Summary
Under the proposed Cloud and AI Development Act (CADA), a "material change in circumstances" is any event or update that could compromise a cloud provider's recognized Union assurance level (1–4). Article 23(1) mandates that providers must notify their auditing organisation and their national competent authority of establishment "as soon as possible" upon becoming aware of such changes. These changes include shifts in ownership control, infrastructure relocation outside the Union, loss of cybersecurity certification, or supply chain disruptions. Failure to report these changes can lead to the amendment or revocation of the provider's audit opinion and official recognition, resulting in removal from the central repository and loss of eligibility for public sector contracts.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic framework for cloud sovereignty. Unlike static compliance regimes, CADA requires continuous adherence to the criteria set out in Annex II. To maintain the integrity of the Union assurance levels, the regulation imposes a strict ongoing transparency obligation on recognized providers.
The Core Obligation: Immediate Notification
Article 23(1) of the proposal sets the standard for ongoing compliance. It states that a recognized cloud computing service provider must, "as soon as possible," notify two specific entities once it becomes aware of any information or material change in circumstances:
- The auditing organisation that issued the audit report and the "positive" audit opinion under Article 20.
- The national competent authority of establishment that granted the recognition under Article 17.
The trigger for this notification is broad and risk-based. It applies to any information or change that "may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."
This provision ensures that the "snapshot" of compliance captured during the initial audit remains valid in a rapidly evolving operational environment. It shifts the burden of proactive monitoring onto the provider, requiring them to identify and report risks to their sovereignty status before they result in systemic non-compliance. The regulation does not define "material change" with a rigid list; instead, it ties the definition to the cumulative criteria of the specific assurance level the provider holds.
What Constitutes a "Material Change"?
While CADA does not provide an exhaustive list of every possible scenario, the definition of a material change is derived directly from the criteria for Union assurance levels in Annex II and the audit evidence requirements in Annex III. A change is "material" if it undermines the cumulative criteria required for the provider's specific assurance level.
Based on the assurance criteria, the following scenarios would typically constitute a material change requiring immediate notification:
1. Changes in Ownership or Third-Country Control
For Union assurance levels 2, 3, and 4, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (with specific derogations for Level 3 under Article 18).
- Material Change Example: A third-country investor acquires a significant stake (e.g., exceeding 5% of voting rights or capital) or gains veto rights over strategic decisions, thereby altering the control structure.
- Material Change Example: A change in the board of directors or executive management that introduces individuals with direct ties to a third-country government, potentially influencing strategic decisions in a way that conflicts with Union sovereignty requirements.
- Material Change Example: The loss of an implementing act under Article 18 that previously allowed a third-country-controlled provider to qualify for Level 3.
2. Infrastructure, Asset, and Data Location Shifts
Providers at Levels 2–4 must ensure that infrastructure, assets, and personnel are located exclusively within the Union, and that customer data remains within the Union unless explicitly required otherwise by the public sector body.
- Material Change Example: Migrating a backup site, disaster recovery facility, or log storage from a data center in Frankfurt to one in a third country.
- Material Change Example: Introducing a new subcontractor for technical support who operates support desks outside the EU, violating the requirement that technical and operational support be initiated and performed exclusively within the Union.
- Material Change Example: A change in data routing protocols that inadvertently causes customer data to transit through or be stored in a third country, even temporarily.
3. Cybersecurity and Certification Status
Levels 2, 3, and 4 require specific cybersecurity certifications (e.g., a European cybersecurity certificate of at least assurance level "substantial" for Levels 2 and 3, and "high" for Level 4).
- Material Change Example: The expiration, suspension, or revocation of the provider's European cybersecurity certificate (EUCS) or the equivalent national certification.
- Material Change Example: A significant cybersecurity incident that compromises the integrity of the software supply chain, reveals critical vulnerabilities in the infrastructure, or results in unauthorized access to customer data.
- Material Change Example: A failure to maintain the "substantial" or "high" assurance level required by Annex II due to a lapse in security controls.
4. Subcontractor and Supply Chain Changes
Providers must maintain transparency and due diligence over subcontractors, ensuring they meet the same sovereignty criteria.
- Material Change Example: Onboarding a new critical subcontractor that does not meet the same sovereignty criteria (e.g., established in the Union, no third-country control) as the primary provider.
- Material Change Example: A subcontractor losing its required certifications, facing legal proceedings that affect its operational autonomy, or being acquired by a third-country entity.
- Material Change Example: A change in the software bill of materials (SBOM) where a critical third-party component is replaced by one from a third-country entity without adequate mitigation plans (e.g., source code audits, migration plans).
5. Software and Open Source Updates
Providers must demonstrate control over their software supply chain, including blocking remote tampering features.
- Material Change Example: Integrating a new third-party software component that contains undisclosed remote access capabilities or is owned by a third-country entity without adequate mitigation plans.
- Material Change Example: A change in the licensing or control of open-source software used in the service that comes under the control of a third-country entity, potentially introducing remote tampering risks.
The Consequences of a Material Change
Once a provider notifies the auditing organisation and the competent authority, a cascade of assessments begins, as outlined in Article 23(2) and Article 23(3):
- Auditor Assessment: The auditing organisation assesses whether the audit report or the "positive" opinion needs to be amended or revoked. If it determines that the provider no longer complies with the criteria, it must amend or revoke the report and notify the national competent authority.
- Competent Authority Assessment: The national competent authority of establishment then assesses whether its recognition of the cloud computing service needs to be amended or revoked. If it revokes the recognition, it must notify the other Member States' competent authorities and the Commission.
This process ensures that the central repository of recognized services (maintained by the Commission under Article 22) remains accurate. Revocations are published in the repository and remain visible for five years, serving as a public record of non-compliance. This transparency is critical for public sector bodies relying on the repository to select compliant providers.
What this means for you
For cloud service providers and data centre operators aiming to serve the EU public sector, Article 23 imposes a continuous compliance burden that extends far beyond the initial audit. You cannot treat sovereignty certification as a one-time achievement.
1. Implement Internal Monitoring Systems
You must have robust internal governance to detect changes in real time. This includes:
- Ownership Monitoring: Regularly reviewing cap tables and shareholder agreements to detect any new third-country interests or changes in voting rights.
- Subcontractor Due Diligence: Continuously monitoring the compliance status of your supply chain partners, including their certification status and ownership structure.
- Infrastructure Audits: Ensuring that no data or processing capabilities are inadvertently shifted outside the EU, including by new automated routing protocols, cloud bursting mechanisms, or disaster recovery failovers.
2. Establish Clear Reporting Protocols
Define internal workflows for when and how to report changes. The phrase "as soon as possible" implies urgency. Delays in notification can be viewed as negligence, potentially leading to stricter penalties under Article 24 (which requires penalties to be "effective, proportionate and dissuasive"). Ensure that your legal, compliance, and technical teams have a direct line to your auditing organisation.
3. Prepare for Re-Audits
Be prepared for the possibility that a material change will trigger an immediate re-assessment. Maintain up-to-date documentation (as required by Annex III) to facilitate rapid verification by auditors. If a change is material, proactively engaging with your auditor to discuss mitigation measures may help preserve your assurance level, rather than waiting for a formal revocation.
4. Impact on Public Sector Contracts
Public sector bodies rely on the central repository to identify compliant providers. If your recognition is revoked due to an unreported material change, you will be removed from the repository. This can lead to the immediate termination of contracts or the inability to bid for new public sector tenders, which often mandate specific Union assurance levels (e.g., Level 3 for critical infrastructure or Level 4 for classified information).
Common misconceptions
Misconception 1: "Only major structural changes are material." Many providers assume that only mergers, acquisitions, or physical relocations are material. However, changes in software dependencies, subcontractor agreements, or cybersecurity certifications are equally critical. If a change affects the criteria in Annex II, it is material.
Misconception 2: "I only need to notify the competent authority." Article 23(1) explicitly requires notification to both the auditing organisation and the national competent authority. The auditor is the first line of defense in assessing technical compliance, while the authority handles the legal recognition. Skipping the auditor can lead to a breakdown in the audit trail and delay the necessary assessment.
Misconception 3: "If the change is temporary, I don't need to report it." Even temporary changes, such as a short-term migration to a third-country cloud for maintenance or a temporary failure of a Union-based data centre, can violate the requirement that data and infrastructure remain exclusively within the Union. Unless it is explicitly permitted by the public sector body (an option available only at Level 1), such a change violates the strict localisation rules for Levels 2–4 and must be reported and assessed.
Misconception 4: "The auditor decides what is material." While the auditor assesses the impact, the provider has the primary obligation to identify and report potential material changes. Relying on the auditor to discover changes during a routine annual audit is insufficient and risky. The provider must proactively identify risks to their compliance status and report them "as soon as possible."
This is general information about a draft EU regulation, not legal advice.