Summary
Under the proposed Cloud and AI Development Act (CADA), the actors and concepts in a sovereignty audit are defined in Article 2: Article 2(17) defines the auditing organisation, Article 2(18) the audited service, Article 2(19) the audit criteria, and Article 2(20) the audit evidence. Together they frame the independent third-party audit required for Union assurance levels 2, 3 and 4, and they feed the procedural rules in Articles 20 and 21.
Detail
For Union assurance levels 2–4, a provider would have to demonstrate compliance through an independent third-party audit. To keep this consistent across the EU, CADA defines the key audit terms in Article 2.
The core definitions in Article 2
- Auditing organisation — Article 2(17): "an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit." The definition is broad enough to cover single entities or consortia, while leaving independence to be enforced separately.
- Audited service — Article 2(18): "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion." The unit of assessment is the specific service offering, though verifying control and independence may require access to broader company information.
- Audit criteria — Article 2(19): "the criteria, pursuant to Annex II to this Regulation, against which the auditing organisation assesses whether the audited provider and its audited service comply with each cumulative criterion to be met for it to be recognised as offering Union assurance levels 2, 3, or 4." This ties the audit to the requirements in Annex II.
- Audit evidence — Article 2(20): "any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed." A deliberately broad concept covering both documentary and technical proof.
How the definitions structure the audit framework
Article 20 — Independent audit. Article 20(1) requires providers seeking recognition at levels 2, 3 or 4 to undergo, at their own expense, independent third-party audits to obtain an audit report and an audit opinion. The auditing organisation (Article 2(17)) is then bound by the independence requirements in Article 20(4): it must be independent and conflict-free — in particular, it must not have provided non-audit services related to the matters audited to the provider (or a connected person) in the 12 months before the audit and must commit not to do so in the 12 months after; it must not have provided audit services under this Article to that provider in the preceding 10 years; and its fees must not be contingent on the result. It must also have proven expertise and technical competence in auditing cloud computing services, and proven objectivity and professional ethics.
The audited service (Article 2(18)) is the subject of the audit report and opinion. Under Article 20(5)(g), that report must contain a "positive" or "negative" audit opinion; a positive opinion identifies the assurance level to be recognised (Article 20(5)(i)), which is then submitted to the national competent authority for recognition under Article 17.
Article 21 — Content and quality of audit evidence. Article 21(1) requires the auditing organisation to assess compliance with the criteria in Annex II "on the basis of the audit evidence listed in Annex III." Article 21(2) requires that evidence be (a) relevant and sufficient to enable the report and opinion, and (b) reliable according to the auditing organisation's professional judgment and scepticism. So the audit evidence is the verified basis for the conclusion, and the audit criteria are the benchmark against which it is measured. If the evidence does not demonstrate compliance with Annex II for the target level, the opinion will be negative and recognition denied.
Why these definitions matter for levels 2–4
Union assurance level 1 can be demonstrated by a conformity self-assessment and an EU statement of conformity (Article 19). Levels 2, 3 and 4 require the independent audit. The Article 2 definitions ensure that:
- Independence is structural — the auditing organisation is a contracted third party subject to Article 20(4).
- Scope is clear — the audited service is the unit of assessment.
- Verification is robust — a chain runs from the criteria in Annex II, through the evidence in Annex III, to the auditor's opinion.
What this means for you
For cloud providers and data-centre operators targeting the public sector:
- Select your auditor carefully. Your auditing organisation (Article 2(17)) must meet the independence and competence rules in Article 20(4) — including no recent or planned non-audit services on the audited matters and no contingent fees. Define the scope of the audited service (Article 2(18)) clearly in your engagement.
- Prepare comprehensive evidence. Beyond policy documents, assemble technical audit evidence (Article 2(20)) — data from IT systems, logs, interview records and test results — mapped to the audit criteria (Article 2(19)) in Annex II for your target level. Use Annex III as the guide to what auditors will request.
- Align internal processes so you can reliably extract and present data from systems; evidence must be relevant, sufficient and reliable (Article 21(2)).
- Account for subcontractors. The auditing-organisation definition includes the auditor's subcontractors, and the assurance criteria reach your own subcontractors involved in providing the service.
Common misconceptions
- "Any auditor can perform a CADA sovereignty audit." Incorrect. Article 20(4) imposes strict independence, expertise and ethics requirements; the auditor must have proven competence in auditing cloud services and no disqualifying conflicts.
- "The audit covers the entire company." Misleading. Article 2(18) makes the audited service the unit of assessment, though verifying independence and control may require access to broader company data (for example, ownership evidence under Annex III, Section 7).
- "Audit evidence is just documentation." Incorrect. Article 2(20) covers data from IT systems, interviews and testing; policy documents alone are unlikely to suffice.
Related
- What are audit criteria under CADA? Annex II sovereignty rules
- How CADA's audit definitions work together for sovereignty recognition
- Audit criteria vs audit evidence under CADA: the difference
- What is audit evidence under CADA? Article 2(20) explained
- How CADA's control definition affects sovereignty tier eligibility
This is general information about a draft EU regulation, not legal advice.