Summary
The transparency obligations under the proposed Cloud and AI Development Act (CADA) are fundamentally distinct from those under the General Data Protection Regulation (GDPR). While GDPR transparency focuses on informing data subjects about personal data processing, Article 23 of CADA mandates a continuous, business-to-government (B2G) duty for cloud providers to notify auditing organisations and national competent authorities of any "material change in circumstances" affecting their Union assurance level recognition. CADA transparency is a mechanism to preserve the integrity of the sovereignty framework, ensuring that a provider's status (Levels 1–4) remains accurate in real time, whereas GDPR transparency is a consumer-facing right to know. Confusing these regimes risks non-compliance with both privacy laws and the new sovereignty procurement rules.
Detail
As the EU moves to regulate the cloud infrastructure layer beneath AI systems, the proposed Cloud and AI Development Act (CADA) introduces a novel transparency regime. For legal and compliance teams, it is critical to understand that CADA's transparency is not a subset of GDPR; it is a parallel, structural obligation with different triggers, audiences, and consequences. The core of this regime is Article 23, which operates as a dynamic feedback loop for the Union cloud computing sovereignty framework.
The Core Mechanism: Article 23 of CADA
Article 23 establishes a continuous monitoring and notification duty for cloud computing service providers (CCSPs) that have been recognised under the Union assurance levels. Unlike GDPR, which often triggers on specific processing events (e.g., collection, breach), CADA Article 23 is triggered by the status of the provider's compliance with the sovereignty criteria.
Article 23(1) explicitly states:
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This provision creates a "duty to report" that is immediate ("as soon as possible") and directed at regulatory bodies, not the end-user. The obligation is triggered by the provider's own awareness of a change. The scope of "material change" is defined by the criteria in Annex II (Union assurance levels). If a change occurs that would alter the provider's ability to meet the criteria for their current assurance level (e.g., a change in ownership, infrastructure location, or personnel citizenship), the provider must report it.
The downstream effects are outlined in Article 23(2) and Article 23(3):
- Article 23(2): The auditing organisation must assess whether the audit report or the "positive" opinion needs to be amended or revoked based on the notification.
- Article 23(3): The national competent authority of establishment must assess whether its recognition of the service needs amendment or revocation. If recognition is amended or revoked, the authority must notify other Member States and the Commission.
This creates a chain reaction: a material change reported by the provider can lead to the revocation of the provider's Union assurance level, which in turn affects its eligibility to supply public sector bodies under Article 30.
The Nature of GDPR Transparency
In stark contrast, GDPR transparency (primarily Articles 12, 13, and 14) is a fundamental right of the data subject. Its purpose is to ensure individuals are informed about how their personal data is processed.
- Trigger: The processing of personal data, specifically at the point of collection or when the purpose of processing changes.
- Audience: The natural person (data subject) whose data is being processed.
- Content: Information on the identity of the controller, purposes of processing, legal basis, retention periods, and data subject rights.
- Goal: To enable individuals to exercise control over their personal data (e.g., right to access, rectification, erasure).
While GDPR requires transparency about data, CADA requires transparency about the provider's structural integrity. A cloud provider can be fully compliant with GDPR transparency (informing users about data processing) while simultaneously violating CADA Article 23 by failing to report a change in corporate control that compromises its Union assurance level.
Comparative Analysis: Triggers, Audiences, and Content
The following table highlights the structural differences between the two regimes as proposed in CADA and established in GDPR.
| Feature | CADA Transparency (Article 23) | GDPR Transparency (Articles 12–14) |
|---|---|---|
| Primary Trigger | Material change in circumstances affecting the audit report, positive opinion, or recognition status (e.g., change in control, infrastructure location). | Processing of personal data (collection, change of purpose, data breach). |
| Audience | Regulatory bodies: Auditing organisations and National Competent Authorities of establishment. | Data subjects: Natural persons whose data is processed. |
| Content Focus | Operational autonomy, third-country control, infrastructure location, personnel citizenship, cybersecurity certification status, and software supply chain integrity. | Lawful basis, data retention, rights of access/rectification/erasure, data sharing with third parties, and identity of the controller. |
| Legal Goal | Preserve public order, ensure operational autonomy, and prevent extraterritorial data access or service disruption. | Protect fundamental rights and freedoms of natural persons (privacy and data protection). |
| Timing | "As soon as possible" upon becoming aware of the material change. | Before or at the time of collection; or within one month of a change in processing. |
| Nature of Duty | Continuous monitoring of structural and operational compliance. | Event-based disclosure regarding data processing activities. |
Defining "Material Change" under CADA
The term "material change in circumstances" in Article 23 is the linchpin of the obligation. While the article itself does not list every scenario, the criteria in Annex II for Union assurance levels (Levels 1–4) provide the definitive scope. A "material change" includes, but is not limited to:
- Change in Control: A third-country entity acquiring a controlling stake or voting rights that could influence the provider's ability to refuse data access requests (Annex II, Level 2/3/4 criteria).
- Infrastructure Relocation: Moving data storage or processing assets outside the Union (Annex II, Level 1/2/3/4 criteria).
- Personnel Changes: Loss of Union citizenship status for key personnel or security clearances required for Levels 3 and 4 (Annex II, Level 3/4 criteria).
- Certification Status: Revocation or lapse of a European cybersecurity certificate (Annex II, Level 2/3/4 criteria).
- Supply Chain Disruption: Changes in the software bill of materials (SBOM) or the introduction of third-country components that cannot be audited (Annex II, Level 2/3/4 criteria).
These are structural and operational changes. A GDPR transparency update might be triggered by adding a new marketing analytics tool; a CADA Article 23 notification might be triggered by a parent company in a third country gaining voting rights that could legally compel the provider to share data.
Penalties and Enforcement Risks
Non-compliance with CADA Article 23 carries significant legal and commercial risks, distinct from GDPR fines.
- Regulatory Penalties: Article 24 mandates that Member States lay down rules on penalties for infringements of Chapter IV (which includes Article 23). These penalties must be "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing penalties, including the nature, gravity, and duration of the infringement, and the financial benefits gained.
- Civil Liability: Crucially, Article 24(3) grants recipients of cloud services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under Chapter IV.
- Contractual Breach: Under Article 30, public sector bodies must procure services at specific Union assurance levels. If a provider fails to notify a material change under Article 23, leading to the revocation of its recognition, it may be in breach of contract with public sector clients, triggering the compensation rights in Article 24(3).
This creates a dual risk: regulatory fines from national competent authorities and civil liability from clients who relied on the provider's assurance level.
What this means for you
For in-house counsel, compliance officers, and cloud providers, the introduction of CADA Article 23 requires a new layer of governance that sits alongside existing GDPR compliance programs. You cannot rely on your privacy officer's transparency logs to satisfy CADA obligations.
- Establish a Material Change Monitoring Framework: You must implement processes to detect "material changes in circumstances" that affect your Union assurance level. This goes beyond privacy impact assessments. It requires monitoring corporate governance changes, infrastructure migrations, subcontractor changes, and cybersecurity certification statuses.
- Define "As Soon As Possible": Article 23 requires notification "as soon as possible." Given the high stakes of recognition revocation, your internal SLAs for reporting these changes to your auditing organisation and competent authority should be tighter than GDPR's one-month window for privacy notices.
- Integrate Audit and Legal Teams: Unlike GDPR, which is often siloed in legal/privacy, CADA transparency requires close collaboration between technical audit teams, legal counsel, and executive management. Changes in ownership or control are often strategic decisions made by the board, not privacy teams.
- Contractual Implications: Review contracts with public sector clients. Article 30 requires contracting authorities to procure services at specific Union assurance levels. If your transparency failure under Article 23 leads to a loss of recognition, you may be in breach of contract with public sector clients, triggering the compensation rights in Article 24(3).
- Documentation for Auditors: Maintain a clear audit trail of notifications sent under Article 23. Auditing organisations will assess whether you have fulfilled this obligation as part of their annual reviews (Article 20(8)).
Common misconceptions
- Misconception 1: "GDPR transparency covers all transparency needs."
- Reality: GDPR transparency is about data processing. CADA transparency is about service integrity and sovereignty. A provider can be fully GDPR-transparent while failing to notify a material change in ownership that violates Union assurance level criteria.
- Misconception 2: "Only public sector clients are affected."
- Reality: While CADA's procurement rules (Article 30) target the public sector, the transparency obligation in Article 23 applies to any cloud computing service provider seeking recognition under the Union assurance framework. Private sector entities in critical sectors (NIS2 entities) may also conduct similar impact assessments (Article 31) and rely on this transparency.
- Misconception 3: "A material change is only a data breach."
- Reality: A data breach is a GDPR trigger. Under CADA Article 23, a material change is any event affecting the audit criteria (Annex II). This includes changes in legal control, infrastructure location, or personnel citizenship. A data breach might be a material change if it reveals a failure in cybersecurity certification, but the triggers are much broader.
- Misconception 4: "Transparency is a one-time event at recognition."
- Reality: Article 23 creates a continuous obligation. Recognition is not static; it is contingent on ongoing compliance. Providers must proactively monitor and report changes throughout the service lifecycle.
This is general information about a draft EU regulation, not legal advice.