Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must bear the full financial burden of independent third-party audits. Article 20(1) explicitly states these audits are conducted "at their own expense," with no EU or Member State subsidy. Costs are variable, driven by provider complexity, assurance level, and subcontractor scope. Crucially, Article 20(8) mandates an annual review, creating a recurring cost obligation to maintain recognition. While the proposal does not set a fixed duration for the audit itself, the recognition process involves a 60-day assessment period by national authorities, implying providers must complete audits well in advance of application.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework to reduce dependencies on third-country providers. A cornerstone of this framework is the requirement for independent third-party audits for any cloud service seeking recognition at Union assurance levels 2, 3, or 4. For providers, understanding the financial and temporal implications of these audits is critical for compliance planning and budgeting.
Who Pays for the Audit?
The proposal is unequivocal regarding the allocation of financial responsibility. Article 20(1) mandates that cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
This provision establishes that the cost of the audit is a direct operational expense for the provider. Neither the EU budget, Member State funds, nor the public sector clients purchasing the services subsidise these assessments. The provider must contract an auditing organisation that meets strict independence and competence criteria outlined in Article 20(4). These criteria include prohibitions on providing non-audit services to the same provider within a 12-month period before and after the audit, ensuring the auditor's objectivity. The provider bears the cost of securing an auditor that satisfies these rigorous standards.
Factors Influencing Audit Costs
Because CADA does not establish a standardised fee schedule or a fixed price cap, the cost of a CADA audit will vary significantly based on several dynamic factors:
- Assurance Level Complexity: Higher assurance levels (3 and 4) involve substantially stricter criteria than Level 2. For instance, Levels 3 and 4 require personnel to be Union citizens (with security clearances where necessary) and demand a European cybersecurity certificate of at least 'substantial' (Level 3) or 'high' (Level 4) assurance. Auditing these complex, high-stakes requirements naturally incurs higher fees than Level 2 audits, which may rely on national schemes or, where no Union scheme exists yet, on demonstrated compliance with the highest standards.
- Provider Size and Infrastructure Scope: Larger providers with global infrastructures, multiple data centres, and complex network architectures will require more extensive auditing. Article 20(2) requires providers to give auditing organisations access to "all relevant data and premises." The physical and logical scope of this access directly correlates with the auditor's workload, travel requirements, and time spent, driving up the fee.
- Subcontractor Ecosystem: The audit criteria in Annex II extend beyond the primary provider to include subcontractors involved in service provision. Auditors must verify that these third parties also meet location, control, and personnel requirements. Providers with extensive, multi-tiered subcontractor networks will face higher audit costs due to the increased volume of evidence required to demonstrate compliance across the entire supply chain.
- Auditing Organisation Selection: While providers are free to select their auditing organisation, provided it meets the independence and competence standards in Article 20(4), market dynamics will influence pricing. In the early stages of CADA implementation, a scarcity of qualified auditors with specific expertise in cloud sovereignty and the new CADA criteria could drive costs up. Conversely, as the market matures, competition may stabilise fees.
Recurring Costs: The Annual Review
The financial obligation under CADA is not a one-time event. Article 20(8) states that the audited provider shall "annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II."
This annual review is a mandatory recurring cost that providers must budget for indefinitely. While a review may be less intensive than a full initial audit, it still requires the provider to engage an auditing organisation to assess continued compliance. The auditing organisation may confirm, update, or revoke the initial audit report and opinion based on this review. Failure to complete this annual review could result in the loss of recognition, effectively barring the provider from serving public sector bodies requiring those assurance levels.
Timelines for Audit Completion
The CADA proposal does not specify a fixed number of days or weeks for the audit process itself. The duration is left to the agreement between the provider and the auditing organisation, dependent on the complexity of the service and the readiness of the provider. However, the regulatory framework implies significant time commitments:
- Preparation Time: Providers must prepare extensive documentation, including software bills of materials (SBOMs), data flow diagrams, evidence of supply chain controls, and personnel records. Annex III details the specific audit evidence required; compiling it can take months, especially for large providers with legacy systems.
- Audit Execution: The auditor must access premises, interview staff, and review technical and organisational measures. The time required depends on the provider's cooperation and the complexity of its infrastructure.
- Recognition Process: While the audit itself has no fixed deadline, the subsequent recognition process under Article 17 involves a 60-day assessment period by the national competent authority after the application is submitted. This suggests that providers should aim to complete their audits well in advance of their application for recognition to avoid delays in entering the market.
- Annual Review Cycle: The annual review under Article 20(8) is recurring and must be completed every year to maintain the provider's recognised status. Providers must plan their fiscal year to accommodate this recurring audit cycle.
What this means for you
For cloud service providers and data centre operators, the CADA audit requirements represent a significant shift in cost structure and operational planning.
- Budgeting for Compliance: You must allocate substantial funds for initial audits and recurring annual reviews. These costs should be factored into your pricing models for EU public sector clients. Do not assume these costs will be passed on or subsidised; Article 20(1) places the burden squarely on the provider.
- Internal Readiness: To minimise audit costs and duration, invest in robust internal documentation and compliance systems before engaging an auditor. Having clear, pre-organised evidence of supply chain controls, data localisation, and cybersecurity measures will streamline the auditor's work and reduce billable hours.
- Subcontractor Management: Ensure your subcontractors are compliant with CADA criteria. Auditors will scrutinise their involvement, and non-compliant subcontractors can lead to audit failures or additional costs for remediation.
- Auditor Selection: Begin identifying potential auditing organisations early. Build relationships with firms that have the necessary expertise and independence to conduct CADA audits efficiently. The pool of qualified auditors may be limited initially.
Common misconceptions
- "The EU pays for CADA audits." False. Article 20(1) clearly states that providers undergo audits "at their own expense."
- "A one-time audit is sufficient." False. Article 20(8) mandates an annual review to maintain recognition. The cost is recurring.
- "Small providers are exempt from audit costs." False. While SMEs have a simplified recognition path for Level 1 (self-assessment), any provider seeking Levels 2, 3, or 4 must undergo independent audits, regardless of size.
- "Audit timelines are fixed by law." False. The proposal does not specify exact durations for the audit process itself, though the recognition process has a 60-day assessment window for the authority.
This is general information about a draft EU regulation, not legal advice.