Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers (CSPs) holding a recognized Union assurance level must establish a proactive internal monitoring system to detect "material changes in circumstances" that could affect their audit reports or recognition status. As explicitly mandated in Article 23(1), CSPs are obligated to notify both their auditing organisation and the national competent authority (NCA) of establishment "as soon as possible" upon becoming aware of such changes. This duty applies to all assurance levels, including Level 1. Failure to trigger this rapid notification mechanism risks the amendment or revocation of your recognition, effectively barring you from public sector procurement under Article 30.

Detail

The CADA proposal establishes a dynamic sovereignty framework in which recognition is not a one-time event but a continuous state of compliance. While Article 17 sets out the initial recognition procedure and Article 19 (for Level 1) or Article 20 (for Levels 2–4) governs the initial assessment, Article 23 serves as the critical "living document" clause. It ensures that the central repository maintained by the Commission remains accurate and that public sector bodies can rely on the current status of cloud services.

The Core Obligation: Article 23(1) and Dual Notification

The legal anchor for this process is Article 23(1), which states:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

This provision imposes a strict, dual-track notification duty. A CSP cannot limit its reporting to a single entity. The regulation requires simultaneous communication with:

  1. The Auditing Organisation: The independent third party that issued the audit report and "positive" opinion for Union assurance levels 2, 3, or 4. Even for Level 1 providers, who rely on a self-assessment under Article 19, the text of Article 23(1) refers to the "auditing organisation" as a notification recipient. In the context of Level 1, this refers to the entity responsible for the conformity self-assessment process or the NCA acting in a supervisory capacity, ensuring the chain of accountability remains unbroken regardless of the assurance level.
  2. The National Competent Authority (NCA) of Establishment: The regulatory body designated by the Member State where the CSP has its main establishment (defined in Article 25(4) as the place where the head office or registered office is located from which principal financial functions and operational control are exercised).

The phrase "as soon as possible" creates an immediate obligation. Unlike the 60-day review periods for initial recognition found in Article 17, there is no fixed grace period for reporting material changes. Given the proposal's focus on safeguarding public order and preventing third-country interference, delays in reporting could be construed as a failure to maintain the integrity of the sovereignty framework.

Designing Internal Monitoring for "Material Changes"

To comply with Article 23(1), a CSP must first operationalize the definition of a "material change." While the proposal does not provide a static checklist in Article 23, the criteria for Union assurance levels in Annex II provide the definitive scope. A change is material if it impacts the provider's ability to meet the cumulative criteria for its recognized level.

CSPs should design their internal monitoring processes to detect changes in the following critical areas:

  • Infrastructure and Asset Location (Annex II, Levels 1–4): Any relocation of servers, data storage, backup facilities, or disaster recovery sites outside the Union, unless the public sector body explicitly requires otherwise. This includes changes in the location of subcontractor infrastructure.
  • Personnel and Citizenship (Annex II, Levels 2–4): Changes in the citizenship, location, or security clearance of personnel involved in service provision.
    • Level 2: Personnel screening and Union citizenship requirements are conditional, applying only if the public sector body explicitly determines them necessary (Annex II, 2.1(d)). A material change here would be the loss of such personnel if a requirement was active.
    • Levels 3 & 4: Union citizenship is a mandatory cumulative criterion for all personnel involved in the service (Annex II, 3.1(d) and 4.1(d)). Any change in workforce composition that results in non-Union citizens performing these roles is an immediate material breach.
  • Third-Country Control and Ownership (Annex II, Levels 2–4): Changes in the ownership structure, shareholding, or governance of the CSP or its subcontractors. If a new shareholder from a third country acquires a controlling interest, or if the CSP becomes subject to the control of a third-country legal entity, this is material.
    • Derogation Note: For Union assurance level 3, a derogation exists allowing third-country control only if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances (Annex II, 3.1(g)). Any change affecting the status of this implementing act or the provider's eligibility under it must be reported immediately.
  • Data Flows and AI Training (Annex II, Levels 2–4): Changes in how customer data is processed, stored, or transferred. Specifically, any new practice where data generated by using the service is used to train or fine-tune AI systems operated by a third country, or transferred outside the Union, is a material breach of the criteria for Levels 2, 3, and 4 (Annex II, 2.1(f), 3.1(f), 4.1(f)).
  • Technical and Operational Support (Annex II, Levels 2–4): Any outsourcing of technical support or operational assistance to entities outside the Union, or to personnel not located in the Union. The criteria require that such support be initiated and performed exclusively within the Union (Annex II, 2.1(h), 3.1(h), 4.1(h)).
  • Software Supply Chain (Annex II, Levels 2–4): Changes in the software bill of materials (SBOM), dependencies, or the introduction of new software components from third-country vendors that have not been subject to the required source code audits or migration plans (Annex II, 2.1(i), 3.1(i), 4.1(i)).

Setting Up Rapid Notification Mechanisms

Once a material change is detected, the internal process must trigger a rapid notification workflow. This workflow should be automated where possible to ensure the "as soon as possible" standard is met.

  1. Immediate Internal Assessment: Upon detection (e.g., via a change in the corporate registry, a server migration alert, or a personnel database update), a designated compliance team must assess whether the change is "material" under the criteria of Annex II. If there is any doubt regarding the impact on the assurance criteria, the safer and legally prudent approach is to notify.
  2. Notification to the Auditing Organisation: The CSP must inform the auditor of the change. Under Article 23(2), the auditing organisation is then obligated to assess whether the audit report or opinion needs to be amended or revoked. If the auditor amends or revokes the report, they must notify the NCA.
  3. Notification to the NCA: Simultaneously, the CSP must notify the NCA of establishment. Under Article 23(3), the NCA will assess whether its recognition of the CSP needs to be amended or revoked. If the NCA amends or revokes the recognition, it must notify other Member States' NCAs and the Commission, which will update the central repository.

The internal process must document all notifications, including the date, time, content, and recipient, to demonstrate compliance in case of an investigation.

Consequences of Non-Notification

Failure to notify can have severe repercussions. If a material change is discovered by the auditor or NCA through other means (e.g., during a subsequent audit or investigation), the CSP may face penalties. Article 24(1) requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing penalties, including the nature, gravity, scale, and duration of the infringement, and the financial benefits gained.

Moreover, if the audit report or recognition is revoked, the CSP loses its status in the central repository maintained by the Commission under Article 22. This effectively bars the CSP from supplying cloud services to public sector bodies that require Union assurance levels 2, 3, or 4, as mandated by Article 30(3). For Level 1 providers, loss of recognition would similarly impact their ability to serve public sector bodies under Article 30(2).

What this means for you

For cloud service providers and data centre operators, building an internal process for CADA transparency notifications is not just a compliance checkbox; it is a strategic imperative to maintain market access to the public sector. The proposal treats the sovereignty framework as a continuous state of verification, not a static certification.

Actionable Steps:

  1. Map Your Assurance Level Criteria: Review Annex II of the CADA proposal in detail for your specific assurance level. Create a matrix of "material change triggers" based on these criteria, distinguishing between conditional requirements (Level 2 personnel) and mandatory ones (Levels 3–4 personnel).
  2. Integrate with Existing Monitoring: Leverage existing IT service management (ITSM) and security information and event management (SIEM) tools to detect changes in infrastructure, personnel, and data flows. Add specific alerts for sovereignty-related metrics, such as data residency violations, unauthorized third-country access, or changes in corporate ownership structures.
  3. Establish a Compliance Liaison: Designate a team or individual responsible for liaising with the auditing organisation and the NCA. This team should be trained on the nuances of "materiality" under CADA and the specific notification requirements of Article 23.
  4. Draft Notification Templates: Prepare standardized templates for notifications to the auditor and NCA. These should include fields for describing the change, its potential impact on assurance criteria, and any remedial actions taken.
  5. Conduct Regular Drills: Simulate scenarios where a material change occurs (e.g., a sudden acquisition by a third-country entity, a server migration to a non-EU location, or a change in key personnel citizenship) to test the speed and accuracy of your notification process.
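The Annex II monitoring areas listed under "Designing Internal Monitoring", the three-step workflow under "Setting Up Rapid Notification Mechanisms", and Steps 1, 2 and 5 above describe a single pipeline: classify a detected change as material for the recognised level, then log the same notification to both the auditing organisation and the NCA. The Python below is an added illustration of that pipeline written for this page; it is not code from the proposal or from any provider's system. The event kinds and field names, the region and Member State sets, the provider names, and the list of third countries treated as covered by an Article 18 implementing act are all constructed for the example. The rules deliberately encode the two edge cases the text singles out: the conditional Level 2 personnel requirement (Annex II, 2.1(d)) and the Level 3 third-country derogation (Annex II, 3.1(g)).

```python
"""Materiality screen for CADA Article 23(1) notifications (added example; not code
from the proposal or from any provider). Event kinds, field names, region and state
sets, provider names and the Article 18 approved-country list are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

EU_REGIONS = {"eu-west-1", "eu-central-1"}  # constructed; a real screen reads the CMDB
EU_STATES = {"DE", "FR", "IE", "NL"}        # constructed subset of Member State codes


@dataclass(frozen=True)
class Provider:
    name: str
    level: int                              # recognised Union assurance level, 1..4
    personnel_reqs_active: bool = False     # Level 2 only: True once a public sector body required it (Annex II, 2.1(d))
    l3_approved_countries: frozenset = frozenset()  # third countries assumed named in an Article 18 implementing act


@dataclass(frozen=True)
class ChangeEvent:
    kind: str    # infra_location | personnel | ownership | data_use | support | sbom
    detail: dict


@dataclass(frozen=True)
class Assessment:
    material: bool
    reason: str
    annex_ref: str


def assess(p: Provider, ev: ChangeEvent) -> Assessment:
    """Decide whether one detected change is material for the provider's level."""
    d = ev.detail
    if ev.kind == "infra_location":
        # Levels 1-4: assets moved outside the Union, unless the public sector body required it.
        outside = d["region"] not in EU_REGIONS and not d.get("customer_required_outside_eu", False)
        return Assessment(outside, f"{d['asset']} now hosted in {d['region']}", "Annex II, Levels 1-4")
    if p.level == 1:
        # The criteria below are Level 2-4 criteria; they do not bind a Level 1 provider.
        return Assessment(False, f"{ev.kind} change is outside the Level 1 criteria", "Annex II, Level 1")
    if ev.kind == "personnel":
        non_eu = d["citizenship"] not in EU_STATES
        if p.level == 2:
            # Conditional at Level 2: only material if the customer activated the requirement.
            return Assessment(non_eu and p.personnel_reqs_active, "non-Union citizen in service role", "Annex II, 2.1(d)")
        return Assessment(non_eu, "non-Union citizen in service role", f"Annex II, {p.level}.1(d)")
    if ev.kind == "ownership":
        country = d["controlling_country"]
        if p.level == 3 and country in p.l3_approved_countries:
            # Level 3 derogation: control from a country named in an Article 18 implementing act.
            return Assessment(False, f"control from {country} is covered by an Article 18 act", "Annex II, 3.1(g)")
        return Assessment(country not in EU_STATES, f"controlling interest now held from {country}", f"Annex II, {p.level}.1(g)")
    if ev.kind == "data_use":
        flag = d.get("trains_third_country_ai", False) or d.get("transferred_outside_eu", False)
        return Assessment(flag, "service data used for third-country AI or moved outside the Union", f"Annex II, {p.level}.1(f)")
    if ev.kind == "support":
        flag = d["performed_from"] not in EU_STATES
        return Assessment(flag, f"support performed from {d['performed_from']}", f"Annex II, {p.level}.1(h)")
    if ev.kind == "sbom":
        flag = d["vendor_country"] not in EU_STATES and not d.get("source_audited", False)
        return Assessment(flag, f"unaudited component {d['component']} from {d['vendor_country']}", f"Annex II, {p.level}.1(i)")
    # Anything the rules do not recognise follows the text's advice: when in doubt, notify.
    return Assessment(True, f"unclassified change kind '{ev.kind}'", "Article 23(1)")


def notifications(p: Provider, ev: ChangeEvent, a: Assessment, now=None) -> list[dict]:
    """Build the dual-notification records (auditor and NCA); empty when not material."""
    if not a.material:
        return []
    ts = (now or datetime.now(timezone.utc)).isoformat()
    content = f"{p.name} (Level {p.level}) reports: {a.reason} [{a.annex_ref}]"
    # One identical record per recipient gives the dated, attributable log the text asks for.
    return [{"recipient": r, "timestamp": ts, "content": content}
            for r in ("auditing_organisation", "nca_of_establishment")]


def run_drill(p: Provider, events: list) -> list:
    """Drill helper: for each constructed event, report kind, materiality and notifications sent."""
    out = []
    for ev in events:
        a = assess(p, ev)
        out.append((ev.kind, a.material, len(notifications(p, ev, a))))
    return out


if __name__ == "__main__":
    l3 = Provider("ExampleCloud", 3, l3_approved_countries=frozenset({"XX"}))  # constructed
    drill = [ChangeEvent("infra_location", {"asset": "backup-07", "region": "us-east-1"}),
             ChangeEvent("personnel", {"citizenship": "US"}),
             ChangeEvent("ownership", {"controlling_country": "XX"})]
    for row in run_drill(l3, drill):
        print(row)
```

Run against the constructed drill scenarios, the screen shows the distinctions the text draws: a single backup server landing outside the Union is material at every level; a non-Union citizen joining the service team is material for a Level 3 provider but not for a Level 2 provider whose customer never activated the personnel requirement; a controlling interest from a country covered by an Article 18 act is tolerated only at Level 3; and an event kind the rules do not recognise defaults to notification rather than silence. The notification records carry recipient, timestamp and content so the compliance liaison has the evidence trail the "Setting Up Rapid Notification Mechanisms" section asks for.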

Common misconceptions

Misconception 1: "I only need to notify if I lose my assurance level." Incorrect. Article 23(1) requires notification of any material change that may affect the audit report or recognition. This includes changes that might require an amendment to the report or a reassessment, even if the final outcome is that the assurance level is maintained. Proactive notification is key to maintaining the integrity of the framework.

Misconception 2: "My auditor will handle all notifications to the NCA." Incorrect. While the auditor must notify the NCA if they amend or revoke the audit report (Article 23(2)), the CSP has an independent obligation to notify the NCA directly (Article 23(1)). Relying solely on the auditor creates a risk of delay or miscommunication, potentially leading to penalties for non-notification.

Misconception 3: "Minor operational changes don't need to be reported." Incorrect. What constitutes "minor" is subjective. Under CADA, any change that impacts the criteria in Annex II is material. For example, moving a single backup server to a non-EU location might seem minor operationally, but it is a material breach of the data localization criteria for Levels 1–4. When in doubt, notify.

Misconception 4: "This only applies to Level 4 providers." Incorrect. Article 23 applies to all recognized cloud computing service providers, including those with Level 1 recognition. While Level 1 relies on self-assessment, the obligation to notify material changes that affect the EU statement of conformity remains. The text of Article 23(1) does not distinguish between levels regarding the recipient of the notification; it applies to "the recognised cloud computing service provider" generally.

Misconception 5: "The third-country derogation for Level 3 is a drafting error." Incorrect. There is no drafting error in the proposal. Annex II, Section 3.1(g) correctly references Article 18 as the legal basis for the Commission to adopt implementing acts identifying third countries for Level 3. Article 18 is titled "Associated third countries" and explicitly establishes this mechanism. The proposal is internally consistent on this point.

This is general information about a draft EU regulation, not legal advice.