Summary

Under the proposed Cloud and AI Development Act (CADA), the rigour of compliance verification is strictly tiered by Union assurance level. Article 19 mandates a provider-led conformity self-assessment and an "EU statement of conformity" for Union assurance level 1, relying on internal controls and ex-post enforcement. In contrast, Article 20 requires independent third-party audits for levels 2, 3, and 4, introducing strict auditor independence, detailed evidence collection per Annex III, and a mandatory annual review mechanism. Crucially, under Article 20, the auditing organisation itself holds the power to revoke the audit opinion if evidence is found to be incorrect or misleading, creating a continuous compliance risk absent in the Level 1 self-declaration model.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. The verification mechanisms for these levels are fundamentally distinct, creating a bifurcated compliance landscape: a lighter-touch self-declaration route for the baseline level, and a rigorous, externally verified route for higher sovereignty tiers.

Article 19: The Self-Assessment Route (Level 1)

Article 19 of the proposal defines the procedure for cloud computing service providers seeking recognition at Union assurance level 1. This pathway is designed for services where the public sector body has not identified a specific public order risk requiring higher assurance.

The Mechanism: Under Article 19(1), the provider must carry out a "conformity self-assessment" of its compliance with the criteria for Union assurance level 1 set out in Annex II. These criteria generally cover establishment in the Union, location of infrastructure, and data residency, but do not yet mandate the strict personnel citizenship or "high" cybersecurity certification required for higher levels.

The Output and Responsibility: Following the assessment, the provider must issue an "EU statement of conformity" pursuant to Article 19(2). By issuing this statement, the provider explicitly "assumes responsibility for the compliance of the cloud computing service with the criteria." This is a unilateral declaration. Article 19(3) further mandates that this statement be made "publicly available."

Rigour and Oversight: The rigour of Article 19 relies on the provider's internal governance and the threat of ex-post enforcement by national competent authorities. There is no mandatory pre-market third-party verification. While Article 17(3) provides a derogation for SMEs (whose statements are automatically recognised), the general rule is that the burden of proof lies entirely with the provider to maintain "documented evidence, internal control procedures and continuous monitoring." If a competent authority later finds the statement false, the provider faces enforcement, but the initial gatekeeping is internal.

Article 20: The Independent Audit Route (Levels 2, 3, and 4)

For providers seeking Union assurance levels 2, 3, or 4, the proposal imposes a significantly more rigorous regime under Article 20. These levels are required for public sector activities contributing to the preservation of public order (e.g., defence, law enforcement, critical infrastructure).

Mandatory Third-Party Verification: Article 20(1) states that providers "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation." The audit must verify compliance with the cumulative criteria for the specific level, which include stricter requirements on personnel, cybersecurity certification (e.g., "substantial" for L2/L3, "high" for L4), and software supply chain transparency.

Strict Auditor Independence: To ensure the integrity of the verification, Article 20(4) sets rigorous conditions for auditing organisations:

  • Independence: Auditors must be independent from the provider and free from conflicts of interest. They must not have provided non-audit services related to the audited matters in the 12-month period before or after the audit.
  • Rotation: Auditors cannot have provided auditing services to the same provider in the 10-year period before the audit.
  • Competence: They must demonstrate "proven expertise, technical competence and capabilities" and adhere to codes of practice.

The Audit Report and Opinion: The auditing organisation must prepare a substantiated audit report (Article 20(5)). This report must include a description of the methodology, main findings, and a definitive "positive" or "negative" audit opinion. A "positive" opinion is issued only if "all evidence shows that the provider complies." A "negative" opinion triggers operational recommendations for remediation.

Annual Review and Revocation Risk: The most significant differentiator in rigour is the ongoing nature of the audit obligation. Article 20(8) mandates that the audited provider "annually submit for review the audit report and the associated 'positive' audit opinion" to an auditing organisation. This is not a one-time event. Based on this annual review, the auditor may "confirm, update, or revoke the initial audit report and audit opinion."

Furthermore, Article 20(7) grants the auditing organisation the power to revoke its report and opinion if the provider "intentionally or negligently, supplied incorrect or misleading audit evidence." This creates a continuous, active risk of decertification that does not exist under the static self-declaration of Article 19.

Evidence Standards: Article 21 complements Article 20 by requiring that audits be based on "relevant and sufficient" and "reliable" evidence listed in Annex III. This includes detailed proof of infrastructure location, data flow diagrams, personnel citizenship documents, and software bills of materials (SBOMs). The evidence standard is objective and externally verifiable, unlike the internal documentation of Level 1.

Comparative Summary of Rigour

| Feature | Article 19 (Level 1) | Article 20 (Levels 2-4) |
|---|---|---|
| Verification Method | Provider self-assessment | Independent third-party audit |
| Output | EU Statement of Conformity | Audit Report & Opinion (Positive/Negative) |
| Frequency | Ongoing self-monitoring | Annual review mandatory |
| Independence | Internal controls only | Strict auditor independence & 10-year rotation |
| Revocation Risk | Enforcement by competent authority | Direct revocation by auditing organisation |
| Evidence Standard | Internal documentation | Verified evidence per Annex III |

What this means for you

For legal counsel and compliance officers, the choice between the Article 19 and Article 20 pathways is dictated by the intended customer base and the risk assessment under Article 29. If your service targets public sector bodies with public order relevance, you must pursue the Article 20 audit route.

Strategic Implications:

  • Budgeting for Recurring Costs: Under Article 20(1), audits are at the provider's expense. You must budget not only for the initial audit but for the mandatory annual review required by Article 20(8). This is a recurring operational cost, not a one-off compliance fee.
  • Auditor Selection: You cannot hire just any consultant. Under Article 20(4), you must engage an organisation that meets strict independence criteria, including the 10-year rotation rule and conflict-of-interest checks. Failure to select a qualified auditor invalidates the recognition process.
  • Evidence Readiness: Prepare for the granular evidence requirements of Annex III. This includes maintaining up-to-date software bills of materials, data flow diagrams, and personnel records proving Union citizenship. The audit will not accept general assertions; it requires specific, verifiable proof.
  • Continuous Compliance: The annual review under Article 20(8) means compliance is dynamic. You must implement systems for real-time monitoring. If your status changes (e.g., a third-country subsidiary acquires control), you must notify the auditor immediately under Article 23. Failure to do so risks the auditor revoking the opinion under Article 20(7), which would immediately disqualify you from public procurement under Article 30.

Enforcement Context: While the audit opinion is issued by a private auditor, the ultimate enforcement power lies with national competent authorities designated under Article 25. These authorities have powers to impose fines and order cessation of infringements under Article 26. However, the loss of the audit opinion itself is an immediate commercial disqualification, as public bodies cannot procure services without a valid recognition under Article 17.

Common misconceptions

"Self-assessment is 'easier' and therefore less risky." While Article 19 avoids the cost of third-party audits, it does not reduce liability. Under Article 19(2), the provider assumes sole responsibility for the statement. If the statement is false, the provider faces direct enforcement actions, including fines under Article 24. The risk is simply shifted from a pre-market audit failure to a post-market enforcement penalty, which can be equally severe.

"Audit is a one-time certification." This is incorrect. Article 20(8) explicitly requires an annual review. Providers must submit their audit report and opinion every year. The auditing organisation has the power to revoke the opinion if compliance lapses. This transforms compliance from a "check-the-box" exercise into a continuous operational requirement.

"Any qualified auditor can perform the audit." Not true. Article 20(4) imposes strict barriers to entry. Auditors must be independent, have no non-audit service relationship in the preceding 12 months, and have no prior audit relationship in the preceding 10 years. Providers must vet their auditors rigorously to ensure they meet these statutory independence criteria.

This is general information about a draft EU regulation, not legal advice.