Summary

Under the proposed Cloud and AI Development Act (CADA), the transparency notification chain is a mandatory, sequential mechanism designed to preserve the integrity of the Union assurance levels. As outlined in Article 23, when a cloud computing service provider becomes aware of any "material change in circumstances" that could affect its compliance status, it must immediately notify both its auditing organization and the national competent authority (NCA) of establishment. The auditor must then reassess the audit report and opinion, notifying the NCA of any amendments or revocations. Finally, the NCA must reassess the official recognition; if the status changes, the NCA is required to notify all other Member States and the European Commission to ensure the central repository is updated and cross-border recognition is adjusted. This process ensures that public sector bodies across the EU are not relying on outdated or invalid assurance levels.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud sovereignty based on four Union assurance levels. While the initial recognition of these levels is critical, the dynamic nature of cloud infrastructure means that compliance is not a one-time event. Providers may change subcontractors, shift data locations, or alter ownership structures. To prevent the erosion of trust in the sovereignty framework, Article 23 establishes a rigorous "transparency notification chain." This chain ensures that any material change triggering a potential loss of assurance status is detected, assessed, and communicated across the Union in real time.

The mechanism is strictly sequential and involves three distinct actors: the cloud computing service provider, the auditing organization, and the national competent authority (NCA) of establishment.

The Trigger: Material Change in Circumstances

The process is initiated by the cloud computing service provider. Article 23(1) imposes a continuous, proactive duty on providers to monitor their own operations. The text mandates that a provider shall, "as soon as possible," notify the auditing organization and the national competent authority of establishment upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."

This obligation is broad and applies regardless of the assurance level. While Article 20 (independent audits) specifically governs levels 2, 3, and 4, Article 17 covers the recognition process for all levels, including level 1 (which relies on conformity self-assessment). Therefore, a material change affecting a level 1 provider's self-declared compliance also triggers this chain.

Examples of "material changes" that would activate this obligation include:

  • Infrastructure Shifts: A change in the location of data storage or processing that moves data outside the Union without the explicit requirement or approval of the public sector body.
  • Subcontractor Changes: The introduction of a new subcontractor that fails to meet the strict sovereignty criteria (e.g., lack of Union establishment or control by a third country).
  • Ownership Alterations: A change in the corporate structure that introduces third-country control, potentially violating the criteria for levels 3 or 4.
  • Certification Lapses: The expiration or revocation of the required European cybersecurity certificate (e.g., moving from "substantial" to "basic" or losing certification entirely).

The phrase "as soon as possible" in Article 23(1) implies a duty of urgency. While the proposal does not define a specific number of hours or days, the context of safeguarding public order and operational autonomy suggests that delays are not permissible. The provider bears the primary responsibility for identifying these changes and initiating the chain.

Step 1: The Auditor's Reassessment

Once the auditing organization receives the notification from the provider, the second leg of the chain activates. Under Article 23(2), the auditing organization is obligated to assess whether the audit report or the audit opinion needs to be amended or revoked.

This is a critical technical and legal checkpoint. The auditor does not merely act as a conduit for information; they must perform a reassessment based on the new circumstances provided by the provider. This ensures that the "positive" audit opinion, which is the cornerstone of recognition for levels 2, 3, and 4, remains valid and accurate.

If the auditor determines that the material change invalidates the previous findings or renders the service non-compliant with the criteria in Annex II, they must amend or revoke the audit report and opinion. Crucially, Article 23(2) mandates that the auditing organization must, "as soon as possible, notify the national competent authority of establishment" of this decision. The auditor cannot keep a revoked opinion secret; the NCA must be informed immediately so that the regulatory status of the service can be updated.

Step 2: The National Competent Authority's (NCA) Action

The third and final step in the notification chain involves the national competent authority of establishment. Under Article 23(3), the NCA acts on the notifications received from either the provider (under paragraph 1) or the auditing organization (under paragraph 2).

The NCA must assess whether its official recognition of the cloud computing service needs to be amended or revoked. This is a regulatory decision. Even if an auditor amends a report, the NCA has the final say on whether the service retains its recognized status in the central repository. The NCA evaluates the auditor's findings and the provider's notification to determine if the service still meets the criteria for its current Union assurance level.

If the NCA amends or revokes the recognition, it has a further transparency obligation to ensure the integrity of the single market. Article 23(3) requires the NCA to, "as soon as possible, notify the national competent authorities of the other Member States and the Commission."

This cross-border notification is vital for the functioning of the internal market. CADA operates on a "one-stop-shop" model where a service recognized in one Member State is recognized across the Union (as per Article 17). Therefore, if a provider loses its status in its home state, all other Member States must be informed immediately to prevent public sector bodies in other countries from continuing to procure or use a service that no longer meets the required assurance level. The Commission is also notified to maintain the integrity of the central repository established under Article 22.

The Role of the Central Repository

While Article 23 details the notification chain, its ultimate purpose is to keep the central repository accurate. Article 22 requires the Commission to establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. Article 23(3) ensures that any revocation or amendment is reflected in this system.

Furthermore, Article 22(3) notes that the revocation of an audit report or recognition "shall be published in the central repository and shall remain available there for five years." This creates a historical record for public sector buyers, auditors, and other stakeholders, ensuring transparency about a provider's compliance history. The notification chain in Article 23 is the engine that drives these updates, ensuring the repository reflects the current reality of the cloud market.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, Article 23 imposes a strict, proactive duty of care that goes beyond annual compliance cycles. You cannot wait for the next scheduled audit to disclose material changes. The notification chain is designed to catch risks in real time to protect public order.

1. Establish Internal Detection Mechanisms: Your compliance program must include robust internal monitoring to detect "material changes" immediately. This requires close coordination between IT operations, legal, security, and procurement teams. Any change in infrastructure, subcontracting, data flow, or ownership must be evaluated against the CADA assurance criteria in Annex II. If a change occurs, the clock starts ticking for the "as soon as possible" notification.

2. Manage Auditor Relationships Proactively: Do not treat the auditor as a passive recipient of information. Since the auditor must reassess the opinion upon notification, you should engage with them early when a material change is identified. Provide them with all necessary evidence to facilitate their assessment. Delaying this interaction could lead to a delayed or negative reassessment, which would then trigger a revocation by the NCA.

3. Prepare for Rapid Regulatory Response: If your service is at risk of losing recognition, the NCA will act quickly. You must be prepared to mitigate the impact on your public sector clients. Article 29(6) notes that if a risk assessment requires migration to another service, the transition period should not exceed 12 months. However, a sudden revocation of recognition could force immediate action. Your contracts with public sector bodies should include clauses that address scenarios where regulatory status changes, ensuring you have a clear path for migration or service continuity.

4. Document Everything: The notification chain relies on clear evidence. When notifying the auditor and NCA, provide detailed documentation of the material change and the steps you are taking to address it. If you believe the change does not affect your assurance level, you must be able to prove this to the auditor and NCA to prevent unnecessary revocation.

5. Penalties and Liability: Failure to comply with these transparency obligations can have severe consequences. Article 24 outlines that Member States must lay down effective, proportionate and dissuasive penalties for infringements. This includes considering the nature, gravity, scale and duration of the infringement, as well as the financial benefits gained. Furthermore, Article 24(3) grants recipients of the service (public sector bodies) the right to seek compensation for any damage or loss suffered due to an infringement of these obligations. If a provider fails to notify a material change and a security incident occurs, the provider could face significant liability.

Common misconceptions

Misconception 1: Only the auditor needs to be notified. Some providers may assume that notifying their auditing organization is sufficient, as the auditor is responsible for the technical opinion. However, Article 23(1) explicitly requires notification to both the auditing organization and the national competent authority of establishment. The NCA is the regulatory body that grants recognition; it must be made aware of material changes directly, not only through the auditor.

Misconception 2: The notification chain only applies to Levels 2, 3, and 4. While independent audits are required for levels 2, 3, and 4, Article 23 applies to the recognition under Article 17, which covers all Union assurance levels. Even for level 1, which relies on a self-assessment and a statement of conformity, the recognition is granted by the NCA (with an automatic recognition exception for SMEs, see Article 17(3)). If a material change affects a level 1 service, the provider must still notify the NCA, which may then revoke the recognition if the change violates the criteria.

Misconception 3: "As soon as possible" allows for significant delay. In regulatory contexts, "as soon as possible" is not a vague suggestion but a strict obligation to act without undue delay. Given the focus on public order and security in CADA, regulators will likely interpret this as requiring immediate action, potentially within days or even hours for critical changes. Waiting for the next scheduled audit or quarterly report would likely be considered a breach of this obligation.

Misconception 4: The NCA notifies the public, not other authorities. The primary obligation under Article 23(3) is to notify other Member States and the Commission, not the general public. The public is informed via the central repository (Article 22), but the inter-agency notification chain is a peer-to-peer regulatory communication to ensure consistent enforcement across the Union.

This is general information about a draft EU regulation, not legal advice.