Summary

As proposed, an "auditing organisation" under CADA is not limited to a single legal entity. Article 2(17) defines it as an individual organisation, a consortium, or other combination of organisations, including any subcontractors, that the audited provider has contracted to perform an independent audit. This gives providers flexibility to assemble multi-disciplinary teams for the higher Union assurance levels (2, 3, 4). But the independence, competence, and confidentiality conditions in Article 20 would apply across the whole arrangement — the contracted organisation remains accountable for every member and subcontractor.

Detail

CADA, as proposed, would require cloud computing service providers to undergo independent third-party audits to be recognised at Union assurance levels 2, 3, and 4. Who may perform those audits is therefore central.

The definition of auditing organisation

Article 2(17) defines an "auditing organisation" as:

"an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit"

The definition moves beyond the single-firm model. By naming consortia, other combinations of organisations, and subcontractors, the proposal accommodates the breadth of expertise needed to audit complex cloud infrastructure.

Flexibility for complex audits

Services aiming at the higher assurance levels involve intertwined technical, legal, and operational criteria in Annex II. A single firm may not hold every relevant competence in-house. The consortium model lets a lead auditor combine specialists, enabling:

  1. Multi-disciplinary expertise: cybersecurity, third-country-control legal analysis, and technical architecture under one engagement.
  2. Scale: absorbing the volume of large or hyperscaler audits.
  3. Specialisation: niche competence for specific criteria, such as software-supply-chain transparency.

Continuing independence and accountability

Flexibility does not dilute the conditions in Article 20(4), which apply to the auditing organisation as engaged — consortium and subcontractors included.

  • Independence (Article 20(4)(a)): the auditing organisation must be independent of, and free of conflicts with, the provider and any connected legal person. In particular, under point (i) it must not have provided non-audit services related to the matters audited in the 12-month period before the audit begins (and must commit not to for the 12 months after completion); under point (ii) it must not have provided auditing services under this Article to that provider (or any connected legal person) in the 10-year period before the audit begins; and under point (iii) it must not be paid fees contingent on the audit result. Where a member of a consortium triggers any of these, the engagement can be compromised.
  • Technical competence (Article 20(4)(b)): proven expertise, technical competence, and capability in auditing cloud computing services — which each participating member, including subcontractors, must support.
  • Objectivity and ethics (Article 20(4)(c)): proven objectivity and professional ethics, based on codes of practice or appropriate standards.
  • Cooperation and confidentiality: under Article 20(2) the audited provider must cooperate and not hamper the audit; under Article 20(3) the auditing organisation must ensure adequate confidentiality and professional secrecy, including after the audit ends. The lead organisation must manage subcontractors so these obligations hold across the chain.

Subcontractor management

Including subcontractors in the definition implies a chain of responsibility: the contracted organisation must vet them against the same independence and competence standards. Under Article 21, audit evidence must be relevant, sufficient, and reliable, so the contracted organisation answers for the quality of evidence any subcontractor gathers.

Implications for audit reports

The audit report required under Article 20(5) must include, among other things, the name and address of the auditing organisation or organisations performing the audit, and a declaration of interests. In a consortium this means identifying the participating organisations, supporting transparency for the national competent authority of establishment that handles the recognition application under Article 17.

What this means for you

For providers and data centre operators, the consortium route offers strategic upside, at the cost of added management overhead.

  1. Assemble a tailored team. You can contract a consortium that brings together complementary specialists rather than relying on one firm holding every competence — useful for multi-jurisdictional or cutting-edge operations.
  2. Do diligence on subcontractors. Confirm your contracted organisation has robust vetting for its subcontractors' independence and competence; you must provide access and cooperation under Article 20(2), so you need confidence across the chain.
  3. Get the contract right. Define the roles of the lead organisation and each member or subcontractor, who owns the final audit opinion, and how confidentiality is maintained across the group.
  4. Watch the 10-year bar. Under Article 20(4)(a)(ii), an organisation that audited you under this Article within the past decade is ineligible. If you use a consortium, verify none of its members are caught by that history.

Common misconceptions

  • Misconception: "Any group of firms can form an auditing consortium." Reality: Every member must satisfy the independence, competence, and ethics conditions of Article 20(4). A member with a conflict or without the required competence undermines the engagement.
  • Misconception: "Subcontractors are held to a lower standard." Reality: The definition expressly folds subcontractors into the "auditing organisation." The contracted organisation is accountable for their compliance, including confidentiality and independence.
  • Misconception: "A consortium sidesteps the independence bars." Reality: The Article 20(4) conditions, including the 10-year prior-audit bar and the 12-month non-audit-services bar, apply to the auditing organisation as engaged. The history of any member can disqualify the group.

This is general information about a draft EU regulation, not legal advice.