Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider that has been recognised at a Union assurance level must, as soon as possible, notify its auditing organisation and its national competent authority of establishment of any information or material change in circumstances that may affect its audit report, its positive audit opinion (Article 20) or its recognition (Article 17). This is the core transparency obligation in Article 23. It keeps the central repository of recognised services accurate so that public-sector buyers can continue to rely on it. CADA is a draft proposal, so these obligations are not yet in force.

Detail

CADA's sovereignty framework recognises services at Union assurance levels 1 to 4 against the cumulative criteria in Annex II. Recognition, however, reflects circumstances at a point in time, and ownership, infrastructure, personnel and the surrounding legal environment can change. Article 23 ("Transparency obligations") addresses this by turning compliance into a continuing duty.

The core obligation: notify material changes

Article 23(1) provides that, on becoming aware of any information or any material change in circumstances that may affect the audit report and the positive opinion under Article 20 or the recognition under Article 17, the recognised provider must, as soon as possible, notify:

  1. the auditing organisation (for providers recognised at levels 2, 3 or 4, where an audit underpins the recognition); and
  2. the national competent authority of establishment.

The trigger is broad. The duty is engaged by any change that may affect the report, opinion or recognition — not only changes that have already broken compliance. Recital 58 frames the aim as ensuring the continued accuracy and reliability of a service's assurance-level status by requiring providers to report relevant information or material changes promptly.

What counts as a "material change"

Article 23 does not set out an exhaustive list. In practice, materiality is judged against the cumulative Annex II criteria for the relevant level and the audit evidence in Annex III. Changes that could plausibly bear on those criteria include, for example:

  • Ownership or control — a change in the entity that controls the provider, particularly relevant where third-country control is in issue.
  • Location of infrastructure or data — moving infrastructure, assets or customer data outside the Union, where Annex II requires Union location.
  • Personnel and subcontracting — engaging personnel or subcontractors in ways that bear on the applicable criteria (Annex II addresses personnel and subcontractor requirements, with some elements, such as additional personnel screening and Union citizenship at level 2, framed as conditional on the public-sector body's determination).
  • Cybersecurity posture — an incident or change affecting compliance with the cybersecurity criteria, including any applicable European cybersecurity certification.
  • Legal environment — changes in a controlling third country's laws or practices that bear on the Annex II conditions.

Because the standard is "may affect," the prudent course is to notify where a change could be material rather than wait for certainty.

The auditing organisation's role (Article 23(2))

On the basis of the provider's notification, the auditing organisation must assess whether the audit report or audit opinion needs to be amended or revoked. Where it amends or revokes either, it must, as soon as possible, notify the national competent authority of establishment.

The competent authority's role (Article 23(3))

On the basis of the notification under paragraph 1 or 2, the national competent authority of establishment must assess whether its recognition needs to be amended or revoked. Where it amends or revokes the recognition, it must, as soon as possible, notify the national competent authorities of the other Member States and the Commission. That cross-border notification keeps the status of the service consistent across the single market and feeds the central repository.

Link to the central repository

These obligations connect directly to the central repository under Article 22. Where a recognition or an audit report/opinion is revoked through the Article 23 chain, Article 22(3) requires the revocation to be published in the repository and to remain available there for five years. That is what lets public-sector buyers and others verify current status and see recent loss of status.

How the obligation fits with the annual review

Article 23 is a continuous, event-driven duty, and it sits alongside the periodic checkpoints in the audit regime. For audited levels, Article 20(8) requires the provider to submit the audit report and positive opinion annually for review by the same or a different auditing organisation, which may confirm, update or revoke them. Article 23 covers the time between those reviews: if a material change arises three months after the last annual review, the provider cannot wait nine months for the next one — it must notify as soon as possible. In effect, the annual review is the scheduled health check and Article 23 is the duty to call for help between check-ups.

Confidentiality and what is actually shared

Transparency here does not mean exposing commercially sensitive detail. Article 20(3) requires auditing organisations to maintain confidentiality and professional secrecy over information obtained during audits, and provides that, under Article 23, the auditing organisation is to share only information necessary for reporting purposes that does not contain anything reasonably considered confidential. So the notification chain is calibrated: enough flows to the authority for it to reassess recognition, without the audit's confidential contents being broadcast.

The consequences of getting it wrong

Failing to notify a material change is not a neutral omission. If undisclosed changes come to light, they can support a finding that the provider negligently or intentionally supplied incorrect or misleading information — a direct ground for revocation by the competent authority (Article 17(11)) or by the auditing organisation (Article 20(7)). Beyond revocation and its five-year publication, Member States must lay down effective, proportionate and dissuasive penalties for infringements by providers (Article 24), with the penalty criteria in Article 24(2) including the nature, gravity, scale and duration of the infringement and any financial benefit gained. Prompt, honest notification is therefore both the compliance route and the risk-mitigation route.

What this means for you

If you are a provider serving (or aiming to serve) EU public-sector bodies or Union entities, treat transparency as an ongoing operational duty.

1. Build internal monitoring. Do not rely on the annual audit review to surface problems. Monitor ownership and control, your infrastructure and subcontractor map, and — where you are subject to third-country control — relevant changes in that country's law.

2. Define "material" internally, and err towards notifying. CADA does not define the term; set a clear internal threshold and, where a change might affect your report, opinion or recognition, notify. Late or inaccurate notification risks penalties under Article 24 (effective, proportionate and dissuasive) and can amount to the kind of negligent or misleading conduct that grounds revocation (Articles 17(11), 20(7)).

3. Notify the right parties. For levels 2 to 4, notify both the auditing organisation and the competent authority. The auditor reassesses the report/opinion; the authority reassesses the recognition.

4. Anticipate publication. Any resulting revocation is published in the repository for five years (Article 22(3)). Transparency here is a matter of market reputation as much as regulatory form.

Common misconceptions

"Transparency obligations apply only at levels 3 and 4." Article 23 applies to any provider recognised under Article 17, across levels 1 to 4. The mechanics differ: a level 1 provider relies on a self-assessment and EU statement of conformity (Article 19) and has no auditing organisation to notify, but still must notify the competent authority of material changes. The duty to notify an auditing organisation arises for the audited levels 2, 3 and 4.

"I only need to notify once I am definitely non-compliant." The trigger is a change that may affect the report, opinion or recognition. You should notify before a definitive breach is established, so the auditor and authority can assess the position.

"Notification is part of the annual review." Article 23 requires notification "as soon as possible" on becoming aware of a change — a continuous, interim obligation, distinct from the annual review of the audit report under Article 20(8).

"Only the competent authority needs to know." For levels 2 to 4, both the auditing organisation and the competent authority must be notified. Skipping either step does not satisfy Article 23.

This is general information about a draft EU regulation, not legal advice.