Summary
Under the proposed Cloud and AI Development Act (CADA), "audit criteria" are the standards an auditing organisation would use to verify whether a cloud service meets Union assurance levels 2, 3, or 4. Defined in Article 2(19), they are the criteria set out in Annex II, and they are cumulative — a provider would have to satisfy every criterion for the lower levels before qualifying for a higher one. A positive audit opinion against these criteria would be the mandatory gateway to formal sovereignty recognition and, in turn, to supplying EU public sector bodies at the higher levels.
Detail
CADA (COM(2026) 502 final) would introduce a harmonised framework for sovereign cloud computing services that goes beyond technical cybersecurity to address third-country control, data localisation, and operational autonomy. The audit criteria are the substantive heart of that framework.
The definition: Article 2(19)
Article 2(19) of the proposal defines "audit criteria" as:
"the criteria, pursuant to Annex II to this Regulation, against which the auditing organisation assesses whether the audited provider and its audited service comply with each cumulative criterion to be met for it to be recognised as offering Union assurance levels 2, 3, or 4"
Three elements matter for compliance teams:
- Source: The criteria live in Annex II of the Regulation.
- Function: They are the benchmark an independent auditing organisation uses to measure compliance.
- Scope: They apply to Union assurance levels 2, 3, and 4. (Level 1 would rest on a conformity self-assessment and an EU statement of conformity under Article 19, not an independent audit.)
The cumulative nature of the criteria
The assurance levels would be cumulative. Article 20(1) provides that a provider undergoing an audit at a higher Union assurance level "shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels," and that "[f]ailure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
In practice, reaching level 4 would require meeting every criterion for levels 1, 2, and 3 as well. Each level would be a strict escalation of sovereignty and security controls, not a swap of one rule set for another.
The criteria in Annex II
Annex II sets out detailed criteria per level. They broadly cluster around several pillars:
- Establishment and location: The provider, and relevant subcontractors and assets, must be established or located in the Union (Annex III audit criteria A and B).
- Data localisation: Customer data must be located in the Union, with the requirement tightening across levels (audit criterion C).
- Cybersecurity certification: The service must hold a European cybersecurity certificate at the relevant level — assurance level "substantial" for Union assurance levels 2 and 3, and "high" for level 4.
- Absence of third-country control: For higher levels, the provider and the parties involved in the service must not be subject to the control of a third country or a third-country entity. Union assurance level 4 prohibits such control outright; for level 3 a limited derogation is possible where the Commission has identified an "associated third country" under Article 18.
Other criteria address Union citizenship of personnel for certain functions, restrictions on AI systems operated by or for a third country, technical and operational support being provided from within the Union, software supply chain transparency, and open-source software (audit criteria D through K in Annex III). Where a provider is subject to third-country control, lower levels also require, for example, guarantees against laws compelling the reporting of unexploited software vulnerabilities to third-country authorities.
Connection to sovereignty recognition (Articles 17-22)
The audit criteria are the mechanism that drives recognition:
- Application: A provider applies to the national competent authority of its establishment for recognition (Article 17).
- Audit: For levels 2-4, the provider undergoes an independent third-party audit (Article 20). The auditing organisation assesses it against the Annex II criteria, using the audit evidence in Annex III (Article 21).
- Audit opinion: The organisation issues a report with a "positive" or "negative" opinion (Article 20(5)). A positive opinion indicates compliance with the applicable criteria.
- Recognition: The competent authority adopts a recognition decision; the audited service is then recognised throughout the Union at the appropriate assurance level (Article 17).
- Central repository: Recognised services are registered in a publicly available central repository maintained by the Commission (Article 22), which buyers consult when procuring.
Without a positive audit opinion against the Annex II criteria, a provider could not achieve recognition for levels 2-4, and could not meet tenders that require those levels.
What this means for you
For in-house counsel and compliance officers, the audit criteria would reshape procurement and compliance obligations.
For cloud providers:
- Preparation for audit: To serve the EU public sector at levels 2-4, align operations with the cumulative Annex II criteria — verifying that subcontractors, data flows, and personnel arrangements meet the Union-centric rules.
- Documentation: Maintain robust evidence. Article 21 requires audit evidence to be relevant, sufficient, and reliable, drawn from the Annex III list.
- Continuous compliance: Audits would not be one-offs. Article 20(8) requires an annual review, and Article 23 requires you to notify the auditing organisation and competent authority of material changes that may affect the audit report, opinion, or recognition.
For public sector buyers:
- Procurement constraints: Under Article 30, contracting authorities (and certain Union entities) would, as a baseline, procure services recognised at least at Union assurance level 1. Where a risk assessment under Article 29 identifies public-order activities (e.g. national security, critical infrastructure under the NIS2 sectors, law enforcement), they would have to procure at level 2, 3, or 4.
- Verification: Check that the service is listed in the central repository (Article 22) with the appropriate recognition. For levels 2-4, a provider's self-declaration would not suffice — a valid audit report and recognition decision would be required.
Deadlines and penalties:
- Member States would designate national competent authorities by one year after entry into force (Article 25).
- Penalties for infringements of the relevant Chapter are to be laid down by Member States and must be effective, proportionate, and dissuasive. The factors to be taken into account when setting a penalty include the nature, gravity, scale and duration of the infringement, any financial benefit gained, and the party's Union annual turnover (Article 24). Recipients would also have a right to seek compensation for damage caused by an infringement (Article 24(3)).
Common misconceptions
Misconception 1: Audit criteria are the same as cybersecurity standards. Cybersecurity is one component — the criteria reference a European cybersecurity certificate at "substantial" or "high" — but the CADA criteria are broader. They add sovereignty factors such as freedom from third-country control, data localisation, and personnel arrangements that standard cybersecurity certifications do not cover.
Misconception 2: Level 1 requires an independent audit. No. Article 19 would let a provider issue a self-assessment and an EU statement of conformity for Union assurance level 1. Independent audits, and the application of the audit criteria by an auditing organisation, would be mandatory only for levels 2, 3, and 4.
Misconception 3: You can skip lower levels to reach Level 4. Because the criteria are cumulative, you could not bypass the requirements of the lower levels. Recognition at level 4 would require full compliance with the applicable criteria across all levels.
This is general information about a draft EU regulation, not legal advice.