Summary
Under the proposed Cloud and AI Development Act (CADA), recognition of a cloud computing service as offering a specific Union assurance level (Levels 1–4) does not have a fixed expiration date. Instead, it is a continuous status that remains valid indefinitely, provided the provider maintains compliance with the criteria in Annex II. However, this status is conditional on a rigorous annual review cycle. For Levels 2, 3, and 4, providers must submit their audit report and 'positive' audit opinion to an auditing organisation every year for reassessment (Article 20(8)). Additionally, providers have a proactive duty to notify authorities "as soon as possible" of any material changes affecting compliance (Article 23). Failure to undergo the annual review, supply misleading information, or maintain the required criteria can lead to the revocation of recognition by the auditing organisation or the national competent authority.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a sovereignty framework that prioritizes ongoing operational integrity over static, time-bound certification. Unlike traditional cybersecurity certifications that often expire after a fixed period (e.g., three years), CADA recognition is designed to be a dynamic status. It persists as long as the cloud computing service provider (CCSP) continues to meet the cumulative criteria for their specific Union assurance level.
The Continuous Nature of Recognition
The proposal does not stipulate a "validity period" for the recognition decision itself. Once a national competent authority of establishment recognises a service, that recognition is valid across the Union. However, the legal mechanism ensuring this validity is not a one-time event but a recurring obligation. The status is effectively "conditional" on the provider's ability to demonstrate, year after year, that it has not drifted from the strict requirements regarding establishment, data localisation, personnel, and third-country control.
This approach aligns with the proposal's objective to safeguard public order and ensure operational autonomy. A provider that was compliant at the time of initial recognition might become non-compliant six months later due to a change in ownership, a shift in infrastructure location, or a new subcontracting arrangement. The continuous model ensures that the "sovereign" status of the service reflects its current reality, not its past state.
The Mandatory Annual Audit Review (Article 20(8))
For cloud computing services seeking or holding recognition at Union assurance levels 2, 3, or 4, the cornerstone of maintaining this status is the annual audit review.
Article 20(8) of the CADA proposal explicitly mandates this cycle:
"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II. On the basis of the annual review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion."
This provision creates a strict compliance loop:
- Submission: The provider must proactively submit their existing audit report and positive opinion to an auditing organisation once every year.
- Assessment: The auditing organisation (which may be the same entity as the previous year or a new one) must reassess the service against the full set of criteria in Annex II. This is not a mere formality; it is a full compliance check.
- Outcome: The auditing organisation has three distinct powers based on the review:
  - Confirm: If the service still meets all criteria, the initial report and opinion are confirmed.
  - Update: If there are changes (e.g., new infrastructure) but compliance is maintained, the report and opinion are updated to reflect the new reality.
  - Revoke: If the service no longer meets the criteria, the auditing organisation must revoke the initial audit report and opinion.
For Union assurance level 1, which relies on a conformity self-assessment rather than an independent third-party audit, the mechanism is slightly different but equally continuous. While Article 20(8) specifically references the audit report for levels 2–4, the general principle of continuous compliance applies. A Level 1 provider must maintain the validity of their EU statement of conformity. If a material change occurs, the self-assessment becomes invalid, and the provider must issue a new statement. Failure to do so, or discovery of non-compliance by a competent authority, can lead to the rejection of the recognition.
Transparency and the Duty to Notify (Article 23)
Recognition is not a "set and forget" status. It relies heavily on the provider's transparency regarding changes in their operational environment. Article 23 imposes a strict obligation on recognised providers to act immediately upon discovering any issues.
Article 23(1) states:
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This "as soon as possible" requirement is critical. It means providers cannot wait for the annual review to disclose a change. Examples of "material changes" that trigger this duty include:
- Change in Control: A change in the ultimate beneficial ownership that introduces third-country control or alters the control structure.
- Infrastructure Shift: Moving data centres, assets, or personnel outside the Union (which would violate the criteria for Levels 2, 3, and 4).
- Subcontractor Changes: Engaging new subcontractors that do not meet the sovereignty criteria or failing to maintain the required separation from third-country subsidiaries.
- Cybersecurity Incidents: Events that compromise the state-of-the-art cybersecurity standards required for the assurance level.
The Chain Reaction of Notification: Once notified, the process moves swiftly:
- The auditing organisation assesses whether the audit report or opinion needs to be amended or revoked.
- If the organisation amends or revokes the report, it must notify the national competent authority of establishment "as soon as possible."
- The national competent authority then assesses whether its recognition needs to be amended or revoked.
- If the authority revokes the recognition, it must notify the competent authorities of other Member States and the Commission.
This cascade ensures that a loss of compliance in one Member State is immediately communicated across the Union, preventing a non-compliant provider from continuing to offer services under a false assurance level.
Revocation and the Central Repository
The consequences of failing to maintain compliance are severe and transparent. The proposal establishes a central repository of recognised services (Article 22), which is publicly available and regularly updated.
Article 22(3) mandates:
"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This public listing serves as a critical warning to public sector bodies and other potential customers. If a provider's recognition is revoked, it will be visible to all, effectively barring them from public procurement contracts that require a specific Union assurance level.
Revocation can occur in several scenarios:
- Failure of Annual Review: If the provider fails to submit the annual review or the auditing organisation issues a negative opinion due to non-compliance.
- Material Change Not Reported: If a provider fails to notify authorities of a material change under Article 23, and this is discovered later.
- Incorrect Information: Article 17(11) explicitly allows the evaluating national competent authority to revoke recognition if it finds that the provider "intentionally or negligently, supplied incorrect or misleading information."
- Loss of Criteria: If the provider simply ceases to meet the cumulative criteria of Annex II (e.g., infrastructure moves outside the EU, or third-country control is established without the necessary derogation under Article 18).
What this means for you
For cloud service providers, data centre operators, and their legal/compliance teams, the CADA proposal demands a shift from "project-based compliance" to "operational compliance." You are not just seeking a certificate; you are entering a continuous state of verification.
- Institutionalise the Annual Review: Do not treat the audit as a one-off event. Establish an internal calendar and budget for the annual submission required by Article 20(8). Ensure your contracts with auditing organisations explicitly cover the annual review cycle, not just the initial audit. A gap in this cycle could technically break the chain of recognition.
- Build a "Material Change" Detection System: You need robust internal monitoring to detect changes in ownership, infrastructure location, or subcontracting relationships immediately. If a change occurs, you must trigger the notification process under Article 23 immediately. Waiting for the annual audit to report a change that happened six months ago is a violation of the transparency obligation.
- Prepare for "Update" or "Revoke": Be prepared for the auditing organisation to update your report (if changes are minor but compliant) or revoke it (if changes are critical). Have a contingency plan for what happens if your recognition is revoked, including how to communicate with public sector clients and how to remediate the issue to regain recognition.
- Monitor the Central Repository: Regularly check the central repository to ensure your status is correctly reflected. If a revocation is published due to an error or a misunderstanding, you must act quickly to correct it, as the revocation remains visible for five years.
- Level 1 is Not "Low Effort": Even if you are only seeking Level 1 recognition, remember that your self-assessment must remain valid. If your infrastructure moves or your ownership changes, your self-assessment is no longer accurate. You must update your EU statement of conformity and be prepared for competent authorities to challenge your recognition if they find discrepancies.
Common misconceptions
Misconception 1: "CADA recognition expires after 3 or 5 years like a standard ISO certificate." Correction: The CADA proposal does not set a fixed expiry date. Recognition lasts indefinitely, provided the provider passes the annual audit review (Article 20(8)) and maintains compliance. The "expiry" is not a date on a calendar but a failure to meet the continuous conditions.
Misconception 2: "I only need to tell the authorities about changes if they ask me during the annual audit." Correction: No. Article 23 imposes a proactive duty. You must notify the auditing organisation and the competent authority "as soon as possible" upon becoming aware of any material change. Waiting for the annual audit to disclose a change is a breach of the regulation and can lead to revocation.
Misconception 3: "Once I get Level 1 recognition, I don't need to do anything until I want to upgrade." Correction: Level 1 recognition is still subject to enforcement. If a national competent authority discovers that a Level 1 provider no longer meets the criteria (e.g., infrastructure is no longer in the Union) or supplied incorrect information, they can reject or revoke the recognition under Article 17(5)(c) and Article 17(11). The status is not permanent if the underlying facts change.
Misconception 4: "If I miss the annual review, my recognition is just 'paused' until I catch up." Correction: There is no "pause" mechanism in the text. If the annual review is not submitted or results in a negative opinion, the auditing organisation may revoke the audit report and opinion. Without a valid positive opinion, the national competent authority will likely revoke the recognition, removing the provider from the central repository.
This is general information about a draft EU regulation, not legal advice.