Summary
Under the proposed Cloud and AI Development Act (CADA), the "audited service" is not merely a software interface but a comprehensive ecosystem defined by strict territorial and control boundaries. As proposed in Article 16 and detailed in Annex II, the boundary of an audited service encompasses the specific cloud computing service, the infrastructure and assets used to deliver it, the personnel involved in its operation, and all relevant subcontractors. For Union Assurance Levels 2, 3, and 4, these elements must be located exclusively within the Union and free from third-country control. The resulting audit report, mandated by Article 20(5)(a), must explicitly name the provider and the period covered, serving as the formal validation that the service operates within these defined sovereign boundaries.
Detail
The proposed CADA establishes a rigorous framework for assessing cloud sovereignty, where the definition of the "audited service" is critical to determining compliance. Unlike traditional cybersecurity audits that may focus primarily on software configurations or network perimeters, the CADA framework defines the boundary of an audited service through a holistic set of technical, operational, and organizational controls. This scope is anchored in Article 16, which establishes the Union cloud computing sovereignty framework, and the specific cumulative criteria set out in Annex II.
The Legal Definition of the Audited Service
The term "audited service" is defined in Article 2 as "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion." However, the practical boundary of this service is far broader than the definition suggests. When a provider seeks recognition for Union Assurance Levels 2, 3, or 4, the audit scope expands to include every element that contributes to the provision and delivery of that service.
Article 20 mandates that cloud computing service providers seeking recognition for these higher levels must undergo independent third-party audits. The scope of these audits is not arbitrary; it is strictly dictated by the criteria in Annex II. The framework requires that the audit assesses the compliance of the specific service against the cumulative criteria, ensuring that the entire value chain, from the physical data centre to the individual engineer managing the systems, remains within the Union's sovereign control.
1. Infrastructure, Assets, and Personnel Localization
The primary boundary of the audited service is defined by the physical and logical location of its components. For Union Assurance Levels 2, 3, and 4, Annex II establishes a cumulative requirement that "the infrastructure, assets, and personnel of the audited provider, including those of its subcontractors which are involved in the provision of the service, are located in the Union."
This definition is granular. Annex III explicitly clarifies the scope of these terms:
- Infrastructure: This includes physical data centre infrastructure, network, cooling, and IT systems that allow for the management of the data centre. It is not limited to the servers running the application but extends to the entire facility and its supporting systems.
- Assets: This encompasses hardware and software, including libraries, the internal network needed for software components to communicate, and cryptographic materials that enable the provision of the cloud computing service.
- Personnel: This includes individuals who support the delivery, administration, security, availability, or operation of the audited service. Crucially, this definition extends to personnel managed by subcontractors.
The audit must verify that no elements within these categories that store, transmit, access, process, or otherwise handle customer data are located outside the Union. Furthermore, the audit must assess whether any compromised or misconfigured element outside the Union could reasonably result in the disruption or unavailability of the audited service. This ensures that the "boundary" is not just a line on a map but a functional perimeter of control.
2. Data Localization and Flow
The boundary of the audited service also strictly confines data. Annex II requires that "the customer data, including metadata and telemetry data, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union."
This requirement applies at all times, including before, during, or after the configuration or use of the service, unless the public sector body explicitly requires otherwise. The audit evidence required to prove this boundary is detailed in Annex III, which mandates data flow diagrams, access logs, and monitoring records. These documents must demonstrate that third parties or subcontractors not meeting the Union establishment criteria are technically and operationally unable to access, obtain, or process customer data without prior authorization. The boundary is thus defined by the inability of non-compliant entities to touch the data.
3. The Subcontractor Boundary
A critical aspect of the CADA framework is that the boundary of the audited service extends to the entire supply chain. Annex II clarifies that for Union Assurance Levels 2, 3, and 4, the subcontractors referred to must be "third parties that have a direct contractual relationship with the cloud computing service provider and that contribute to the provision and delivery of the cloud computing service."
This means that if a provider outsources technical support, maintenance, or any operational assistance to a third party, that third party becomes part of the audited service boundary. For higher assurance levels, these subcontractors must also meet the localization and control criteria. The audit must verify that the provider has implemented necessary legal, technical, and organisational measures to ensure traceability and governance of these operations, ensuring they do not compromise the operational autonomy of the service.
4. The Audit Report as the Boundary Validator
The formal document that validates this boundary is the audit report. Article 20(5) outlines the mandatory content of this report, ensuring it is specific to the service and the period audited. Specifically, Article 20(5) requires the auditing organisation to include:
- "The name, address and point of contact of the provider subject to the audit, and the period covered;"
- "The name and address of the auditing organisation or organisations performing the audit;"
- "A description of the specific aspects audited, and the methodology applied;"
- "A description and a summary of the main findings drawn from the audit."
This report is not a generic certificate. It is a substantiated, written account that confirms the specific service, within the defined boundary of infrastructure, data, personnel, and subcontractors, complies with the applicable Union Assurance Level criteria. The "period covered" is essential, as the boundary is dynamic: the report attests only that the service remained within the sovereign boundary for the period it states, not indefinitely.
What this means for you
For technical leaders, architects, and compliance officers, understanding the boundary of the audited service is the first step in achieving CADA recognition. You cannot simply certify a software application; you must certify the entire ecosystem that delivers it.
- Map the Full Stack: You must identify every physical and logical component involved in your service. This includes not just your application code, but the data centre facilities, the cooling systems, the network paths, the internal libraries, and the cryptographic keys. If any of these elements are located outside the Union, the service cannot meet the criteria for Levels 2, 3, or 4.
- Audit Your Supply Chain: Your subcontractors are part of your boundary. You must ensure that any third party involved in the provision of your service is established in the Union and that their personnel and infrastructure are also located within the Union. You must have contractual and technical controls in place to enforce this.
- Prepare for Specific Reporting: When you undergo an audit, expect a report that is highly specific. Under Article 20(5), the report will name your organisation as the audited provider, define the exact period covered, and describe the specific aspects audited and the methodology applied. Ensure your internal controls are consistent and documented throughout this entire period.
- Data Flow Transparency: You must be able to demonstrate, through data flow diagrams and logs, that customer data never leaves the Union. This includes metadata and telemetry, which are often overlooked but are explicitly included in the definition of customer data in Annex II.
Common misconceptions
"The audit is only about software security." Incorrect. The boundary of the audited service under CADA is defined by Annex II to include physical infrastructure, assets, personnel location, subcontractors, and data flows. A service with secure software but non-Union data centres or personnel would not meet the cumulative criteria for Union Assurance Levels 2, 3, or 4.
"Subcontractors are out of scope." Incorrect. The framework explicitly includes subcontractors in the boundary of the audited service. If a subcontractor contributes to the provision or delivery of the service, they must meet the same localization and control criteria as the primary provider.
"The audit report is a generic certificate of compliance." Incorrect. Article 20(5) requires a substantiated report that names the provider and the period covered, identifies the auditing organisation, and describes the specific aspects audited, the methodology applied, and the main findings. It is a service-specific validation, not a blanket certification.
"Data localization is the only requirement." Incorrect. While data localization is critical, the boundary also includes the location of infrastructure, assets, and personnel, as well as the absence of third-country control. All these elements must be satisfied cumulatively.
Related
- How does CADA define the boundary between levels 2 and 3 on foreign control?
- Why does CADA create a four-tier cloud sovereignty framework?
- CADA Recognition: When is a cloud service deemed accepted across the EU?
- What is the Union cloud computing sovereignty framework under CADA?
- What is the four-tier sovereignty framework in CADA in plain English?
This is general information about a draft EU regulation, not legal advice.