12 months before the audit begins, and commits not to do so in the 12 months after completion;
- has not provided auditing services pursuant to Article 20 to the same provider (or a connected legal person) in the 10-year period before the audit begins;
- does not perform the audit for fees contingent on the result;
- has proven expertise, technical competence and capabilities in auditing cloud computing services; and
- has proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
The audit would assess whether the provider complies with the cumulative criteria for Union assurance level 2 set out in Annex II — verifying, for example, that the provider and its involved subcontractors are established in the Union, that infrastructure, assets and personnel are located in the Union, and that customer data (including metadata and telemetry) remains exclusively within the Union. It would also check the "substantial" cybersecurity certificate and the software supply-chain measures, such as a complete software bill of materials (SBOM).
The audit report and "positive" opinion
The auditing organisation would prepare a substantiated, written audit report. Article 20(5) sets out the minimum content, which includes:
- the name, address and point of contact of the audited provider, and the period covered;
- the name and address of the auditing organisation;
- a declaration of interests;
- a description of the specific aspects audited and the methodology applied;
- a description and summary of the main findings;
- a list of the third parties consulted; and
- crucially, a "positive" or "negative" audit opinion on whether the audited service complies with the applicable Annex II criteria for level 2, 3 or 4.
Where the opinion is "positive," the report identifies the Union assurance level to be recognised under Article 17 (Article 20(5)(i)). If the auditor could not audit certain aspects or express an opinion, the report must explain why (Article 20(6)). Where the opinion is "negative," the report must include operational recommendations and a recommended timeframe to achieve compliance (Article 20(5)(h)). Without a "positive" opinion, a provider cannot proceed to recognition.
Submission to the national competent authority
With a "positive" opinion, the provider would apply for formal recognition. Article 17 governs the recognition mechanism: the provider submits an application to the NCA of its establishment, which acts as the "evaluating national competent authority" (Article 17(1)–(2)).
Article 17(4) specifies what the application for levels 2, 3 and 4 must include:
- the audit report;
- the "positive" audit opinion referred to in Article 20; and
- all the evidence provided to the auditing organisation during the audit procedure.
The NCA does not re-audit the provider; it assesses the evidence and the audit report to verify that the provider meets the Union assurance level 2 criteria.
The recognition process
On accepting an application, the evaluating NCA would have 60 days to assess the evidence. Article 17(5) sets out three possible outcomes:
- Draft recognition. Where the evidence is sufficient, the NCA prepares a draft recognition decision and notifies the competent authorities of other Member States for a 60-day review period. Where no reasoned objection is submitted, the conclusions are deemed accepted, the NCA adopts the recognition decision, and the service is recognised throughout the Union at the appropriate level (Article 17(7)).
- Request for further information. Where the evidence is insufficient, the NCA may request further information; the 60-day period is suspended from the request until the information is received, and the suspension "shall not exceed 30 days in total" unless justified by the nature of the information or exceptional circumstances (Article 17(5)(b)).
- Rejection. The NCA may reject the application, but must first give the provider 30 days to submit written comments on its conclusions, of which it must take due account (Article 17(5)(c)).
Where another Member State submits a reasoned objection during the review period, the evaluating NCA must assess it and either maintain or revoke its draft decision (Article 17(9)). Where it intends to maintain the draft despite the objection, the concerned authority may refer the matter to the Commission, which adopts a binding decision determining whether the recognition may proceed (Article 17(10)).
Ongoing obligations
Recognition would not be a one-time event. Under Article 20(8), the audited provider must annually submit the audit report and the "positive" opinion for review by the same or a different auditing organisation, which may confirm, update or revoke it. Under Article 23, the provider must notify the auditing organisation and the NCA as soon as it becomes aware of any material change in circumstances that may affect the report, the "positive" opinion or the recognition. An auditing organisation may also revoke its report and opinion where the provider supplied incorrect or misleading audit evidence (Article 20(7)), and the NCA may revoke a recognition obtained through incorrect or misleading information (Article 17(11)).
What this means for you
For cloud service providers and data centre operators, achieving CADA level 2 recognition would be a significant operational undertaking, not a paperwork exercise.
- Budget for audits. As proposed, the independent third-party audit is at your own expense (Article 20(1)). Choose an auditing organisation that meets the Article 20(4) independence, competence and objectivity criteria — and do not assume it must be "accredited," as the proposal sets conditions rather than an accreditation requirement.
- Prepare your evidence. Internal checks alone would not suffice. Maintain rigorous documentation — SBOMs, data-flow diagrams, proof of data localisation, the "substantial" cybersecurity certificate — for the auditor, and remember that the NCA scrutinises the same evidence package (Article 17(4)).
- Engage early with your NCA. The process involves a 60-day assessment window plus a 60-day cross-border review, and a request for further information suspends the clock, normally for no more than 30 days in total (Article 17(5)(b)). Early engagement with your national competent authority helps avoid delays.
- Plan for annual reviews. Build processes for annual re-review (Article 20(8)). Your compliance posture must be maintained continuously, and material changes must be notified promptly (Article 23).
- Market access. As proposed, without recognition you could not bid for EU public-sector contracts that require level 2 or higher. Under Article 30(3), contracting authorities whose activities are identified as contributing to public order would only procure services recognised at level 2, 3 or 4.
Common misconceptions
- "Self-assessment is enough for level 2." As proposed, self-assessment is only permitted for Union assurance level 1 (Article 19). Levels 2, 3 and 4 require independent third-party audits and a "positive" opinion (Article 20).
- "The NCA conducts the audit." The NCA does not audit your systems. It assesses the audit report and evidence produced by your chosen independent auditing organisation; its role is evaluative and supervisory (Article 17).
- "Recognition is permanent." Recognition is subject to annual review (Article 20(8)) and to revocation where material changes occur or incorrect information was supplied (Articles 17(11), 20(7), 23).
- "Any auditor can perform the audit." The auditing organisation must meet the independence, competence and objectivity conditions in Article 20(4) — for example, no audit services to the provider in the prior 10 years and no fees contingent on the result. The proposal does not, however, require the organisation to be "accredited."
Related
- How does a provider get recognised at CADA assurance level 4?
- How does a provider get recognised at CADA assurance level 3?
- How does a cloud provider get recognised at CADA assurance level 1?
- CADA: What happens to an assurance level if a provider is acquired by a non-EU company?
- What criteria must a provider meet for CADA assurance level 4?
This is general information about a draft EU regulation, not legal advice.