Summary
As proposed in the Cloud and AI Development Act (CADA), cloud service providers seeking recognition for Union assurance levels 2, 3, or 4 must select an auditing organisation that is strictly independent, technically competent, and free from conflicts of interest. Under Article 20(4), you must verify that the auditor has not provided non-audit services to your entity in the preceding 12 months, has not audited you under this Regulation in the last 10 years, and does not accept fees contingent on the audit result. Choosing an auditor that fails these cumulative conditions risks the invalidation of your audit opinion and the loss of your recognised sovereignty status.
Detail
The CADA proposal establishes a rigorous sovereignty framework where cloud computing service providers aiming for Union assurance levels 2, 3, or 4 must undergo independent third-party audits. Unlike Level 1, which relies on a self-assessment and an EU statement of conformity, these higher tiers demand external validation to ensure that infrastructure, data, and personnel remain under Union control and free from third-country interference. Consequently, the selection of the auditing organisation is not merely a commercial procurement decision but a critical compliance step that determines the validity of the entire sovereignty claim.
Legal Requirements for Auditor Selection
The core criteria for selecting an auditing organisation are explicitly set out in Article 20(4) of the CADA proposal. Providers do not have unrestricted freedom to choose any consultant; the chosen entity must meet strict cumulative conditions regarding independence, expertise, and ethics. Failure to meet any single condition disqualifies the organisation from performing the audit.
1. Independence and Conflict of Interest Rules
Article 20(4)(a) mandates that the auditing organisation must be independent from the cloud computing service provider and any legal person connected to that provider. To operationalise this independence, the proposal establishes specific "cooling-off" periods and prohibitions designed to prevent familiarity threats and self-review threats:
- Non-audit services prohibition: The auditor must not have provided non-audit services related to the matters audited, whether to the provider or to connected entities, in the 12-month period before the beginning of the audit. Furthermore, they must commit to not providing such services in the 12-month period after the completion of the audit. This ensures the auditor is not auditing their own work or designs.
- Audit rotation: The auditor must not have provided auditing services pursuant to Article 20 to the provider or connected entities in the 10-year period before the beginning of the audit. This decade-long rotation is significantly longer than standard financial audit rotations, reflecting the high sensitivity of sovereignty assessments.
- Fee structure: The auditor must not perform the audit in return for fees that are contingent on the result of the audit. A "positive" opinion cannot be a condition for payment; the fee must be fixed or based on time and resources, not the outcome.
2. Technical Competence and Expertise
Under Article 20(4)(b), the auditing organisation must demonstrate "proven expertise, technical competence and capabilities in auditing cloud computing services." This is a specific requirement that goes beyond general IT auditing. The auditor must possess the capability to assess the complex sovereignty criteria set out in Annex II, which include:
- Verification of third-country control structures (ownership, governance, commercial links).
- Assessment of data localisation and the separation of Union and third-country subsidiaries.
- Review of software supply chain security, including the verification of Software Bills of Materials (SBOM) and source code auditability.
- Evaluation of personnel screening and Union citizenship requirements.
3. Objectivity and Professional Ethics
Article 20(4)(c) requires the auditor to have "proven objectivity and professional ethics," based in particular on adherence to codes of practice or appropriate standards. This ensures that the audit is conducted impartially. The auditor must be willing to issue a "negative" audit opinion if the provider does not comply with the criteria, rather than succumbing to commercial pressure to secure a "positive" result.
Practical Steps for Providers
When evaluating potential auditing organisations, providers should implement a structured due diligence process aligned with these statutory requirements.
Step 1: Verify Independence against Article 20(4)(a)
Before engaging an auditor, conduct a thorough review of your contractual history and the auditor's client portfolio.
- Check the 12-month window: Review all contracts for consulting, system design, cybersecurity implementation, or other non-audit services. If a firm has advised you on your cloud architecture or sovereignty strategy within the last 12 months, it is legally disqualified from auditing that same architecture under CADA.
- Check the 10-year window: Review your audit history for the past decade. If a firm audited your Level 2 or 3 status under CADA in 2024, it cannot audit you again until 2034. (Strictly, the text refers only to audits "pursuant to this Article"; audits under a similar predecessor framework would be caught only if the text is read as implying continuity.) This long rotation period is designed to prevent familiarity threats, where an auditor becomes too closely aligned with the provider's management.
- Check fee structures: Ensure the proposed engagement letter explicitly states that fees are not contingent on the audit outcome.
Step 2: Assess Technical Competence per Article 20(4)(b)
Cloud sovereignty auditing is highly specialized. Providers should request evidence of the auditor's prior experience with CADA-like frameworks or existing EU cybersecurity certifications (such as the European Cybersecurity Certification Scheme for Cloud Services, EUCS, once adopted). Ask for case studies or anonymized examples of audits involving:
- Assessment of third-country control structures (ownership, governance, commercial links).
- Verification of data localisation and sub-contractor chains.
- Review of software supply chain security (SBOMs and source code auditability).
An auditor lacking specific cloud infrastructure expertise may fail to identify subtle sovereignty breaches, leading to a negative opinion or a flawed audit that is later challenged by competent authorities.
Step 3: Confirm Ethical Standards under Article 20(4)(c)
Request the auditor's code of ethics and professional standards. Ensure they adhere to recognized international or EU auditing standards. The auditor must demonstrate a track record of objectivity, meaning they are willing to issue a negative opinion if criteria are not met.
Step 4: Evaluate Operational Capacity
While not explicitly detailed in Article 20(4), the auditor must have the resources to perform the audit effectively. Article 20(2) requires providers to cooperate and provide access to all relevant data and premises. The auditor must be able to handle this volume of evidence efficiently. Delays in audit completion can jeopardize a provider's ability to bid for public contracts with strict sovereignty requirements.
Consequences of Non-Compliance
If a provider selects an auditor that does not meet the Article 20(4) criteria, the resulting audit report and opinion may be deemed invalid. Under Article 17(11), the evaluating national competent authority may revoke recognition if the provider supplied incorrect or misleading information, which could include using a disqualified auditor. Furthermore, Article 24 empowers Member States to impose effective, proportionate and dissuasive penalties for infringements of the sovereignty framework. A failed audit due to improper auditor selection can result in significant financial losses, reputational damage, and exclusion from the EU public sector market.
What this means for you
For cloud service providers and data centre operators, the selection of an auditing organisation is no longer a purely commercial decision; it is a compliance obligation with long-term strategic implications.
- Contractual Scrutiny: You must maintain detailed records of all services procured from external firms. This includes distinguishing between audit services and non-audit services (e.g., security consulting, cloud migration support). A failure to track these distinctions can inadvertently trigger the 12-month cooling-off period, disqualifying your preferred auditor.
- Long-Term Planning: The 10-year audit rotation rule means you cannot rely on a single auditor for your sovereignty credentials indefinitely. You must build a pipeline of qualified auditing organisations to ensure continuity. Start researching and qualifying alternative auditors well before your current audit term expires.
- Due Diligence Documentation: Keep written evidence of your auditor selection process. Document how you verified their independence, competence, and ethical standards. This documentation may be requested by national competent authorities during the recognition process (Article 17) or in the event of an investigation.
- Cost vs. Risk: While smaller or less specialized auditors may offer lower fees, they may lack the technical competence required by Article 20(4)(b). A negative audit opinion or a delayed audit can cost far more in lost contracts than the premium for a highly specialized, reputable auditing firm.
Common misconceptions
Misconception 1: "Any ISO 27001 auditor can audit my CADA compliance." Incorrect. While ISO 27001 competence is relevant, CADA requires specific expertise in cloud sovereignty, supply chain transparency, and the complex legal/technical criteria of Annex II. Article 20(4)(b) explicitly requires "proven expertise... in auditing cloud computing services" in the context of this Regulation. Generic IT auditors may lack the specific knowledge to assess third-country control structures or software bill of materials adequately.
Misconception 2: "The 10-year rule only applies if the same audit scope is used." Incorrect. Article 20(4)(a)(ii) states that the auditor must not have provided auditing services "pursuant to this Article" to the provider in the 10-year period. This is a broad prohibition on the auditor-provider relationship for CADA audits, regardless of the specific assurance level or minor variations in scope.
Misconception 3: "I can use the same firm for security consulting and auditing if they are separate teams." Incorrect. Article 20(4)(a)(i) prohibits non-audit services "related to the matters audited" to the provider or any connected legal person. Even if different teams are involved, the firm itself is disqualified if it has provided related non-audit services within the 12-month window before or after the audit. The prohibition applies to the organisation, not just the individual auditors.
Misconception 4: "Contingent fees are allowed if the audit is successful." Incorrect. Article 20(4)(a)(iii) explicitly prohibits audits performed "in return for fees that are contingent on the result of the audit." This is a fundamental conflict of interest that undermines the objectivity required by Article 20(4)(c).
This is general information about a draft EU regulation, not legal advice.