Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers holding Union assurance levels 2, 3, or 4 are subject to a mandatory annual review cycle. As explicitly set out in Article 20(8) of the proposal, providers must submit their existing audit report and the associated 'positive' audit opinion to an auditing organisation every year. The auditor is then required to assess the continued compliance of the service with the applicable criteria in Annex II. Based on this assessment, the auditing organisation may confirm, update, or revoke the initial audit report and opinion. This mechanism ensures that sovereignty recognition remains dynamic and responsive to operational changes.

Detail

The CADA proposal establishes a rigorous, tiered sovereignty framework designed to mitigate risks associated with third-country control, data localization, and supply-chain integrity. While Union assurance level 1 relies on a conformity self-assessment by the provider, levels 2, 3, and 4 require independent third-party audits to verify compliance with stringent cumulative criteria. A critical pillar of this framework is the requirement for continuous monitoring, ensuring that a provider's status does not degrade over time.

The Statutory Annual Review Cycle

The core obligation for ongoing compliance is found in Article 20(8) of the CADA proposal. This provision mandates that an audited provider "shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation."

This requirement applies specifically to providers seeking recognition for Union assurance levels 2, 3, or 4. The text is unambiguous: the submission must occur on an annual basis. The auditing organisation receiving the submission is tasked with a specific duty: to "assess the continued compliance of the audited service with the applicable criteria set out in Annex II."

This annual cycle transforms the audit from a static certification event into a continuous governance obligation. It acknowledges that cloud infrastructures, personnel, and supply chains are dynamic. A provider that was compliant at the time of the initial audit may face new risks, such as a change in ownership structure, a shift in data routing, or the introduction of new software dependencies. The annual review is the mechanism designed to capture these changes and verify that the service still meets the high standards required for public sector procurement.

The Three Possible Outcomes

Upon completing the annual assessment, the auditing organisation must take one of three specific actions, as defined in Article 20(8):

  1. Confirm: If the auditor determines that the service continues to meet all applicable criteria without significant deviation, they may confirm the initial audit report and opinion. This confirms the provider's continued eligibility for the specific Union assurance level.
  2. Update: If the auditor finds that the service remains compliant but that certain aspects of the report or the service configuration have changed (e.g., minor updates to the software bill of materials or personnel changes that do not affect the overall compliance status), the auditor may update the audit report and opinion. This ensures the documentation reflects the current reality of the service while maintaining the 'positive' opinion.
  3. Revoke: If the auditor concludes that the service no longer complies with the criteria set out in Annex II, they may revoke the initial audit report and audit opinion. This is a severe outcome, effectively stripping the provider of the independent verification required for their assurance level.

The proposal explicitly states that the auditor may revoke the report if the provider "intentionally or negligently, supplied incorrect or misleading audit evidence" (Article 20(7)), but the annual review under Article 20(8) serves as a proactive check to prevent such situations or to address them as soon as they arise.

Interaction with Transparency and Recognition

The annual review does not operate in a vacuum; it is deeply integrated with the broader transparency and recognition framework of CADA.

Link to Transparency Obligations (Article 23): The annual review is complemented by the immediate notification requirements in Article 23. If a provider becomes aware of any material change in circumstances that may affect the audit report or the 'positive' opinion, they must notify the auditing organisation and the national competent authority of establishment "as soon as possible" (Article 23(1)). If the auditing organisation amends or revokes the report based on such a notification, it must notify the competent authority without delay (Article 23(2)). The annual review acts as a scheduled checkpoint to catch issues that might have been missed between ad-hoc notifications.

Impact on Recognition (Article 17): The outcome of the annual review directly impacts the provider's recognition status. Under Article 17, recognition is granted based on the submission of a valid audit report and a 'positive' audit opinion. If an auditor revokes the opinion during the annual review, the basis for the recognition disappears. The national competent authority of establishment is then obligated to assess whether its recognition of the cloud computing service needs to be amended or revoked (Article 23(3)).

Public Record (Article 22): Any revocation of an audit report or recognition must be published in the central repository of cloud computing services maintained by the Commission. Article 22(3) stipulates that such revocations "shall remain available there for five years." This ensures that contracting authorities and the public have visibility into a provider's compliance history.

Independence and Auditor Selection

A notable feature of the annual review process is the flexibility it offers regarding the choice of auditor. Article 20(8) explicitly allows the provider to submit the report to "the same or a different auditing organisation."

This flexibility is balanced by strict independence requirements. Regardless of whether the provider sticks with the original auditor or switches, the new or continuing auditor must meet the criteria in Article 20(4). These include:

  • Independence: The auditor must not have provided non-audit services related to the matters audited in the 12 months before or after the audit, and must not have provided auditing services to the provider in the 10-year period prior.
  • Competence: The auditor must have proven expertise and technical competence in auditing cloud computing services.
  • Objectivity: The auditor must adhere to codes of practice and ensure fees are not contingent on the audit result.

This structure prevents "auditor shopping" for lenient reviews while allowing providers to change auditors if necessary, provided the new auditor meets the rigorous independence and competence standards.

What this means for you

For cloud service providers targeting the European public sector market, the annual review is a non-negotiable operational requirement. It shifts the compliance burden from a one-time project to a permanent function of your governance structure.

1. Integrate into Your Compliance Calendar: You must treat the annual review as a fixed milestone in your fiscal or operational year. Do not wait for a reminder from the auditor or the competent authority. The obligation to "annually submit" is statutory. Failure to submit the report and opinion on time could lead to the national competent authority withdrawing your recognition, as it relies on valid audit evidence to maintain your status in the central repository.

2. Prepare for Continuous Evidence Collection: While the annual review may be less intensive than the initial full audit, it still requires the auditor to verify continued compliance. You must maintain up-to-date documentation year-round. This includes:

  • Software Bills of Materials (SBOMs): Ensure these are current and reflect any new dependencies.
  • Data Flow Diagrams: Verify that data routing has not changed and remains within the Union.
  • Personnel Records: Keep employment contracts and location data ready to prove that personnel remain Union citizens and residents where required.
  • Subcontractor Agreements: Ensure your contracts with subcontractors allow for the necessary transparency and evidence sharing with your auditor.

3. Leverage the "Update" Option: If your service undergoes minor changes (e.g., a new data center in the same Member State, or a software patch), do not fear the review. The auditor has the power to "update" the report. Use this opportunity to demonstrate that your governance is robust enough to handle change without losing compliance. Proactive communication with your auditor about planned changes can facilitate a smooth update rather than a disruptive revocation.

4. Strategic Auditor Management: Article 20(8) gives you the option to switch auditors. If you are dissatisfied with the current auditor's responsiveness, expertise, or cost, you may engage a different organisation for the annual review. However, be strategic: switching auditors requires the new organisation to perform a full assessment of your continued compliance. Ensure the transition is seamless to avoid gaps in your 'positive' opinion status.

5. Risk Mitigation and Remediation: Use the annual review as a proactive risk management tool. If the auditor identifies a minor non-compliance, they may update the report with recommendations rather than revoking the opinion. Address these recommendations immediately. A pattern of minor non-compliances that are not rectified can escalate to a full revocation in subsequent years.

Common misconceptions

Misconception 1: "Once I pass the audit, I am certified for the life of the contract." This is incorrect. The CADA proposal explicitly rejects the concept of indefinite certification. Article 20(8) mandates an annual review. Without the annual submission and a resulting 'positive' opinion (whether confirmed or updated), your recognition is not valid.

Misconception 2: "The annual review is just a paperwork exercise." The review is a substantive assessment. The auditor must actively "assess the continued compliance" of the service. If material changes have occurred that affect compliance, the auditor is obligated to update or revoke the opinion. It is not a mere administrative formality.

Misconception 3: "Only Level 4 providers need to worry about annual reviews." The annual review requirement applies to all providers seeking recognition for Union assurance levels 2, 3, and 4. Level 1 relies on self-assessment, but any level requiring independent audit is subject to this annual cycle.

Misconception 4: "I can delay the review if my operations are stable." The regulation states the provider shall "annually" submit the report. While the text does not specify a calendar month, the expectation is a regular, annual cycle. Delays could be interpreted as a failure to maintain compliance, potentially jeopardizing your recognized status and your eligibility for public procurement.

Misconception 5: "A revoked audit means I lose all my contracts immediately." While a revoked audit leads to the loss of recognized status in the central repository and prevents you from winning new public sector contracts requiring that assurance level, it does not automatically terminate existing contracts. However, most public sector contracts include clauses requiring continuous compliance with sovereignty standards. A revocation could therefore trigger a breach of contract, leading to termination or penalties under the contract terms.

This is general information about a draft EU regulation, not legal advice.