Summary

As proposed, the Cloud and AI Development Act (CADA) allows for the revocation of Union assurance recognition if a cloud provider intentionally or negligently supplies incorrect or misleading information. This applies to both the initial application and ongoing audit evidence. Crucially, Article 22(3) mandates that any revocation be published in the central repository and remain publicly visible for five years, creating a lasting reputational barrier. To avoid this, providers must implement rigorous internal verification of all evidence, maintain strict ongoing compliance, and immediately notify authorities of any material changes under Article 23.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for recognising cloud computing services that meet specific "Union assurance levels" regarding sovereignty, security, and operational autonomy. For cloud service providers (CSPs), obtaining this recognition is the primary gateway to serving Union entities and public sector bodies under the procurement mandates of Article 30. However, this status is not a permanent badge of honour; it is a conditional privilege contingent on continuous, accurate compliance.

The proposal outlines a robust "teeth" mechanism to ensure the integrity of the recognition system. If a provider fails to meet the criteria or misrepresents their status, the recognition can be withdrawn. The specific provisions governing this process are found in Title IV of the proposal, particularly Articles 17, 20, and 22. Understanding the interplay between these articles is essential for any provider seeking to maintain their market access.

The Dual Triggers for Revocation

Revocation under CADA can originate from two distinct sources: the national competent authority (the regulator) or the auditing organisation (the independent third party). The grounds for revocation in both cases are identical: the provision of false or misleading information.

1. Revocation by the National Competent Authority

For all Union assurance levels, the final decision to recognise a service rests with the evaluating national competent authority of establishment. Article 17(11) explicitly grants this authority the power to withdraw recognition:

"The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently, supplied incorrect or misleading information."

This provision is critical because it establishes a strict liability standard regarding the truthfulness of the information provided. It does not matter if the error was a deliberate fraud (intentional) or a result of poor internal governance, outdated records, or a lack of due diligence (negligent). The outcome is the same: the loss of recognised status.

This applies to the evidence submitted for Union assurance level 1 (the EU statement of conformity based on self-assessment) as well as the evidence for levels 2, 3, and 4 (audit reports and opinions). If a provider submits a self-assessment that overlooks a critical infrastructure location outside the EU, or submits an audit report based on incomplete data, the authority can revoke the recognition once the error is discovered.

2. Revocation by the Auditing Organisation

For providers seeking Union assurance levels 2, 3, or 4, independent third-party audits are mandatory under Article 20. The auditing organisation acts as the first line of defence in verifying compliance. Article 20(7) mirrors the authority's power, stating:

"The auditing organisation may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence."

If an auditor discovers that the provider has supplied false data—such as falsified ownership structures, inaccurate software bills of materials (SBOMs), or misleading data flow diagrams—they can revoke their audit opinion. Since the competent authority's recognition for levels 2–4 is predicated on a "positive" audit opinion (as per Article 17(4)), the revocation of the audit report effectively collapses the foundation of the recognition.

Once an auditor revokes an opinion, the provider is obligated to notify the competent authority under Article 23. The authority will then assess whether to amend or revoke the official recognition. This creates a dual-layer risk: a provider can lose their status either because the regulator finds the initial application flawed, or because the auditor finds the ongoing evidence flawed.

The Five-Year Public Record: A Lasting Consequence

The consequences of revocation extend far beyond the immediate loss of eligibility for public procurement. CADA is designed to ensure market transparency and trust. To achieve this, Article 22(3) establishes a permanent public record of non-compliance:

"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This five-year retention period is a significant deterrent. Unlike a temporary suspension, a revocation becomes a permanent part of the service's digital footprint within the EU's central repository.

  • Visibility: The record is publicly available to all potential clients, including public sector bodies, Union entities, and private sector entities in regulated industries.
  • Impact on Procurement: Under Article 30, contracting authorities must procure services recognised at specific assurance levels. A service with a revoked status in the repository will likely fail the eligibility checks of any public tender.
  • Reputational Damage: The public nature of the record means that a history of "intentional or negligent" misrepresentation will be visible to the entire market for half a decade, severely impacting the provider's ability to compete.

How to Avoid Revocation: A Strategic Approach

Avoiding revocation requires a shift from a "check-the-box" compliance mindset to a culture of continuous, accurate transparency. Providers must focus on two pillars: accuracy of initial evidence and promptness of ongoing notifications.

1. Rigorous Verification of Initial Evidence

To prevent revocation under Article 17(11) and Article 20(7), providers must ensure that every piece of evidence submitted is accurate, complete, and verifiable at the time of submission.

  • For Union Assurance Level 1: Since this relies on self-assessment, the provider assumes full responsibility. You must implement internal controls that verify your compliance with Annex II criteria before issuing the EU statement of conformity. Do not rely on assumptions; verify that infrastructure is in the Union, data flows are contained, and subcontractors are vetted.
  • For Union Assurance Levels 2–4: The audit process is collaborative but rigorous. Providers must cooperate fully with auditing organisations, providing access to all relevant data, premises, and personnel as required by Article 20(2). Ensure that your internal documentation (e.g., ownership charts, SBOMs, data flow diagrams) is up-to-date before the audit begins. Supplying incomplete or outdated evidence can be deemed "negligent," triggering revocation.

2. Prompt Transparency Notifications

Recognition is dynamic. A service that meets criteria today may not meet them tomorrow due to changes in infrastructure, ownership, or subcontracting arrangements. Article 23 imposes a strict transparency obligation on recognised providers:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

  • What constitutes a material change? This includes changes in the ultimate beneficial owner (potentially affecting third-country control assessments), the relocation of infrastructure outside the Union, the appointment of new subcontractors, or changes in the software supply chain.
  • The "As Soon As Possible" Standard: There is no grace period. Providers must notify authorities immediately upon becoming aware of a change. Delaying notification can be interpreted as supplying misleading information by omission, which is a ground for revocation under Article 17(11).
  • Proactive Remediation: By notifying authorities promptly, providers allow the competent authority to assess whether the recognition can be maintained, amended, or if a transition period is needed. This proactive approach demonstrates good faith and can often prevent a full revocation.

What this means for you

For cloud service providers and data centre operators, the revocation provisions of CADA mean that compliance is not a "one-and-done" certification exercise. It is a continuous operational discipline that requires active management.

  • Internal Governance: You must establish internal controls that mirror the audit requirements. Your legal, technical, and compliance teams must work together to ensure that the evidence you generate (e.g., data flow diagrams, access logs, ownership charts) is accurate and up-to-date at all times.
  • Change Management: Your change management processes must include a compliance check. Before implementing any significant change to your service architecture, ownership structure, or subcontracting network, you must assess whether it triggers a notification obligation under Article 23.
  • Auditor Relations: For Levels 2–4, your relationship with your auditing organisation is critical. Ensure they have unfettered access to the evidence they need. Do not attempt to hide negative findings; instead, work with them to remediate issues before they lead to a negative audit opinion or revocation.
  • Reputation Management: Be aware that any revocation will be publicly visible for five years in the central repository. This will impact your ability to win public sector contracts. Proactive communication with clients about your compliance status and any remediation efforts can help mitigate reputational damage, but prevention is far superior.

Common misconceptions

  • "Revocation only happens if I intentionally lie." Incorrect. Article 17(11) and Article 20(7) both specify "intentionally or negligently." Negligence—such as failing to update your records, relying on outdated documentation, or having poor internal verification processes—is sufficient grounds for revocation. You do not need to have malicious intent to lose your recognition.

  • "If I pass the audit, I'm safe for the next few years." Incorrect. Audits are snapshots in time. If your circumstances change after the audit (e.g., you sell a subsidiary to a third-country entity), you must notify the authorities. If you fail to notify, your recognition can be revoked for supplying misleading information (by omission) even if the initial audit was clean.

  • "Revocation is an internal matter between me and the auditor." Incorrect. If an auditor revokes an opinion under Article 20(7), it triggers a mandatory notification to the competent authority under Article 23, which can then revoke the official recognition. Furthermore, the revocation is published in the public central repository for five years under Article 22(3), making it a matter of public record.

  • "I can just reapply immediately after revocation." While the text does not explicitly ban immediate reapplication, the five-year public record of revocation (Article 22(3)) will severely hinder your ability to gain trust from public sector clients. Moreover, if the revocation was due to negligence, you will most likely need to demonstrate concrete improvements in your internal controls before a competent authority grants recognition again.

This is general information about a draft EU regulation, not legal advice.