Summary
Under the proposed Cloud and AI Development Act (CADA), a revoked recognition or audit opinion must remain published in the central repository for five years. This mandatory retention period applies regardless of whether the revocation was initiated by an independent auditing organisation or a national competent authority. The rule ensures a permanent historical record of non-compliance for services seeking Union assurance levels 2, 3, and 4, directly impacting public procurement eligibility and market reputation.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a unified transparency mechanism to verify the sovereignty status of cloud computing services across the EU. Central to this framework is the central repository of cloud computing services, which the European Commission is mandated to establish and maintain. This repository serves as the single source of truth for public sector bodies, auditors, and market participants to verify whether a cloud service provider has been formally recognised as offering a specific Union assurance level (Levels 1 through 4).
While the repository lists currently recognised services, its most critical function for risk management is the publication of negative outcomes. Article 22(3) of the proposal explicitly mandates the retention of revocation records:
"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This provision creates a fixed, non-negotiable "look-back" period for the market. The five-year clock starts from the moment the revocation is published, ensuring that a provider's past failures remain visible to contracting authorities and the public long after the immediate administrative decision has been made.
Scope of Application: What Triggers the Five-Year Rule?
The five-year retention obligation applies to two distinct types of administrative actions, both of which result in the loss of a provider's recognised status:
- Revocation by an Auditing Organisation: Under Article 20(7), an auditing organisation may revoke its own audit report and audit opinion if the audited provider "intentionally or negligently supplied incorrect or misleading audit evidence." This typically occurs when a provider attempts to hide non-compliance during the audit process or fails to cooperate with the auditor's requests for evidence.
- Revocation by a Competent Authority: Under Article 17(11), a national competent authority of establishment may revoke its recognition decision if it finds that the provider "intentionally or negligently supplied incorrect or misleading information" during the application process. This covers scenarios where a provider misrepresents its establishment, infrastructure location, or control structure to gain recognition.
Crucially, the text of Article 22(3) treats both scenarios identically regarding the repository. Whether the revocation originates from the auditor (who issued the opinion) or the authority (who granted the recognition), the record of that revocation must be published and retained for the full five-year duration.
The Distinction for Union Assurance Level 1
It is vital to note that this five-year publication rule specifically targets the higher assurance levels (2, 3, and 4). Union assurance level 1 operates on a self-assessment basis under Article 19, where the provider issues an EU statement of conformity without undergoing an independent third-party audit or receiving a formal recognition decision from a competent authority. Consequently, there is no "audit report" or "recognition decision" to revoke in the manner described in Article 22(3). While a Level 1 provider may face penalties for false declarations under Article 24, the specific mechanism of publishing a revoked audit opinion or recognition for five years in the central repository does not apply to Level 1 services.
Public Accessibility and Transparency
The repository is not a closed database for government use only. Article 22(4) mandates that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This ensures that the five-year record of revocation is visible to:
- Contracting authorities conducting risk assessments under Article 29.
- Private sector entities in critical sectors (e.g., those under the NIS2 Directive) seeking to verify supply chain resilience.
- Competitors and the general public, who can monitor the compliance history of major cloud providers.
What this means for you
For legal counsel, compliance officers, and procurement teams, the five-year retention rule in Article 22(3) represents a significant long-term liability. In the context of the proposed CADA, a revocation is not merely a temporary administrative hurdle; it is a five-year public stain on a provider's record that can fundamentally alter market access.
1. Procurement Eligibility and Risk Assessment
Public sector bodies are required to procure cloud services that meet specific Union assurance levels based on their risk assessments (Article 30). If a service's recognition is revoked, it is immediately ineligible for procurement in the relevant assurance tier. The five-year publication ensures that even if a provider attempts to re-apply or restructure its operations, the historical record of the revocation remains visible. Contracting authorities, when evaluating tenders, can see that a provider previously failed to meet the criteria. This transparency allows authorities to assess historical reliability and may lead to the exclusion of the provider from future tenders, even if the provider has since remedied the underlying issue.
2. Reputational Impact Beyond the Public Sector
Because the repository is publicly accessible, the impact of a revocation extends far beyond government contracts. Private sector entities, particularly those in critical infrastructure sectors, often mirror public procurement standards to ensure their own supply chain resilience. A five-year record of a revoked audit opinion signals to the market that the provider failed to meet stringent sovereignty, security, or operational autonomy criteria. For large hyperscalers or specialized EU providers, this visibility can erode trust among enterprise customers who rely on these guarantees for their own compliance and security posture.
3. Strategic Remediation and Re-application
If a revocation occurs, the five-year period is fixed. There is no mechanism in the proposal to request early removal of the record, even if the provider successfully corrects the issue or passes a subsequent audit. The focus for affected providers must therefore shift to:
- Root Cause Analysis: Immediately addressing the specific evidence or information that led to the revocation (e.g., correcting misleading data on infrastructure location or control structures).
- Re-application Strategy: Preparing a robust new application for recognition, acknowledging that the previous revocation will be part of the public record during the evaluation process. The new application must demonstrate not just current compliance, but also the lessons learned from the previous failure.
- Stakeholder Communication: Proactively communicating with existing and prospective clients to explain the remediation steps taken. Since the repository record provides the "what" but not the "why" or the "how fixed," providers must manage the narrative to prevent market panic.
Common misconceptions
Misconception 1: The record is removed once the issue is fixed. Reality: No. The five-year retention period is mandatory under Article 22(3) and does not reset or shorten based on subsequent corrective actions, successful re-certification, or the passage of time since the remediation. The record serves as a historical audit trail for market participants for the full duration.
Misconception 2: Only cases of intentional fraud trigger the five-year rule. Reality: The rule applies to any revocation of an audit report or recognition, regardless of whether the underlying cause was "intentional" or "negligent." As stated in Article 20(7) and Article 17(11), the threshold for triggering the publication is the administrative act of revocation itself, not the severity of the provider's intent.
Misconception 3: The repository is only accessible to government bodies. Reality: Article 22(4) explicitly states that the central repository shall be publicly available. This means competitors, journalists, analysts, and the general public can access revocation records, amplifying the reputational impact beyond just public procurement circles.
Misconception 4: Level 1 providers are subject to this retention rule. Reality: No. Level 1 relies on a self-assessment and an EU statement of conformity (Article 19). It does not involve an independent audit report or a formal recognition decision by a competent authority that can be "revoked" in the manner described in Article 22(3). Therefore, the five-year publication rule specifically targets providers seeking Levels 2, 3, and 4.
Related
- Are revoked recognitions published in the CADA central repository?
- Why does CADA keep revoked recognitions visible for five years?
- What should a buyer do if a service is revoked in the CADA repository mid-contract?
- CADA Repository: How long are audit opinion revocations kept?
- Why list in the CADA repository? Public procurement access & market advantage
This is general information about a draft EU regulation, not legal advice.