Summary
Under the proposed Cloud and AI Development Act (CADA), an audit report for Union assurance levels 2, 3, or 4 must include a specific "declaration of interests" to verify the independence of the auditing organisation. Article 20(5)(c) explicitly mandates this inclusion as a core component of the substantiated, written audit report. This declaration is not optional; it serves as the primary evidence that the auditor has no conflicts of interest with the cloud computing service provider or any connected legal persons. Without this declaration, the report fails to meet statutory requirements, preventing the provider from obtaining recognition of a Union assurance level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services. For providers seeking recognition at Union assurance levels 2, 3, or 4, the Act requires independent third-party audits. The integrity of this entire framework hinges on the absolute independence of the auditing organisation. To guarantee this, CADA imposes strict content requirements on the audit report itself, with the declaration of interests serving as a critical compliance checkpoint.
The Mandatory Requirement: Article 20(5)(c)
Article 20 of the CADA proposal governs independent audits. Paragraph 5 of this Article outlines the minimum contents that every audit report must contain. The report must be "substantiated, in writing," and must include a specific list of elements.
Specifically, Article 20(5)(c) requires that the report include "a declaration of interests."
This is a non-discretionary element. The text of the proposal does not allow for exceptions or alternative forms of verification. The declaration must be embedded directly within the audit report issued by the auditing organisation. Its presence confirms that the auditor has formally assessed and declared their status regarding potential conflicts of interest before issuing the audit opinion.
The Link to Auditor Independence Rules
The declaration of interests is the procedural manifestation of the substantive independence rules set out in Article 20(4). The CADA proposal treats auditor independence as a cornerstone of the sovereignty framework. The declaration must reflect compliance with the following cumulative criteria found in Article 20(4):
- No Conflicts of Interest: The auditing organisation must be independent from, and have no conflicts of interest with, the cloud computing service provider concerned or any legal person connected to that provider.
- Non-Audit Services Restriction: The auditor must not have provided non-audit services related to the matters audited to the provider (or connected persons) in the 12-month period before the audit, and must commit to not providing such services in the 12-month period after the audit.
- Audit Rotation: The auditor must not have provided auditing services pursuant to Article 20 to the provider (or connected persons) in the 10-year period before the audit.
- No Contingent Fees: The audit must not be performed in return for fees that are contingent on the result of the audit.
By embedding the declaration of interests directly into the audit report, CADA ensures that the evidence of independence is permanently linked to the audit opinion. This creates a clear, auditable trail for national competent authorities and public sector bodies relying on the Union assurance level.
Context Within the Full Audit Report
The declaration of interests sits alongside other mandatory elements required by Article 20(5). A compliant report must also include:
- The name, address, and point of contact of the provider and the auditing organisation.
- The period covered by the audit.
- A description of the specific aspects audited and the methodology applied.
- A summary of the main findings.
- A list of third parties consulted.
- A 'positive' or 'negative' audit opinion regarding compliance with the applicable Union assurance level criteria (Annex II).
If the auditing organisation fails to include the declaration of interests, the report does not meet the statutory requirements of Article 20(5). Consequently, the cloud computing service provider cannot rely on this report to apply for recognition of a Union assurance level under Article 17. The competent authority would be entitled to reject the application or request further information, effectively halting the recognition process.
Consequences of Non-Compliance and Revocation
The requirement for a declaration of interests is backed by enforcement mechanisms. If an auditing organisation issues a report with a false, misleading, or missing declaration of interests, the consequences are severe:
- Revocation of Audit Report: Under Article 20(7), the auditing organisation may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence. While this clause focuses on the provider, the integrity of the declaration is part of the overall audit evidence. If the declaration itself is found to be incorrect (e.g., a hidden conflict of interest), the basis for the audit opinion collapses.
- Revocation of Recognition: Under Article 23, if the auditing organisation amends or revokes the audit report or opinion (due to a conflict of interest discovered later), it must notify the national competent authority. The authority may then amend or revoke its recognition of the cloud computing service.
- Enforcement Powers: National competent authorities have investigative powers under Article 26 to require information and conduct inspections. Providing incorrect or misleading information regarding independence can lead to enforcement actions against the provider and potentially impact the auditing organisation's ability to operate under the framework.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, the requirement for a declaration of interests in the CADA audit report has several practical implications:
- Due Diligence on Auditors: When selecting an auditing organisation, you must verify their independence not just contractually, but through the final deliverable. Ensure your engagement letter explicitly requires the issuance of a declaration of interests as a mandatory part of the audit report, referencing Article 20(5)(c).
- Report Review Protocol: Upon receipt of the audit report, compliance teams should immediately check for the presence of the declaration of interests. Its absence is a critical red flag indicating the report is non-compliant with Article 20(5)(c). Submitting such a report to a national competent authority would likely result in the rejection of your application for Union assurance level recognition.
- Evidence of Independence: The declaration serves as your primary evidence to national competent authorities that the audit was conducted independently. Keep this report securely, as it will be part of the evidence submitted during the recognition process under Article 17.
- Conflict Monitoring: Ensure that the auditor has not provided non-audit services to your organisation (or to connected persons) within the prohibited timeframes (12 months before and after the audit for non-audit services, 10 years for prior audits under Article 20). The declaration of interests will expose any such conflicts, potentially invalidating the audit and delaying your market entry.
Common misconceptions
"The declaration of interests is a separate document."
- Reality: Article 20(5)(c) requires the declaration to be included in the audit report. It is not a standalone form submitted separately; it is an integral part of the substantiated written report.
"Only the auditor needs to worry about this."
- Reality: While the auditor drafts the declaration, the cloud computing service provider is responsible for submitting the complete audit report to the competent authority. If the report lacks the declaration, the provider's application for recognition may be rejected or delayed. The provider bears the risk of an incomplete submission.
"A general statement of independence is sufficient."
- Reality: The declaration must specifically address the independence criteria in Article 20(4), including the specific 12-month and 10-year look-back periods for services. A vague statement of "no conflicts" may not satisfy the requirement for a specific declaration of interests that aligns with the statutory criteria.
This is general information about a draft EU regulation, not legal advice.