Summary

Yes. Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider seeking recognition for Union assurance levels 2, 3, or 4 is legally obligated to actively cooperate with independent auditing organisations. As proposed, Article 20(2) explicitly requires providers to grant auditors access to all relevant data and premises, answer oral or written questions, and strictly refrain from hampering, unduly influencing, or undermining the audit. Failure to meet these cooperation obligations can result in a negative audit opinion, the revocation of recognition, and exclusion from the EU public sector market.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework to reduce dependencies on third-country providers and safeguard the Union's public order. While Union assurance level 1 relies on a conformity self-assessment, achieving levels 2, 3, or 4 requires a mandatory independent third-party audit. The integrity of this framework depends entirely on the provider's willingness to submit to scrutiny.

The Legal Obligation to Cooperate

The core legal duty is codified in Article 20 of the proposal, which governs independent audits. Specifically, Article 20(2) sets out a non-negotiable mandate: "Audited providers shall cooperate with auditing organisations and provide them assistance necessary to enable them to conduct those audits in an effective, efficient and timely manner."

The proposal breaks this broad obligation down into three concrete, actionable requirements that providers must fulfill:

  1. Unrestricted Access to Data and Premises: Providers must give auditing organisations "access to all relevant data and premises." This is not a passive right; it is an active duty to facilitate the auditor's physical and digital inspection. This access is critical for verifying the physical location of infrastructure, the governance of data flows, and the technical controls in place to prevent third-country access.
  2. Responsiveness to Inquiries: Providers must "answer oral or written questions" posed by the auditors. This requirement ensures that auditors can clarify technical configurations, understand contractual arrangements with subcontractors, and verify incident response procedures. Silence or evasion is not a valid strategy under the proposal.
  3. Prohibition on Interference: Providers must "refrain from hampering, unduly influencing or undermining the performance of the audit." This clause is designed to prevent providers from obscuring evidence, delaying access to critical systems, or exerting pressure on auditors to overlook non-compliance.

The Scope of Required Cooperation

The scope of cooperation is extensive because the audit criteria in Annex II of the CADA proposal are comprehensive. Auditors must verify complex supply chain measures, including the absence of third-country control, the location of personnel, and the handling of customer data.

For instance, to verify compliance with the criteria for Union assurance levels 2, 3, and 4, auditors may need to:

  • Inspect source code to ensure no remote features exist that could tamper with the system.
  • Review complete and up-to-date Software Bills of Materials (SBOMs).
  • Examine contractual clauses with subcontractors to ensure they meet Union legal obligations.
  • Verify the physical location of servers and the nationality of personnel.

If a provider restricts access to these elements, the auditor cannot form a conclusion on compliance. As noted in Article 20(6), if an auditing organisation is unable to audit certain aspects or express an opinion, the audit report must explicitly state the reasons why. This limitation effectively blocks the path to recognition.

Consequences of Non-Cooperation

The consequences of failing to cooperate are severe and immediate. Under Article 20(7), an auditing organisation "may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence." While this specifically mentions evidence, the inability to provide access or answer questions effectively constitutes a failure to supply the necessary evidence for a positive opinion.

Furthermore, Article 23 imposes transparency obligations, requiring providers to notify auditors and competent authorities of any material changes that could affect the audit report. A lack of cooperation during the initial audit or subsequent annual reviews can lead to a "negative" audit opinion. Without a "positive" audit opinion, a national competent authority cannot recognize the cloud service under Article 17. Consequently, a provider that fails to cooperate effectively cannot legally offer its services to public sector bodies whose activities have been identified as contributing to the preservation of public order.

What this means for you

If you are a cloud service provider aiming for Union assurance levels 2, 3, or 4, you must treat audit cooperation as a core operational requirement, not an occasional administrative task. The proposed regulation demands a proactive, transparent, and collaborative approach.

Prepare your internal teams: Your legal, technical, and compliance teams must be trained to respond to auditor inquiries promptly. Delays in providing data or answering questions can be interpreted as "hampering" the audit under Article 20(2). Establish clear internal protocols for handling auditor requests for access to premises and data, ensuring that the right personnel are available to answer questions without delay.

Ensure technical readiness: Auditors will need to verify that your infrastructure, assets, and personnel are located within the Union, and that your software supply chain is transparent. Ensure that your systems can generate the necessary logs, SBOMs, and documentation required by Annex III of the CADA proposal. If your technical architecture makes it difficult to prove compliance (e.g., if data flows are opaque or access paths are restricted), you must address these gaps before the audit begins.

Manage subcontractor relationships: The audit extends to your subcontractors. You must ensure that your subcontractors are also prepared to provide evidence of their compliance, as auditors will assess the entire service delivery chain. Include audit cooperation clauses in your contracts with subcontractors to ensure they can provide the necessary information when requested, as you remain responsible for the service as a whole.

Maintain ongoing transparency: Cooperation does not end with the initial audit. Article 20(8) requires providers to annually submit the audit report and opinion for review. Providers must continue to cooperate with auditors annually to confirm continued compliance. Failure to cooperate during these annual reviews can lead to the revocation of the initial audit opinion. Additionally, Article 23 requires you to notify auditors of any material changes immediately.

Common misconceptions

Misconception 1: Cooperation means granting unrestricted access to all company data. While providers must give access to "all relevant data," this does not mean auditors can inspect unrelated business secrets or unrelated services. However, the definition of "relevant" is broad and includes any data necessary to verify compliance with the assurance criteria. Providers should not withhold data under the guise of confidentiality if it is essential for the audit. Auditors are bound by confidentiality obligations under Article 20(3), which states they must ensure "an adequate level of confidentiality and professional secrecy," but providers cannot use confidentiality to block the audit.

Misconception 2: Self-assessment is enough for most services. Only Union assurance level 1 allows for self-assessment. Levels 2, 3, and 4, which are required for many public sector use cases involving public order, mandate independent audits. Assuming that self-certification is sufficient for broader market access is a significant risk. The proposal explicitly states that for levels 2-4, providers "shall undergo at their own expense, independent third-party audits."

Misconception 3: The audit is a one-time event. CADA requires annual reviews of the audit report and opinion under Article 20(8), so cooperation with the auditing organisation is a continuing duty rather than a single exercise. The proposal states that on the basis of the annual review, the auditing organisation "may confirm, update, or revoke the initial audit report and audit opinion."

Misconception 4: I can influence the auditor's findings. Article 20(2) explicitly prohibits providers from "unduly influencing" the performance of the audit. Auditing organisations must be independent and free from conflicts of interest, as detailed in Article 20(4). Attempting to pressure an auditor or influence their findings is a direct violation of the proposal and can lead to the revocation of the audit opinion.

This is general information about a draft EU regulation, not legal advice.