Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo an independent third-party audit conducted at the provider's own expense. This audit, governed by Article 20, evaluates compliance with strict sovereignty criteria and results in a formal, substantiated audit report containing either a "positive" or "negative" opinion. A "positive" audit opinion is a mandatory prerequisite for national competent authorities to recognise the service at the requested assurance level. Unlike Level 1, which relies on self-assessment, higher tiers require external verification to ensure trustworthiness for public-order-relevant activities.
Detail
The CADA proposal establishes a tiered sovereignty framework designed to mitigate risks associated with third-country control and ensure the operational autonomy of the EU's digital infrastructure. While the baseline tier (Union assurance level 1) relies on a conformity self-assessment mechanism, the higher tiers (levels 2, 3, and 4) mandate external verification. This verification process is the core of the sovereignty framework for critical services and is explicitly detailed in Article 20 of the CADA proposal, titled "Independent audit."
Who is required to undergo an independent audit?
The obligation to undergo an independent audit is not universal for all cloud providers; it is triggered by the specific assurance level sought.
- Union Assurance Level 1: Providers seeking only Level 1 recognition are not subject to independent audit. Instead, they must carry out a conformity self-assessment under Article 19 and issue an EU statement of conformity.
- Union Assurance Levels 2, 3, and 4: Providers seeking recognition at these higher levels must undergo an independent third-party audit. This distinction reflects the increased sensitivity of the data processed, the criticality of the public sector functions supported, and the heightened risk to public order associated with these services. As stated in Article 20(1), providers seeking recognition for these levels "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
The audit process and financial responsibility
A critical aspect of Article 20(1) is the allocation of financial responsibility. The audit must be conducted "at their own expense," meaning the cloud computing service provider bears the full cost of the audit. This ensures that the provider has a direct financial incentive to maintain compliance and that the audit is not subsidised by public funds, preserving the market-based nature of the recognition process.
The audit is performed by an "auditing organisation," defined in Article 2(17) as an individual organisation, a consortium, or a combination of organisations (including any subcontractors) that the audited provider has contracted to perform the independent audit. While the provider selects the auditor, the selection is constrained by strict independence and competence requirements to prevent conflicts of interest.
Provider cooperation obligations
The efficacy of the audit relies entirely on the transparency and cooperation of the provider. Article 20(2) imposes a robust set of obligations on the audited provider:
- Cooperation: The provider must cooperate with the auditing organisation.
- Assistance: The provider must provide all necessary assistance to enable the audit to be conducted "in an effective, efficient and timely manner."
- Access: The provider must grant the auditor access to "all relevant data and premises."
- Responsiveness: The provider must answer "oral or written questions" posed by the auditors.
- Non-Interference: The provider must "refrain from hampering, unduly influencing or undermining the performance of the audit."
Failure to comply with these obligations can prevent the auditor from forming a conclusion. If the auditor is unable to audit certain aspects due to a lack of access or cooperation, Article 20(6) requires the audit report to include an explanation of the circumstances and reasons why those aspects could not be audited. This limitation can directly impact the issuance of a "positive" opinion.
Confidentiality and professional secrecy
Given the sensitive nature of cloud infrastructure, customer data, and trade secrets, Article 20(3) mandates that auditing organisations ensure an "adequate level of confidentiality and professional secrecy" regarding information obtained from audited providers and third parties. This obligation persists even after the audit has concluded. However, this duty of confidentiality is not absolute; it does not prevent the auditor from sharing information necessary for reporting purposes under Article 23 (transparency obligations), provided such sharing does not reveal confidential business information unnecessarily.
Auditor independence and competence
To guarantee the integrity and objectivity of the audit, Article 20(4) sets out rigorous conditions that auditing organisations must meet. These conditions are designed to eliminate conflicts of interest and ensure technical capability:
- Independence: The auditor must be independent from the cloud provider and have no conflicts of interest with the provider or any connected legal person.
- Non-Audit Services Restriction: The auditor must not have provided non-audit services related to the matters audited to the provider in the 12-month period before the audit begins, and must commit to not providing such services in the 12-month period after the audit is completed.
- Firm Rotation: The auditor must not have provided auditing services under Article 20 to the same provider in the 10-year period before the audit begins.
- Fee Structure: The auditor must not perform the audit in return for fees that are "contingent on the result of the audit."
- Expertise: The auditor must have "proven expertise, technical competence and capabilities in auditing cloud computing services."
- Ethics: The auditor must have "proven objectivity and professional ethics," based on adherence to codes of practice or appropriate standards.
The audit report and the "Positive" or "Negative" opinion
The primary output of the process is the audit report and the accompanying audit opinion. Article 20(5) requires the auditing organisation to prepare a substantiated, written report for each audit. This report must include specific elements to ensure transparency and traceability:
- The name, address, and point of contact of the provider and the period covered.
- The name and address of the auditing organisation.
- A declaration of interests.
- A description of the specific aspects audited and the methodology applied.
- A description and summary of the main findings.
- A list of third parties consulted.
- The Audit Opinion: A clear statement of whether the audited service complies with the applicable audit criteria for Union assurance level 2, 3, or 4.
The opinion must be either "positive" or "negative":
- A "positive" opinion is issued where "all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation." This is the critical outcome required for recognition.
- A "negative" opinion is issued where the auditing organisation considers that the provider "does not comply with the criteria set out in this Regulation." In such cases, the report must include operational recommendations on specific measures to achieve compliance and a recommended timeframe.
If the auditor cannot reach a conclusion on specific aspects, the report must explain why, as noted in Article 20(6).
Annual reviews and revocation mechanisms
The audit is not a one-time event but part of a continuous compliance cycle. Article 20(8) requires the audited provider to annually submit the audit report and the associated "positive" audit opinion for review. This review can be conducted by the same or a different auditing organisation. Based on this annual review, the auditing organisation may confirm, update, or revoke the initial audit report and opinion.
Furthermore, Article 20(7) provides a mechanism for revocation if the integrity of the audit is compromised. The auditing organisation may revoke its audit report and opinion if the audited provider "intentionally or negligently, supplied incorrect or misleading audit evidence."
From audit to recognition
The audit opinion is a necessary but not sufficient condition for market access. Under Article 17(4), providers seeking recognition for levels 2, 3, or 4 must submit the audit report and the "positive" audit opinion to the national competent authority of establishment. The authority then assesses the evidence. If satisfied, it issues a recognition decision, allowing the cloud service to be recognised across the Union. Without a positive audit opinion, this recognition cannot be granted for levels 2–4.
What this means for you
For cloud service providers targeting the EU public sector or Union entities, the independent audit is a significant operational and financial milestone.
- Budget for External Costs: Unlike Level 1, where costs are internal, Levels 2–4 require you to pay for an external audit. These costs can be substantial, covering auditor fees, preparation time, and potential remediation. Factor these into your pricing models and compliance budgets.
- Prepare for Deep Scrutiny: You must maintain meticulous records and be ready to grant auditors access to your premises, data, and personnel. Ensure your internal processes are documented, and your staff is trained to answer auditor questions accurately and promptly.
- Select Auditors with Care: You have the freedom to choose your auditing organisation, but they must meet strict independence criteria. Do not select an auditor who has recently provided non-audit services to you, as this will disqualify them under the 12-month rule. Verify their technical competence in cloud auditing and their adherence to the 10-year rotation rule.
- Maintain Annual Compliance: The audit is an ongoing obligation. You must submit your audit report for annual review. Failure to do so, or receiving a negative opinion during a review, can jeopardise your recognised status and your ability to serve public sector clients.
- Ensure Full Transparency: If an auditor cannot access certain information, they must explain why in the report. While this doesn't automatically mean a negative opinion, it may delay or complicate the recognition process by the competent authority. Proactively removing barriers to audit access is essential.
- Guard Against Misconduct: Be aware that intentionally or negligently supplying incorrect evidence can lead to the revocation of your audit report under Article 20(7), with severe reputational and commercial consequences.
Common misconceptions
Misconception 1: All cloud providers in the EU need an independent audit. Correction: No. Only providers seeking recognition for Union assurance levels 2, 3, or 4 are required to undergo an independent audit under Article 20. Providers seeking only Level 1 recognition perform a self-assessment under Article 19.
Misconception 2: A positive audit opinion guarantees market access. Correction: A positive audit opinion is a necessary condition, but not sufficient on its own. The national competent authority must still review the evidence and issue a formal recognition decision under Article 17. Furthermore, the service must be listed in the central repository under Article 22.
Misconception 3: The auditor can be any consulting firm. Correction: The auditing organisation must meet strict independence and competence requirements outlined in Article 20(4). They cannot have recent non-audit relationships with the provider (12-month rule), must not have audited the same provider in the last 10 years (firm rotation), and must demonstrate specific expertise in cloud computing audits.
Misconception 4: The audit is a one-time check. Correction: The audit process includes an annual review requirement under Article 20(8). Providers must submit their audit report and opinion for review every year to maintain their recognised status.
Misconception 5: Confidentiality prevents the audit report from being used. Correction: While auditors must maintain confidentiality, they are required to share necessary information for reporting purposes. The audit report and opinion are submitted to the competent authority and, upon recognition, the service is added to a public central repository. The confidentiality rules protect trade secrets but do not prevent the regulatory process from functioning.
This is general information about a draft EU regulation, not legal advice.