Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers recognized at Union assurance levels 2, 3, or 4 are subject to a mandatory annual review to ensure their sovereignty and security guarantees remain valid. As explicitly stated in Article 20(8), the audited provider must submit their audit report and the associated "positive" audit opinion for review every year. Based on this reassessment, the auditing organization may confirm, update, or revoke the initial opinion. This dynamic mechanism protects public-sector buyers by preventing reliance on outdated certifications and ensuring that any degradation in compliance is detected and addressed promptly.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for cloud sovereignty. While the initial recognition process is critical, the proposal recognizes that cloud environments are dynamic. Infrastructure evolves, personnel change, and geopolitical risks shift. To address this, CADA mandates a continuous compliance loop through annual audits for higher assurance levels.

The Legal Basis: Article 20(8)

The core obligation for ongoing compliance is found in Article 20(8) of the proposal. This article stipulates that for cloud computing service providers seeking recognition at Union assurance levels 2, 3, or 4, the obligation to undergo independent third-party audits does not end with the initial issuance of the report.

The text of Article 20(8) states:

"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."

This provision creates a statutory "renewal" process. It is not merely a check-box exercise; it is a substantive re-evaluation of whether the provider still meets the cumulative criteria for their specific assurance level. The flexibility to use "the same or a different auditing organisation" ensures that the review remains objective and prevents long-term entrenchment between a provider and a specific auditor.

The Three Outcomes: Confirm, Update, or Revoke

The annual review empowers the auditing organization to take one of three distinct actions, each with significant implications for the provider and the buyer:

  1. Confirm: If the auditing organization determines that the provider continues to meet all applicable criteria in Annex II, it confirms the initial audit report and opinion. This maintains the provider's recognized status across the Union.
  2. Update: If the review reveals changes that do not fundamentally compromise compliance but require documentation adjustments (e.g., minor infrastructure shifts or updated subcontractor lists), the auditor may update the report. This ensures the public record reflects the current state of the service without necessarily stripping the provider of their status.
  3. Revoke: This is the most critical safeguard. If the provider no longer meets the criteria (perhaps due to a change in ownership, a breach of data localization rules, or a failure to maintain cybersecurity standards), the auditing organization may revoke the initial audit report and audit opinion.

The power to revoke is a direct protection for buyers. If an opinion is revoked, the legal basis for the provider's recognition disappears. This prevents public bodies from continuing to procure services that no longer meet the sovereignty standards required for their specific risk profile.

The Trigger for Immediate Action: Article 23

While the annual review is a scheduled event, CADA also provides for immediate action outside this cycle. Article 23 imposes transparency obligations on recognized providers. If a provider becomes aware of any "material change in circumstances" that may affect the audit report or opinion, they must notify the auditing organization and the national competent authority of establishment "as soon as possible."

This creates a dual-layer protection:

  • Scheduled: The annual review catches gradual drift or planned changes.
  • Ad-hoc: The Article 23 obligation ensures that sudden, material risks (such as a new third-country law or a security breach) are flagged immediately, potentially triggering an unscheduled audit or revocation before the next annual cycle.

Impact on Recognition and the Central Repository

The outcome of the annual review (or an ad-hoc assessment) flows directly into the legal status of the service. Under Article 23(2), if the auditing organization amends or revokes the audit report or opinion, they must notify the national competent authority of establishment.

Subsequently, under Article 23(3), the competent authority must assess whether its recognition of the cloud computing service needs to be amended or revoked. If the authority amends or revokes the recognition, it must notify other Member States and the Commission.

Crucially, Article 22 mandates the establishment of a central repository of recognized cloud computing services. Article 22(3) specifies that "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This public visibility is vital for buyers. Procurement officers can consult the central repository to verify not just that a provider was recognized, but that their recognition is currently valid and has not been revoked in the intervening year.

Why This Applies to Levels 2, 3, and 4

The annual review requirement is specific to Union assurance levels 2, 3, and 4. Article 20(1) clarifies that providers seeking these levels must undergo independent third-party audits. Level 1, in contrast, relies on a conformity self-assessment by the provider (Article 19) and does not carry the same annual third-party audit mandate.

The higher levels involve complex, sensitive criteria such as:

  • Union citizenship of personnel (Annex II, 3.1(d) and 4.1(d)).
  • Absence of third-country control (Annex II, 3.1(g) and 4.1(g)).
  • Strict data localization (Annex II, 3.1(c) and 4.1(c)).
  • High cybersecurity certification (Annex II, 3.1(e) and 4.1(e)).

Because these criteria are susceptible to change (e.g., a change in corporate structure, a shift in personnel nationality, or a new foreign law), the annual review is essential to ensure that the "Union assurance" label remains accurate. Without this mechanism, a provider could theoretically meet the criteria on day one and fail them on day 365, leaving public buyers exposed to sovereignty risks.

What this means for you

For public-sector bodies, contracting authorities, and legal teams managing cloud procurement, the annual review mechanism transforms compliance from a one-time event into an ongoing due diligence process.

1. Dynamic Verification in Procurement

Do not treat a cloud provider's Union assurance level as a static credential. Before renewing contracts or onboarding new critical workloads, verify the provider's status in the central repository established under Article 22. Ensure that the repository reflects a confirmed or updated opinion from the most recent annual review. If the repository shows a revocation or an amendment, the provider may no longer be eligible for your specific procurement needs.

2. Contractual Safeguards

While CADA mandates notification to authorities, you should reinforce this in your contracts. Include clauses requiring the provider to:

  • Notify you immediately if their audit opinion is updated or revoked.
  • Provide evidence of the annual review submission and outcome upon request.
  • Cooperate with any ad-hoc audits triggered by material changes under Article 23.

This ensures you are not dependent solely on the public repository for timely information and can activate contingency plans (such as migration) immediately if a provider loses their status.

3. Risk Assessment Integration

When conducting the risk assessments required under Article 29 to determine the appropriate assurance level for your activities, consider the provider's audit history. A provider with a consistent record of confirmed annual reviews demonstrates operational stability. Conversely, a history of updates or revocations may indicate higher risk, potentially influencing your decision to require a higher assurance level or to avoid that provider entirely for public-order-relevant activities.

4. Multi-Cloud Resilience

The annual review process supports the CADA's broader goal of reducing dependency on single providers. By regularly verifying the compliance status of multiple providers, you can maintain a resilient, multi-cloud portfolio. If one provider fails their annual review and is revoked, you can pivot to another verified provider without a systemic disruption to your operations.

Common misconceptions

"The annual review is just a formality." Incorrect. Article 20(8) explicitly grants the auditing organization the power to revoke the audit opinion if the provider fails to meet the criteria. Revocation removes the provider's recognized status, which can legally disqualify them from public procurement contracts that mandate specific assurance levels.

"Once a provider is recognized, they stay recognized." No. Recognition is conditional on continued compliance. The CADA framework is designed to be dynamic. The annual review ensures that changes in infrastructure, personnel, or legal control are captured. A provider recognized today could lose that status tomorrow if they fail the annual reassessment.

"Providers can hide non-compliance until the next annual review." This is prevented by Article 23. Providers are legally obligated to notify authorities of any "material change in circumstances" as soon as they become aware of it. This triggers an immediate assessment by the auditor and the competent authority, ensuring that significant risks are addressed in real time, not just at the annual checkpoint.

"Level 1 providers also need annual audits." No. The mandatory annual third-party audit applies only to Union assurance levels 2, 3, and 4. Level 1 relies on a self-assessment by the provider (Article 19) and does not require the same annual independent review, reflecting the lower risk profile associated with Level 1 services.

This is general information about a draft EU regulation, not legal advice.