Summary

As proposed, the Cloud and AI Development Act (CADA) imposes strict independence requirements on auditing organisations to prevent conflicts of interest when assessing cloud computing services for Union assurance levels 2, 3, and 4. Under Article 20(4)(a), auditors must not have provided non-audit services related to the audited matters within the 12 months preceding the audit or commit to providing them in the 12 months following completion. Additionally, Article 20(4)(a)(ii) prohibits auditing organisations from having performed an audit for the same provider within the previous 10 years, and Article 20(4)(a)(iii) bans contingent fees tied to the audit result. These rules are designed to ensure objective, unbiased evaluation of sovereignty criteria.

Detail

The Cloud and AI Development Act (CADA) establishes a rigorous framework for sovereign cloud computing services, categorising them into four Union assurance levels. While Union assurance level 1 relies on conformity self-assessment by the provider, levels 2, 3, and 4 require independent third-party audits to verify compliance with strict sovereignty, data localisation, and cybersecurity criteria. To guarantee the integrity of these audits, CADA introduces robust conflict-of-interest rules in Article 20, specifically targeting the independence of auditing organisations.

The Three Pillars of Auditor Independence

The cornerstone of CADA's auditor independence regime is found in Article 20(4)(a), which mandates that auditing organisations must be independent from the cloud computing service provider and any connected legal persons. The proposal explicitly defines independence through three cumulative prohibitions aimed at eliminating financial and operational dependencies that could compromise objectivity.

1. The 12-Month Non-Audit Services Ban

First, Article 20(4)(a)(i) prohibits auditing organisations from having provided non-audit services related to the matters being audited to the cloud computing service provider or any connected legal person during the 12-month period before the beginning of the audit. Furthermore, the auditor must commit to not providing such services in the 12-month period after the completion of the audit. This "cooling-off" period prevents auditors from auditing their own work or maintaining commercial relationships that might create a bias in favour of the client. For example, if an auditor has recently helped a cloud provider design its security architecture, implement a software bill of materials (SBOM), or configure data localisation controls, it cannot then audit that provider's compliance with Union assurance level 3, as it would effectively be evaluating its own prior contributions. The rule applies to both the period preceding and the period following the audit to ensure a complete separation of duties.

2. The 10-Year Audit Rotation Rule

Second, Article 20(4)(a)(ii) introduces a strict rotation rule. An auditing organisation must not have provided auditing services pursuant to Article 20 to the same cloud computing service provider or any connected legal person within the 10-year period before the beginning of the audit. This long-term rotation requirement is designed to prevent the development of overly familiar or entrenched relationships between auditors and providers, which can erode professional scepticism over time. By forcing a decade-long hiatus, CADA ensures that each audit is conducted by a fresh, independent entity. This rule is particularly significant for providers seeking long-term recognition, as it limits the pool of eligible auditors for any given provider to those who have not engaged in a CADA audit for that specific provider in the last decade.

3. The Ban on Contingent Fees

Third, Article 20(4)(a)(iii) prohibits contingent fees. Auditing organisations must not perform the audit in return for fees that are contingent on the result of the audit. This rule eliminates the financial incentive for auditors to issue a "positive" opinion to secure payment or avoid penalties, ensuring that the audit opinion is based solely on evidence and compliance with the criteria set out in Annex II of CADA. Whether the fee is structured as a percentage of the contract value, a bonus for a successful certification, or a penalty for a failed one, such arrangements are strictly forbidden.

Broader Independence and Competence Standards

Beyond the specific prohibitions in Article 20(4)(a), CADA imposes broader independence and competence standards to ensure the quality and reliability of the audit process.

Article 20(4)(b) requires auditing organisations to have proven expertise, technical competence, and capabilities in auditing cloud computing services. Given the technical complexity of sovereignty criteria (such as verifying data localisation, assessing software supply chain transparency, and evaluating personnel citizenship), auditors must possess specialised knowledge.

Article 20(4)(c) further mandates that auditors demonstrate proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards. This ensures that auditors not only lack conflicting interests but also adhere to high ethical benchmarks. The proposal explicitly states that if an auditing organisation's independence or technical competence is not beyond doubt, it should abstain or resign from the audit engagement.

The Audit Report and Declaration of Interests

To operationalise these rules, Article 20(5) requires auditing organisations to prepare a substantiated audit report for each audit. This report must include a declaration of interests (Article 20(5)(c)), which serves as a formal attestation of the auditor's compliance with the independence requirements. The report must also include a "positive" or "negative" audit opinion based on whether the audited service complies with the applicable criteria.

If an auditor fails to disclose a conflict or violates the independence rules, the audit report may be deemed invalid. The national competent authority, upon receiving the audit report, assesses the evidence for recognition under Article 17. If it is discovered that the auditor was not independent (for instance, if a conflict of interest under Article 20(4)(a) existed), the competent authority may reject the recognition application.

Consequences of Non-Independence and Enforcement

While CADA does not specify fixed fines for auditors in Article 24, it requires Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. Article 24(2) lists criteria for imposing penalties, including the nature, gravity, and duration of the infringement. Although Article 24 primarily targets providers, the integrity of the audit is a prerequisite for the provider's recognition.

If a provider knowingly engages a non-independent auditor to obtain a Union assurance level, it may face penalties for supplying incorrect or misleading information to the competent authority under Article 17(11). Article 17(11) allows the evaluating national competent authority to revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently supplied incorrect or misleading information. Using a disqualified auditor would likely fall under this provision.

Furthermore, the auditing organisation itself is subject to the obligation of confidentiality and professional secrecy under Article 20(3). Breaches of independence rules could also trigger professional sanctions under national laws governing auditing professions, depending on the Member State's designation of competent authorities under Article 25. The competent authorities are granted investigative powers under Article 26 to require information and carry out inspections, which could be used to verify compliance with independence rules.

What this means for you

For in-house counsel and compliance officers overseeing cloud strategy, these conflict-of-interest rules significantly impact vendor selection and audit planning.

  1. Vet Your Auditors Rigorously: Before engaging an auditing organisation for Union assurance levels 2, 3, or 4, verify their independence history. Request written confirmation that they have not provided non-audit services to your organisation in the preceding 12 months and have not audited you in the last 10 years. Ensure their fee structure is fixed and not contingent on the audit outcome.
  2. Manage Service Boundaries: If you have recently hired a consultancy or technical firm to help implement sovereignty measures (e.g., data localisation, software bill of materials, or security architecture), that firm cannot be your auditor for at least 12 months after the work is completed. Plan your procurement cycles to separate implementation and auditing phases to avoid disqualification.
  3. Document Independence: Maintain records of auditor declarations of interests and independence confirmations. These documents are required components of the audit report under Article 20(5) and may be scrutinised by national competent authorities during the recognition process under Article 17.
  4. Plan for Rotation: If you have used a specific auditor for a Union assurance level 1 self-assessment review or prior audits, be aware that you cannot use the same organisation for a CADA audit under Article 20 for 10 years. Start identifying alternative auditors early to ensure continuity in your certification timeline.
  5. Monitor Connected Legal Persons: The independence rules apply not just to your primary entity but to any connected legal persons. Ensure that affiliates or subsidiaries do not have conflicting relationships with the proposed auditor that could compromise independence.

Common misconceptions

  • "Only the audit fee matters for independence." Independence is not just about how the auditor is paid. Article 20(4)(a) explicitly bans non-audit services and prior audit relationships, regardless of fee structure. A fixed fee does not cure a conflict arising from recent consulting work or a lack of rotation.
  • "A 10-year rule applies to all audit services." The 10-year prohibition in Article 20(4)(a)(ii) specifically applies to auditing services performed pursuant to Article 20 of CADA. It does not necessarily ban an auditor from performing other types of audits (e.g., financial audits) for the same client, but it strictly bars them from CADA sovereignty audits for that decade.
  • "Self-assessment (Level 1) has the same auditor rules." Union assurance level 1 relies on conformity self-assessment by the provider (Article 19), not third-party audits. Therefore, the conflict-of-interest rules in Article 20 apply only to audits for levels 2, 3, and 4. However, the provider still bears responsibility for the accuracy of its self-assessment.
  • "Auditors can audit their own security designs." If an auditor helped design the security controls or software supply chain measures being audited, it violates the 12-month non-audit service ban. Auditors must evaluate independent evidence, not their own prior work.

This is general information about a draft EU regulation, not legal advice.