Summary
Under the proposed Cloud and AI Development Act (CADA), the European Commission is empowered to adopt delegated acts to specify the detailed procedural rules for independent third-party audits of cloud computing services. As explicitly stated in Article 20(9), these acts will define audit methodologies, the technical competences required for auditing organisations, and standardised templates for audit reports. These rules are essential for cloud providers seeking recognition at Union assurance levels 2, 3, and 4, ensuring consistent verification of sovereignty criteria across the EU. Until these acts are adopted, the main text of CADA sets the obligation to audit but leaves the specific "how" to secondary legislation.
Detail
The Cloud and AI Development Act (CADA) establishes a rigorous sovereignty framework for cloud computing services, requiring providers to meet specific "Union assurance levels" (UALs) to serve public sector bodies and Union entities. While Union assurance level 1 relies on a conformity self-assessment by the provider (Article 19), levels 2, 3, and 4 mandate independent third-party audits. To ensure these audits are robust, consistent, and legally sound across the single market, CADA grants the European Commission specific powers to supplement the regulation through delegated acts.
The Legal Basis: Article 20(9)
The primary provision governing these audit procedures is Article 20(9) of the CADA proposal. This article explicitly empowers the Commission to adopt delegated acts in accordance with Article 45 to supplement the Regulation. Specifically, these delegated acts will lay down detailed rules regarding four critical areas:
- Procedural steps for the performance of audits.
- Rules for auditing organisations, including their required technical competences.
- Auditing methodologies to be applied during the assessment.
- Templates for audit reports to ensure uniformity in findings.
This delegation of power is critical because the main text of CADA sets out the obligation to audit and the criteria to be audited against (detailed in Annex II), but it intentionally leaves the methodology to secondary legislation. This flexibility allows the regulatory framework to adapt to rapid technological changes in cloud infrastructure, cybersecurity threats, and auditing standards without requiring a full legislative amendment of the Regulation itself.
Scope and Application
These delegated acts will apply to all cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4. As established in Article 20(1), providers must undergo independent third-party audits at their own expense to obtain an audit report and an audit opinion from an auditing organisation. The auditing organisation must be independent and free of conflicts of interest, and must possess proven expertise in auditing cloud computing services.
The delegated acts will standardise how auditors verify compliance with the cumulative criteria in Annex II. For example, they will dictate the specific steps an auditor must take to verify that:
- Infrastructure and assets are located exclusively within the Union.
- Customer data remains within the Union unless explicitly required otherwise by the public sector body.
- The provider is not subject to the control of a third country in a manner that compromises operational autonomy.
- Software supply chain measures, such as maintaining a complete and up-to-date Software Bill of Materials (SBOM), are in place.
By defining the methodologies, the acts will ensure that an audit in one Member State yields the same rigor and depth as an audit in another, preventing regulatory arbitrage.
Interaction with Article 45
The exercise of this delegation is strictly governed by Article 45, which outlines the conditions for adopting delegated acts. Before adopting any act, the Commission must consult experts designated by each Member State during its preparatory work, ensuring technical feasibility and Member State input. The European Parliament and the Council retain the right to revoke this delegation or object to the adopted acts within a specified period (typically two months, extendable by three months). This ensures democratic oversight over the technical standards that will govern the audit market.
Audit Evidence and Methodologies
While the delegated acts under Article 20(9) will set the procedural rules, they will work in tandem with Article 21, which requires audits to be based on specific "audit evidence" listed in Annex III. The delegated acts will likely clarify how this evidence must be collected, verified, and documented. For instance, they may specify the depth of penetration testing required to verify that no remote features exist that could tamper with software, or the precise legal documentation needed to verify the separation between a Union parent company and its third-country subsidiaries.
The templates for audit reports mandated by the delegated acts will ensure that the "positive" or "negative" audit opinions are presented in a standardised format, facilitating the recognition process by national competent authorities under Article 17.
What this means for you
For in-house counsel, compliance officers, and cloud providers, the adoption of these delegated acts under Article 20(9) represents a significant upcoming compliance milestone. While CADA is currently a proposal, you should prepare your cloud governance frameworks now to align with the expected standards.
1. Prepare for Standardised Audits
Currently, cloud sovereignty audits may vary significantly depending on the auditor or national approach. The delegated acts will harmonise these processes. You should review your current audit contracts and internal controls to ensure they can accommodate standardised methodologies and reporting templates. Anticipate that auditors will require granular data on infrastructure location, data flows, and third-country control structures, as the delegated acts will likely mandate specific evidence collection protocols.
2. Verify Auditor Competences
The delegated acts will define the technical competences required for auditing organisations. Ensure that your chosen auditor not only meets current industry standards but is also positioned to meet the specific technical criteria set out in the forthcoming delegated acts. This may include specific expertise in cloud architecture, cybersecurity, and legal sovereignty assessments, as the acts will likely detail the exact skills and certifications required for an organisation to be eligible to perform these audits.
3. Update Internal Documentation
Your internal documentation, including Software Bills of Materials (SBOMs), data flow diagrams, and subcontractor agreements, must be audit-ready. The delegated acts will likely mandate specific formats for these documents to ensure they can be easily verified against the criteria in Annex II. Proactively aligning your documentation with the evidence requirements in Annex III will streamline the audit process once the rules are finalised.
4. Monitor the Legislative Process
The delegated acts will be adopted after CADA enters into force. Monitor the Commission's consultations and the publication of draft delegated acts. Engage with industry groups to provide feedback on the proposed methodologies, ensuring they are practical and proportionate for your organisation's size and complexity. The consultation phase under Article 45 is a critical opportunity to influence the final rules.
5. Penalties and Non-Compliance
Failure to comply with the audit requirements, including the procedural rules set out in the delegated acts, can lead to severe penalties. Under Article 24, Member States must lay down rules on penalties that are effective, proportionate, and dissuasive. Recipients of cloud services also have the right to seek compensation for damages resulting from non-compliance. Ensure your audit processes are robust to avoid reputational damage and financial liability.
Common misconceptions
Misconception 1: The delegated acts will change the sovereignty criteria. Clarification: No. The criteria for Union assurance levels are set out in Annex II of CADA. The delegated acts under Article 20(9) only govern the procedure of the audit, not the substance of the requirements. They tell auditors how to check compliance, not what the compliance standards are.
Misconception 2: These rules apply to all cloud providers. Clarification: No. The independent audit requirement and the associated delegated acts apply only to providers seeking recognition for Union assurance levels 2, 3, or 4. Providers at Union assurance level 1 only need to conduct a conformity self-assessment under Article 19, which does not require these specific delegated acts.
Misconception 3: The Commission will audit the cloud providers directly. Clarification: No. The Commission empowers independent auditing organisations to perform the audits. The Commission's role is to set the rules for these auditors via delegated acts and maintain the central repository of recognised services. The auditing organisations are selected by the cloud providers, subject to strict independence and competence requirements.
Misconception 4: The delegated acts are already in force. Clarification: No. CADA is a proposal. The delegated acts under Article 20(9) will be adopted only after the Regulation enters into force, following the standard legislative procedure involving expert consultation and parliamentary scrutiny. Until then, there are no binding EU-wide procedural rules for these specific audits.
This is general information about a draft EU regulation, not legal advice.