Summary

As proposed, the Cloud and AI Development Act (CADA) would require cloud computing service providers recognised under the Union assurance framework to maintain transparency about their sovereignty status. The Commission would establish a publicly available central repository of recognised services (Article 22), and recognised providers would have to report any material change that could affect their audit report, positive opinion or recognition (Article 23). The aim is to give public-sector buyers reliable, up-to-date information for procurement decisions while protecting EU public order.

Detail

The transparency obligations sit in Title IV (Autonomy and Adoption), within the Union cloud computing sovereignty framework. As proposed, they address imperfect information in the cloud market, where buyers struggle to verify whether a provider meets the sovereignty, security and operational-autonomy standards needed for sensitive public-sector activities.

The cornerstone is a central repository. Under Article 22, the Commission would establish and maintain a dedicated repository of cloud computing services recognised in accordance with Article 17. The national competent authority of establishment that recognises a service would register it in the repository (Article 22(2)). The repository would be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated, easily accessible website (Article 22(4)). Where an audit report and opinion are revoked by an auditing organisation, or a recognition is revoked by a competent authority, that revocation would be published in the repository and remain available there for five years (Article 22(3)). Buyers could therefore verify current status and see recent losses of recognition.

Complementing the repository is a dynamic reporting duty. Under Article 23, a recognised provider that becomes aware of any information or material change in circumstances that may affect the audit report and the "positive" opinion under Article 20, or the recognition under Article 17, must as soon as possible notify the auditing organisation and the national competent authority of establishment. This is a proactive duty: providers must monitor their own operations and supply chains.

On the basis of that notification, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked; if it amends or revokes either, it must notify the national competent authority of establishment (Article 23(2)). The competent authority must then assess whether its recognition needs to be amended or revoked, and if it changes the recognition, it must notify the competent authorities of the other Member States and the Commission (Article 23(3)). This chain keeps the central repository accurate across the Union.

These measures connect directly to procurement. Under Article 30, contracting authorities would procure services recognised at specific Union assurance levels (at least level 1, and levels 2, 3 or 4 for public-order activities). The repository and the reporting duties under Articles 22 and 23 provide the evidentiary basis for those decisions.

Transparency also features at Union assurance level 1. Under Article 19, a provider seeking level 1 carries out a conformity self-assessment and issues an EU statement of conformity, which it must make publicly available (Article 19(3)). Although level 1 rests on a self-assessment, the public availability of the statement adds market transparency at the baseline level.

For higher assurance levels (2, 3 and 4), transparency is underpinned by independent third-party audits (Article 20). The audit report and opinion form the basis of recognition; while the full report may contain confidential business information, the recognition outcome is public via the central repository — balancing market transparency with protection of trade secrets.

The proposal also requires penalties. Under Article 24, Member States would lay down rules on penalties for infringements of this Chapter by providers; those penalties must be effective, proportionate and dissuasive, with non-exhaustive criteria (such as the nature, gravity and duration of the infringement) guiding their imposition. Recipients of the services would also have a right to seek compensation for damage caused by a provider's infringement (Article 24(3)).

What this means for you

If you are a cloud provider or data-centre operator aiming to serve the EU public sector, you would need robust internal monitoring and reporting. Obtaining recognition would not be a one-off.

  1. Monitor for material changes: Put in place a system to detect changes that could affect compliance with the Union assurance levels — for example, changes in subcontractors, data locations, certifications or ownership/control that might introduce third-country control.
  2. Notify promptly: As soon as you identify a material change, notify your auditing organisation and your national competent authority of establishment. Delay could be treated as an infringement and lead to penalties or revocation.
  3. Prepare for repository listing: Ensure your service details are ready for registration; this information would be publicly accessible.
  4. Maintain audit readiness: Work with your auditing organisation so that reported changes are properly assessed and your audit opinion stays positive.
  5. Understand revocation: A revocation would remain visible in the central repository for five years, which could affect future public-sector bids.

Common misconceptions

Misconception 1: Transparency only applies to the highest sovereignty levels. As proposed, the central repository (Article 22) covers services recognised under Article 17 across the framework. At Union assurance level 1, providers must additionally make their EU statement of conformity public (Article 19(3)). The Article 23 reporting duty applies to recognised providers in respect of changes affecting their audit report or positive opinion under Article 20, or their recognition under Article 17.

Misconception 2: The central repository is a private database for regulators. The central repository would be publicly available (Article 22(4)) — a deliberate feature designed to empower buyers and create market pressure for compliance.

Misconception 3: Reporting material changes is optional if the change is minor. Article 23 requires notification of any information or material change in circumstances that may affect the audit report, the positive opinion or the recognition. The threshold is broad; providers should err on the side of caution.

Misconception 4: Once recognised, a provider's status is static. As proposed, recognition is a status that must be maintained: providers must report changes (Article 23), and a competent authority may revoke a recognition — for example, where a provider intentionally or negligently supplied incorrect or misleading information (Article 17(11)).

This is general information about a draft EU regulation, not legal advice.