Summary

Under the proposed Cloud and AI Development Act (CADA), buyers, specifically public sector contracting authorities and Union entities, have a defined right to request specific evidence to verify a vendor's compliance with Union assurance levels. For Union assurance level 1, the primary evidence is the EU statement of conformity, which the provider is legally obliged to make "publicly available" under Article 19(3). For the higher assurance levels (2, 3 and 4), buyers can request confirmation of a "positive" audit opinion and evidence of entry in the central repository, but CADA gives them no right to the full audit report or the underlying technical evidence, which is covered by the confidentiality and professional secrecy duty placed on auditing organisations by Article 20(3). Article 23 further requires providers to notify the auditing organisation and the national competent authority of material changes affecting their recognition; the resulting amendment or revocation is reflected in the public repository, which buyers must monitor rather than relying solely on direct vendor notifications. The framework balances regulatory transparency with the protection of trade secrets.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. This framework relies on four distinct "Union assurance levels" to categorise the sovereignty and resilience of cloud services. For legal and compliance teams, the critical question is not just what levels exist, but what evidence a buyer can legally demand from a vendor to prove compliance. The proposal draws a sharp line between self-declared compliance (Level 1) and independently audited compliance (Levels 2–4), with specific rules governing the disclosure of that evidence.

Level 1: The Public EU Statement of Conformity

For cloud computing service providers seeking recognition at Union assurance level 1, the compliance mechanism is a conformity self-assessment. Under Article 19(1), providers must carry out this self-assessment against the criteria set out in Annex II.

The critical disclosure requirement is found in Article 19(3), which states: "The cloud computing service provider shall make the EU statement of conformity publicly available."

This provision imposes an obligation on the provider and, in practice, gives buyers a clear entitlement:

  • Public Availability: The statement is not a private contractual document to be negotiated in confidence. It is a public declaration. A buyer can request this document directly, but they can also verify its existence and content through public channels.
  • Content: The statement confirms that the provider has demonstrated compliance with the Level 1 criteria (e.g., establishment in the Union, data location, and cybersecurity standards).
  • Liability: By issuing this statement, the provider "shall assume responsibility for the compliance of the cloud computing service with the criteria" (Article 19(2)). If the statement is false, the provider faces penalties under Article 24.

Therefore, for Level 1 services, the "evidence" a buyer asks for is the EU statement of conformity itself. If a vendor refuses to provide it or claims it is confidential, the vendor is likely in breach of Article 19(3). A buyer should also check that the statement the vendor hands over matches the version the vendor has actually published, since the published version is the one the provider assumes responsibility for.

Levels 2, 3, and 4: Independent Audits and Confidentiality

For Union assurance levels 2, 3, and 4, the burden of proof shifts from self-assessment to independent third-party audits. Under Article 20(1), providers must undergo audits to obtain an "audit report" and an "audit opinion" from an auditing organisation.

However, the disclosure of this evidence is heavily regulated to protect commercial secrets. Article 20(3) establishes a strict confidentiality boundary:

"Auditing organisations shall ensure an adequate level of confidentiality and professional secrecy in respect of the information obtained from the audited providers and third parties as part of the audits, including after the audits have ended."

This creates a nuanced landscape for buyers:

  1. The Audit Report vs. The Audit Opinion: While the full audit report contains detailed findings, methodologies, and potentially sensitive technical data, the audit opinion is the formal conclusion. Article 20(5)(g) requires the report to include a "positive" or "negative" audit opinion.
  2. What Buyers Can Request: Buyers can request the positive audit opinion as proof that the service has been recognised. They can also request confirmation that the service is listed in the central repository.
  3. What Buyers Cannot Request: CADA gives buyers no right to the full audit report, the underlying audit evidence (such as access logs, detailed vulnerability scan results or internal control procedures), or the auditor's working papers. Article 20(3) places the confidentiality and professional secrecy duty on the auditing organisation, so a buyer cannot obtain this material from the auditor, and the proposal contains no provision obliging the provider to hand it over. Whether a provider chooses to share any of it with a buyer under a non-disclosure agreement is a contractual matter outside the regulation.

The "positive" audit opinion serves as the gateway to recognition. Under Article 17(4), providers seeking Levels 2–4 must submit the audit report and the "positive" audit opinion to the national competent authority. Once the authority is satisfied, it issues a recognition decision.

The Central Repository: The Primary Verification Tool

Rather than relying on ad-hoc document requests, CADA establishes a central repository of recognised services under Article 22.

  • Public Access: The repository is "publicly available" and "regularly updated" by the Commission and national competent authorities.
  • Verification: Buyers should primarily verify a vendor's status by checking this repository. If a vendor claims to offer Union assurance level 3, the buyer must confirm the service is registered there.
  • Revocation: If a recognition is revoked (e.g., due to incorrect information), this is published in the repository and remains available for five years (Article 22(3)).

This shifts the buyer's duty from "demanding documents" to "monitoring the public register." The repository acts as the single source of truth for the validity of the assurance level.

Transparency Obligations and Material Changes

A critical aspect of the CADA framework is the ongoing obligation to report changes. Article 23 imposes transparency obligations on recognised providers.

  • Notification Duty: Under Article 23(1), if a provider becomes aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion... or the recognition," they must notify the auditing organisation and the national competent authority "as soon as possible."
  • Impact on Buyers: While Article 23 does not explicitly mandate that the provider notify every individual buyer directly, the consequence of a material change is that the recognition may be amended or revoked. This change is then reflected in the central repository.
  • Buyer Responsibility: Consequently, buyers must, as a practical matter, monitor the repository. If a vendor's status changes (e.g., from Level 3 to Level 2, or is revoked), the buyer must act. Relying on a vendor to proactively email a notice of material change is insufficient; the regulatory mechanism is the public update of the repository.

Summary of Requestable Evidence

Based on the text of the proposal, the scope of evidence a buyer can legally request is as follows:

Level 1
  • Requestable evidence: EU statement of conformity (Article 19(3)). Must be publicly available.
  • Not requestable under CADA: None (the document is public).

Levels 2–4
  • Requestable evidence: Positive audit opinion (Article 20(5)(g)); confirmation of repository entry (Article 22).
  • Not requestable under CADA: Full audit report (Article 20(3)); raw audit evidence (Annex III); technical findings constituting trade secrets.

Ongoing
  • Requestable evidence: Confirmation of current status via the central repository.
  • Not requestable under CADA: Direct notification of material changes (Article 23 requires notification to the auditing organisation and the national competent authority, not to buyers, though a contract may require it).

Penalties for Non-Compliance

Article 24 applies to infringements of the regulation, for example a provider that fails to publish its EU statement of conformity or supplies incorrect information in the recognition procedure. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." Factors for penalties include the nature, gravity and duration of the infringement, as well as any financial benefits gained. Penalties are imposed by the authorities, not the buyer, so buyers should ensure their contracts include termination rights if a vendor loses its recognition or fails to maintain the required evidence.

What this means for you

For in-house counsel and compliance officers, the CADA proposal fundamentally changes the due diligence process from a private negotiation to a regulatory verification exercise.

  1. Shift to Public Verification: Do not rely solely on vendor-provided PDFs. For Level 1, verify that the EU statement of conformity is publicly accessible. For Levels 2–4, the primary verification step is checking the central repository (Article 22). If a service is not listed, treat it as not recognised; because the repository is "regularly updated" rather than updated in real time, a vendor that claims a very recent recognition decision should be asked for the decision itself, and the entry confirmed with the national competent authority before contract signature.
  2. Contractual Clauses for Evidence: Update procurement templates.
    • For Level 1: Require the vendor to provide the EU statement of conformity and warrant that it remains publicly available.
    • For Levels 2–4: Require the vendor to provide the positive audit opinion (not the full report) and warrant that the service remains listed in the central repository.
    • Include a clause that loss of recognition or a material change affecting the assurance level constitutes a material breach.
  3. Respect Confidentiality Boundaries: When auditing vendors for Levels 2–4, do not demand the full audit report or raw data. Article 20(3) protects this information. If you require deeper technical assurance, consider whether a higher Union assurance level (which may have stricter criteria) is appropriate, or negotiate specific warranties that do not violate CADA's confidentiality rules.
  4. Active Monitoring: Implement a process to monitor the central repository. Under Article 23, vendors must report material changes to authorities, which are then published. Buyers must be proactive in checking for these updates rather than waiting for vendor notifications.

Common misconceptions

"Buyers can demand the full audit report to verify technical security."

  • Reality: No. Article 20(3) requires auditing organisations to ensure an "adequate level of confidentiality and professional secrecy" over the information obtained in the audit, and nothing in the proposal obliges the provider to release the report. Buyers are entitled to the positive audit opinion and the repository status, but not to the underlying report or raw audit data unless the provider agrees to share it contractually.

"Self-assessment for Level 1 means no formal evidence is needed."

  • Reality: Incorrect. Article 19(3) requires the provider to make the EU statement of conformity "publicly available." This is a formal, legally binding document that serves as the primary evidence of compliance. It is not a mere internal memo.

"Vendors must notify buyers directly of every material change."

  • Reality: Not under CADA. Article 23 requires vendors to notify the auditing organisation and the national competent authority. The regulatory mechanism for informing the market is the update of the central repository. While a contract can require direct notification, the regulation itself relies on the public record.

"The audit report is the same as the audit opinion."

  • Reality: They are distinct. The audit report (Article 20(5)) contains the detailed findings and methodology; the audit opinion (Article 20(5)(g)) is the formal conclusion ("positive" or "negative"). Both are submitted to the national competent authority under Article 17(4), but the positive opinion is the conclusion on which recognition turns and the primary evidence buyers can request without touching confidential material.

This is general information about a draft EU regulation, not legal advice.