Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must undergo independent third-party audits. To protect commercial interests, Article 20(3) explicitly mandates that auditing organisations ensure an adequate level of confidentiality and professional secrecy regarding all information obtained during the audit, including after the audit has concluded. This protection covers trade secrets and sensitive operational data. Crucially, the regulation limits data sharing: auditors may only share information that is necessary for reporting purposes under Article 23 and must ensure that such shared information does not contain any details that could reasonably be considered confidential.

Detail

The CADA proposal establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. A critical component of this framework is the independent third-party audit mechanism required for services claiming Union assurance levels 2, 3, or 4. Because these audits require deep access to a provider's infrastructure, source code, and operational data, the proposal embeds robust confidentiality safeguards. These measures ensure that the pursuit of sovereignty does not come at the cost of exposing a provider's intellectual property or compromising their competitive position.

The Core Confidentiality Obligation: Article 20(3)

The primary legal shield for sensitive data during the audit process is found in Article 20(3) of the CADA proposal. This provision imposes a strict duty on auditing organisations. It states that auditors "shall ensure an adequate level of confidentiality and professional secrecy in respect of the information obtained from the audited providers and third parties as part of the audits, including after the audits have ended."

This obligation is perpetual regarding the specific information obtained; it does not expire when the audit report is issued. The text further clarifies that this requirement "shall not adversely affect the performance of the audits and other provisions of this Regulation." This balance ensures that while auditors must be thorough, they cannot use the audit process to extract or leak proprietary information.

The scope of this protection is broad. It covers any information obtained during the audit, which typically includes:

  • Trade Secrets: Proprietary algorithms, source code, architectural designs, and unique software configurations.
  • Operational Data: Internal logs, security configurations, vulnerability assessments, and incident response records.
  • Third-Party Information: Data obtained from subcontractors or other entities involved in the service provision.

The Reporting Carve-Out: Interaction with Article 23

While Article 20(3) establishes a high bar for secrecy, the audit process must still result in a report and, where necessary, notifications to authorities. This is where the interaction with Article 23 (Transparency obligations) becomes critical.

Article 20(3) explicitly limits the scope of information that can be shared for reporting. It states that under Article 23, "the auditing organisation shall only share information that are necessary for the reporting purposes and do not contain any information that could reasonably be considered confidential."

This creates a strict "need-to-know" filter:

  1. Necessity: Information shared with the national competent authority or the Commission must be strictly necessary to fulfill the reporting obligations (e.g., notifying a change in assurance status or a revocation of an audit opinion).
  2. Non-Confidentiality: The shared information must be stripped of any elements that could reasonably be considered confidential.

For example, if an auditor must report that a provider has failed to meet a specific software supply chain criterion, the report would state the failure and the nature of the gap. It would not include the provider's full source code, specific vulnerability exploits, or proprietary architectural diagrams unless such details were absolutely indispensable and could not be redacted without rendering the report meaningless; that is a high bar, and one the regulation implicitly discourages.

Auditor Independence and Professional Ethics

Confidentiality is not an isolated rule but is deeply intertwined with the auditor's independence and professional ethics, as outlined in Article 20(4). The proposal requires auditing organisations to demonstrate:

  • Independence: They must be independent from the cloud computing service provider and free from conflicts of interest. Specifically, they cannot have provided non-audit services related to the matters audited in the 12 months before or after the audit.
  • Professional Ethics: They must adhere to codes of practice or appropriate standards, ensuring objectivity.
  • Technical Competence: They must possess proven expertise in auditing cloud computing services.

If an auditor's independence or competence is in doubt, they must abstain or resign. This structural independence reinforces the confidentiality obligation by removing financial or operational incentives for an auditor to leak sensitive data to competitors or third parties.

Scope of Protection and Data Types

The confidentiality obligation applies to all information obtained "as part of the audits." This includes data collected from documents, databases, IT systems, interviews, or testing performed (as referenced in the definition of "audit evidence" in Article 2(20) and the evidence requirements in Annex III).

The protection extends to:

  • Source Code: Auditors may need to review source code to verify software supply chain measures (Annex II, point 2(i) and 3(i)). Article 20(3) ensures this code remains confidential.
  • Subcontractor Data: Information obtained from third parties or subcontractors involved in the service is also protected.
  • Post-Audit Retention: The obligation persists "including after the audits have ended," preventing auditors from using historical audit data for future commercial advantage or unauthorized disclosure.

Penalties and Enforcement

While Article 20 sets the obligations, Article 24 outlines the consequences of non-compliance. Member States must lay down rules on penalties for infringements of the sovereignty chapter, including breaches of audit obligations. These penalties must be "effective, proportionate and dissuasive."

Although the proposal does not specify a fixed fine amount for confidentiality breaches specifically, the criteria for imposing penalties include:

  • The nature, gravity, scale, and duration of the infringement.
  • Any financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover.

A breach of confidentiality could be deemed a severe infringement, potentially leading to significant fines, civil liability for damages (as recipients of services have a right to seek compensation under Article 24(3)), and the revocation of the auditor's ability to perform audits under the framework. Furthermore, Article 20(7) allows auditing organisations to revoke their own audit report if the provider supplied incorrect evidence, but conversely, an auditor who breaches confidentiality risks losing their standing and facing enforcement actions from national competent authorities.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the confidentiality provisions of CADA offer a critical layer of protection but also impose specific procedural duties.

  1. Contractual Alignment: When engaging an auditing organisation under Article 20, your engagement contract should explicitly mirror the confidentiality and professional secrecy obligations of Article 20(3). While the Regulation sets the minimum standard, robust contractual clauses can provide additional legal recourse and define specific redaction protocols for the audit report.
  2. Scope Definition and Data Minimization: Work with your IT and security teams to define the audit scope precisely. Since auditors need access to verify compliance with Annex II criteria, ensure they only access what is strictly necessary. This reduces the volume of sensitive data exposed and aligns with the principle that auditors should only share non-confidential information for reporting.
  3. Internal Training and Access Controls: Ensure that your internal teams understand that while auditors are bound by confidentiality, they are still external parties. Maintain strict access controls and logging during the audit period to track what information is accessed and by whom. This creates an audit trail that can be vital if a confidentiality breach occurs.
  4. Reporting Preparedness: Be aware that while you must report material changes to your auditor (triggering Article 23 notifications), you can request that such reports be handled in a way that minimizes the exposure of confidential details. The auditor is legally obligated to protect this information when forwarding reports to national competent authorities.

Common misconceptions

  • "Auditors can share any data with regulators." This is incorrect. Article 20(3) explicitly states that auditing organisations shall only share information that is necessary for reporting purposes and does not contain any information that could reasonably be considered confidential. Regulators receive the audit opinion and necessary evidence, not raw, unredacted sensitive data.

  • "Confidentiality ends when the audit is complete." The proposal clearly states that the obligation of confidentiality and professional secrecy applies "including after the audits have ended." This is a perpetual obligation regarding the specific information obtained during that engagement.

  • "Any auditor can be used." No. Article 20(4) imposes strict independence and competence requirements. An auditor who has provided related non-audit services to you within the preceding 12 months, or who lacks specific cloud auditing expertise, cannot be used. This ensures that the confidentiality obligation is held by a qualified, independent party.

  • "CADA overrides GDPR." CADA does not override GDPR; it complements it. The confidentiality obligations in Article 20(3) work in tandem with data protection rules to ensure that personal data and trade secrets are both protected during the audit process.

This is general information about a draft EU regulation, not legal advice.