Summary

Under the proposed Cloud and AI Development Act (CADA), maintaining a Union assurance level recognition is not a one-time event but a continuous obligation. For providers at Union assurance levels 2, 3, and 4, Article 20(8) mandates an annual review of the audit report and the associated 'positive' audit opinion to confirm continued compliance. Simultaneously, Article 23 imposes a strict duty to notify the auditing organisation and the national competent authority "as soon as possible" of any material change in circumstances that could affect the recognition. Failure to meet these ongoing requirements, or supplying incorrect or misleading information, exposes the provider to the revocation of recognition under Article 17(11).

Detail

The CADA proposal establishes a rigorous, dynamic lifecycle for cloud computing service providers seeking to offer services to Union entities and public sector bodies. Once a provider achieves recognition for a specific Union assurance level (Levels 1–4) via the procedure in Article 17, the obligation to maintain that status begins immediately. The framework relies on two distinct but interconnected mechanisms: periodic independent verification for higher assurance levels and continuous transparency for all recognised providers.

Annual Audit Reviews for Levels 2, 3, and 4

For providers recognised at Union assurance levels 2, 3, and 4, the cornerstone of maintaining recognition is the mandatory annual review cycle. Article 20(8) explicitly states: "The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II."

This provision ensures that the provider's infrastructure, personnel, data localisation, cybersecurity measures, and software supply chain remain aligned with the strict sovereignty requirements of the specific assurance level throughout the year, rather than just at the moment of initial certification. The auditing organisation, upon conducting this annual review, has the authority to "confirm, update, or revoke the initial audit report and audit opinion."

If the auditing organisation revokes the opinion or updates it to a negative status due to non-compliance, this triggers a cascade of consequences. The loss of a 'positive' audit opinion undermines the basis for the national competent authority's recognition. Consequently, the competent authority must reassess the provider's status, potentially leading to the amendment or revocation of the Union assurance level recognition itself.

Providers at Union assurance level 1 follow a different path, relying on a conformity self-assessment and an EU statement of conformity under Article 19. While they do not undergo the same third-party annual audit cycle as levels 2–4, they remain subject to the transparency obligations and the risk of revocation if they are found to have supplied incorrect information.

Transparency Obligations and Material Changes

Beyond the scheduled annual audit, providers have a continuous, real-time duty to report changes. Article 23 sets out strict transparency obligations applicable to all recognised providers. The text mandates: "On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

The term "material change" is not exhaustively defined in a single list but is broadly interpreted through the cumulative criteria of Annex II. In practice, this encompasses any deviation from the conditions under which recognition was granted, such as:

  • Changes in Control: Any shift in ownership or control that introduces third-country influence or alters the legal entity's establishment status.
  • Infrastructure Relocation: Moving data storage, processing assets, or personnel outside the Union, unless explicitly permitted by the public sector body under the specific assurance level criteria.
  • Subcontractor Changes: The introduction of new subcontractors or the removal of existing ones that were part of the original audit scope, particularly those involved in technical support or data processing.
  • Cybersecurity or Personnel Shifts: Significant changes in cybersecurity certification status (e.g., losing a 'substantial' or 'high' assurance certificate) or changes in the nationality/clearance status of key personnel.

The process following a notification is strict. Upon receiving a notification under Article 23, the auditing organisation must assess whether the audit report or the audit opinion needs to be amended or revoked. If the auditing organisation amends or revokes the report, it must "as soon as possible, notify the national competent authority of establishment." Subsequently, the competent authority assesses whether its initial recognition needs to be amended or revoked. If the authority amends or revokes the recognition, it must notify the competent authorities of other Member States and the Commission, ensuring the change is reflected across the Union.

Risks of Revocation

The loss of recognition is a severe consequence that can immediately disrupt business relationships with public sector bodies and Union entities. Article 17(11) provides the legal basis for revocation by the evaluating national competent authority. It states: "The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently, supplied incorrect or misleading information."

This provision underscores the critical importance of accuracy not only in the initial application but also in the ongoing annual reviews and transparency notifications. If a provider fails to report a material change that subsequently undermines the assurance level criteria, or if it provides false data during an annual audit review, the competent authority has the power to withdraw the recognition entirely.

Once revoked, the service is removed from the central repository maintained by the Commission under Article 22. The text of Article 22(3) notes that "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years." This public record, visible for that five-year period, serves as a standing warning to potential public-sector customers. Furthermore, under Article 30, contracting authorities are generally prohibited from procuring services that do not meet the required assurance level, effectively barring a revoked provider from the public market.

What this means for you

For cloud service providers and data centre operators, maintaining CADA recognition requires embedding compliance into your daily operational governance. It is not sufficient to pass an audit once and then wait for the next mandatory cycle.

  1. Establish Real-Time Monitoring: You must have internal processes to detect "material changes" immediately. This includes monitoring changes in corporate structure, subcontractor agreements, infrastructure configurations, and personnel status. Any deviation from the conditions documented in your initial audit evidence must be flagged and reported "as soon as possible" under Article 23.
  2. Budget for Annual Audits: For Levels 2–4, factor the cost and resource requirement of annual audit reviews into your operational budget. Ensure your contracts with auditing organisations include clear Service Level Agreements (SLAs) for these annual reviews to avoid gaps in your recognised status. Remember, Article 20(8) requires the review to take place every year; the timing is not at the provider's discretion.
  3. Document Every Notification: Keep meticulous records of all notifications sent to auditing organisations and competent authorities under Article 23. Proof of timely notification can be critical if a dispute arises regarding whether a change was material or whether negligence occurred.
  4. Train Staff on Accuracy: Ensure that all staff interacting with auditors and regulators understand the severity of Article 17(11). Intentional or negligent misrepresentation is a direct path to revocation. Training should cover the precise criteria of your specific assurance level to avoid accidental non-compliance during the annual review.
  5. Prepare for Subcontractor Scrutiny: Since subcontractors are part of the audit scope, ensure your supply chain management includes regular checks on subcontractors' compliance with data localisation and personnel requirements. Their failures can trigger a material change notification for your service, potentially jeopardising your own recognition.

Common misconceptions

Misconception 1: "Recognition is permanent once granted." Recognition is conditional and ongoing. The CADA framework is designed to be dynamic. Annual reviews under Article 20(8) and the continuous transparency obligations under Article 23 mean that your status is under constant evaluation. A single year of non-compliance or a failure to report a material change can lead to revocation.

Misconception 2: "Only the annual audit matters." The annual audit is a snapshot. Article 23 creates a continuous obligation. If a material change occurs in January and you wait until the annual audit in December to report it, you may have breached your transparency obligations. The regulation requires notification "as soon as possible" after becoming aware of the change, regardless of the audit schedule.

Misconception 3: "Level 1 providers have no ongoing obligations." While Level 1 providers do not undergo third-party annual audits, they are still subject to the transparency obligations of Article 23 and the risk of revocation under Article 17(11) if they supplied incorrect or misleading information in their self-assessment. They must still ensure their self-assessment remains accurate over time and report any material changes immediately.

Misconception 4: "Revocation only happens for major security breaches." Revocation under Article 17(11) is specifically tied to the supply of incorrect or misleading information, whether intentional or negligent. This can include administrative errors in reporting, failure to disclose subcontractor changes, or inaccuracies in documenting data flows, not just technical security failures. The "negligently" standard means that even honest mistakes in reporting can lead to loss of recognition if they are significant enough to mislead the authority.

This is general information about a draft EU regulation, not legal advice.