Summary
Under the proposed Cloud and AI Development Act (CADA), an auditor assesses data-residency criteria by rigorously mapping the legal requirements of Annex II (Union Assurance Levels) to the specific evidentiary checklist in Annex III. For services seeking Union Assurance Levels 2, 3, or 4, providers must prove that customer data remains exclusively within the Union. As proposed, Article 21 mandates that this audit evidence must be "relevant, sufficient and reliable" according to the auditor's professional judgment. This means auditors do not merely review policy statements; they verify technical configurations, access logs, network diagrams, and contractual safeguards to confirm that no data leaves the EU boundary without explicit public-sector approval.
Detail
The CADA proposal establishes a tiered sovereignty framework where data residency is a non-negotiable pillar for higher assurance levels. To understand how an auditor evaluates this, one must examine the precise interplay between the criteria set out in Annex II, the indicative evidence list in Annex III, and the qualitative standards defined in Article 21.
The Regulatory Foundation: Annex II Criteria
For Union Assurance Level 1, the criteria regarding data residency rely on a self-assessment by the provider. However, for Levels 2, 3, and 4, the requirements are cumulative, strict, and subject to independent third-party audit.
- Level 2: Annex II, Section 2.1(c) requires that "the customer data, including metadata and telemetry data, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union," unless the public sector body explicitly requires otherwise.
- Level 3: Annex II, Section 3.1(c) repeats this requirement verbatim, adding the critical temporal condition that this applies "at any time, including before, during or after the configuration or use of the service."
- Level 4: Annex II, Section 4.1(c) refines the scope for the highest tier, focusing on data identified as "sensitive" following a risk assessment, requiring it to remain exclusively within the Union.
The Auditor's Tool: Annex III Evidence
Auditors do not assess these criteria in a vacuum. Annex III provides the indicative list of evidence an auditing organisation should request to assess compliance with the criteria in Annex II. Specifically, Audit Criterion C in Annex III, titled "Data localisation in the Union," details the specific evidence required to prove residency.
An auditor maps the Annex II criteria to the following evidence types from Annex III:
- Technical and Operational Proof: The auditor requests evidence demonstrating that third parties or subcontractors are technically and operationally unable to access, obtain, make unavailable, destroy, or process customer data without prior authorisation. This includes access logs, support access policies, and privileged access records.
- Monitoring and Logging: Auditors look for logs and monitoring records demonstrating that all data are stored and processed exclusively within the Union. This might include master service agreements, data processing agreements, data residency contractual agreements, or any EU data boundary definitions.
- Data Flow Diagrams: A critical piece of evidence is a data flow diagram showing the flows of data between the cloud computing service provider and customer data, as well as with third-party services and subcontractors. The diagram must clearly identify the source and destination of data and demonstrate that the data does not leave the Union.
- Contractual Safeguards: Auditors review contractual agreements and logs to ensure that "no customer data, including encrypted data, are transferred outside of the Union without public sector body approval."
The Quality Standard: Article 21
Article 21 of the CADA proposal sets the qualitative bar for this evidence. It explicitly states that audit evidence shall be:
- Relevant: It must directly address the criteria in Annex II. For example, a general IT security policy is not relevant evidence for data residency; a specific data flow diagram showing data paths is.
- Sufficient: There must be enough evidence to enable the auditing organisation to prepare an audit report and provide an audit opinion. A single screenshot of a server location is likely insufficient; a combination of lease agreements, network diagrams, and access logs is required.
- Reliable: The evidence must be reliable "according to the auditing organisation's professional judgment and scepticism." For instance, self-generated logs may be considered less reliable than independent monitoring reports or third-party verified records.
The Assessment Process
When assessing data residency, the auditor follows a logical chain mandated by the proposal:
- Identify the Scope: The auditor defines what constitutes "customer data" under the proposal. Annex III defines this broadly to include data input by the customer, data produced by the customer's use of the service, and any derived data (telemetry, metadata).
- Map the Infrastructure: Using the data flow diagrams and asset registers requested under Annex III, Criterion B (Location of infrastructure, assets, and personnel), the auditor maps where the physical and logical infrastructure resides.
- Verify Controls: The auditor checks the technical controls (e.g., geographically restricted network controls, Union-based administrative infrastructure) and operational controls (e.g., subcontractor agreements) to ensure they enforce the residency requirement.
- Evaluate Evidence Quality: Applying Article 21, the auditor determines if the collected evidence is sufficient to conclude that the data remains in the Union. If the evidence is ambiguous or incomplete, the auditor must seek additional information or qualify their opinion.
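As an added illustration (not from the proposal, and not part of this page's own material), the following Python check applies the four steps above, and the "data residency by design" advice further down, to a constructed data-flow inventory: it flags any flow of customer data, metadata, telemetry or backups whose source or destination is outside the Union unless public-sector approval is recorded, treats encrypted transfers the same way, and cross-checks each non-provider operator against the subcontractor register. The `DataFlow` format, the register layout and the sample values are assumptions.

```python
"""Residency check over a constructed data-flow inventory (hypothetical format).
Rules follow Annex II 2.1(c)/3.1(c) and Annex III Criterion C as described on
this page; the inventory format, field names and register layout are assumptions."""
from dataclasses import dataclass

# EU-27 ISO 3166-1 alpha-2 codes, used to decide whether a location is "within the Union".
EU_MEMBER_STATES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split())

@dataclass(frozen=True)
class DataFlow:
    name: str
    category: str        # customer_data, metadata, telemetry or backup (all in scope)
    src: str             # ISO country code of the source location
    dst: str             # ISO country code of the destination location
    operator: str        # "provider" or the subcontractor operating the destination
    encrypted: bool = False
    public_body_approved: bool = False   # explicit approval for an out-of-Union transfer

def in_union(country: str) -> bool:
    return country.upper() in EU_MEMBER_STATES

def assess_residency(flows, subcontractor_register):
    """Return findings (empty list = no residency gap). The register maps a
    subcontractor name to whether its contract binds it to the residency rule."""
    findings = []
    for f in flows:
        if not (in_union(f.src) and in_union(f.dst)) and not f.public_body_approved:
            # Annex III: "including encrypted data" -> encryption is not an exemption.
            note = " (encryption does not exempt it)" if f.encrypted else ""
            findings.append(f"{f.name}: {f.category} leaves the Union {f.src}->{f.dst}{note}")
        if f.operator != "provider":
            bound = subcontractor_register.get(f.operator)
            if bound is None:
                findings.append(f"{f.name}: operator {f.operator} not in subcontractor register")
            elif not bound:
                findings.append(f"{f.name}: subcontractor {f.operator} not contractually bound")
    return findings

# Constructed sample: one DR backup replicated outside the Union, one subcontractor
# whose contract lacks the residency clause.
SAMPLE_FLOWS = [
    DataFlow("db-primary", "customer_data", "DE", "DE", "provider"),
    DataFlow("dr-backup", "backup", "DE", "US", "provider", encrypted=True),
    DataFlow("telemetry-export", "telemetry", "FR", "IE", "analytics-sub"),
    DataFlow("support-mirror", "metadata", "NL", "NL", "support-sub"),
]
SAMPLE_REGISTER = {"analytics-sub": True, "support-sub": False}

if __name__ == "__main__":
    print("\n".join(assess_residency(SAMPLE_FLOWS, SAMPLE_REGISTER)) or "no findings")
```

The output of such a check is itself evidence in the Article 21 sense only when the inventory it runs over is generated from the live configuration rather than hand-maintained.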
Implications for Subcontractors
The criteria apply not just to the primary provider but also to subcontractors involved in the provision of the service. Annex III requires auditors to verify that subcontractors are also bound by these restrictions. The auditor will review the provider's subcontractor register and the contractual clauses binding those subcontractors to ensure they do not have the technical or operational ability to process data outside the Union.
What this means for you
For CTOs, architects, and SMEs, the CADA proposal shifts data residency from a marketing claim to a verifiable, auditable technical requirement.
- Architects: You must design your systems with "data residency by design." This means implementing strict network boundaries, ensuring that backup and disaster recovery sites are also within the Union, and creating comprehensive data flow diagrams that can be easily updated and audited. Your architecture must prevent data leakage at the code and configuration level.
- CTOs: You need to establish robust evidence collection processes. This means maintaining up-to-date asset registers, access logs, and monitoring records. You must also ensure that all subcontractors are contractually and technically bound to the same residency requirements. Your internal controls must be able to generate the "relevant, sufficient and reliable" evidence demanded by Article 21.
- SMEs: While SMEs may start with Union Assurance Level 1 (self-assessment), growing into Levels 2–4 requires significant preparation. You should begin documenting your data flows and subcontractor arrangements now. Consider the cost of maintaining separate Union-based infrastructure for public sector clients, as this will be a key differentiator in procurement.
Common misconceptions
"Data residency only means where the servers are." Incorrect. Under CADA, residency applies to all customer data, including metadata, telemetry, and logs. It also applies to processing and storage, not just physical location. Data in transit must also be managed to ensure it does not inadvertently leave the Union.
"A contract is enough to prove residency." Incorrect. While contracts are part of the evidence, Article 21 requires reliable and sufficient evidence. Auditors will look for technical proof (logs, diagrams) and operational proof (access controls), not just legal promises.
"Level 1 has no audit requirements for residency." Partially true, but misleading. Level 1 relies on self-assessment, but the provider still assumes responsibility for compliance. If a provider claims Level 1, they must still meet the criteria in Annex II, Section 1.1(c). The difference is the verification method (self vs. third-party audit), not the underlying technical requirement.
"Encrypted data can leave the Union freely." Incorrect. Annex III explicitly states that evidence must show that "no customer data, including encrypted data, are transferred outside of the Union without public sector body approval." Encryption does not bypass residency requirements.
This is general information about a draft EU regulation, not legal advice.