Summary
Under the proposed Cloud and AI Development Act (CADA), a 'negative' audit opinion is a definitive finding that a cloud computing service provider does not comply with the mandatory criteria for Union assurance levels 2, 3, or 4. As proposed, this opinion blocks the provider from receiving formal recognition for that specific assurance level, rendering the service ineligible for public procurement where that level of assurance is required. Crucially, Article 20(5)(h) mandates that such a report must include "operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance." Without a 'positive' audit opinion, the provider cannot satisfy the submission requirements of Article 17(4), preventing the national competent authority from issuing a recognition decision.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous Union cloud computing sovereignty framework to safeguard public order and reduce dependencies on third-country providers. While Union assurance level 1 relies on a self-assessment, Article 20 mandates that providers seeking recognition for levels 2, 3, or 4 must undergo independent third-party audits. The outcome of this audit is not merely a pass/fail metric but a structured document that dictates the provider's market access.
The Legal Mechanism: Article 20 and the Audit Opinion
The core of the audit process is defined in Article 20. When an auditing organisation concludes its assessment, it must produce a substantiated audit report. Article 20(5) explicitly lists the required contents of this report. Specifically, Article 20(5)(g) requires the report to include a "'positive' or 'negative' audit opinion and any information on whether the audited service of the audited provider complies with the applicable audit criteria for Union assurance level 2, 3 or 4 pursuant to Annex II."
A 'negative' opinion is issued only when the auditing organisation "considers that the provider does not comply with the criteria set out in this Regulation." This is a distinct legal finding of non-compliance. It differs from a situation where the auditor is unable to form a conclusion due to insufficient evidence or lack of access; in such cases, Article 20(6) requires the report to include "an explanation of the circumstances and the reasons why those aspects could not be audited." A negative opinion, by contrast, rests on evidence the auditor considers sufficient to establish that the applicable criteria were not met.
The Consequence: Blocking Recognition under Article 17
The immediate legal consequence of a negative opinion is the inability to secure recognition. Article 17 governs the recognition procedure. Article 17(4) states that for Union assurance levels 2, 3, and 4, the candidate provider "shall submit to the evaluating national competent authority the audit report, the 'positive' audit opinion referred to in Article 20 and all the evidence provided to the auditing organisation during the audit procedure."
The text of Article 17(4) is explicit: the submission must include a 'positive' audit opinion. If the provider submits a report with a negative opinion, the statutory condition for recognition is not met. Consequently, the evaluating national competent authority cannot proceed to adopt a recognition decision under Article 17(5). Without this recognition, the service cannot be registered in the central repository established under Article 22, and public sector bodies are legally barred from procuring it for activities requiring those assurance levels.
The Remediation Roadmap: Article 20(5)(h)
While a negative opinion blocks immediate recognition, the proposal is designed to be corrective rather than purely punitive. Article 20(5)(h) imposes a specific obligation on the auditing organisation when issuing a negative opinion. The report must include:
"operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance."
This requirement ensures that a negative opinion is not a dead end. It provides the provider with a clear, actionable roadmap. The "operational recommendations" detail the specific technical, organisational, or legal changes required to meet the criteria in Annex II. The "recommended timeframe" sets a target for when these measures should be implemented. This structured approach allows providers to understand exactly what is missing and how long the auditor expects remediation to take before a fresh audit is worthwhile; the timeframe is a recommendation, not a statutory deadline.
Cumulative Criteria and the "Lower Level" Rule
The impact of a negative opinion is further compounded by the cumulative nature of the assurance levels. Article 20(1) establishes that "An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels." It further states that "Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
Therefore, if a provider receives a negative opinion for Level 2, it is automatically non-compliant for Levels 3 and 4, because the foundational criteria were not met. Conversely, if a provider fails at Level 3 but meets the Level 2 criteria, the negative opinion at Level 3 does not by itself prevent it from seeking Level 2 recognition, provided it can secure a positive opinion for that lower level. The negative opinion at Level 3, however, remains a barrier to public procurement that requires Level 3 or above.
The Path to Re-assessment
The proposal acknowledges that compliance is an ongoing process. Article 20(8) requires that "The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation." While this clause specifically references the submission of a positive opinion for annual review, the iterative nature of the framework implies that a provider who has rectified the deficiencies identified in a negative opinion can undergo a new audit.
Once the provider implements the "specific measures" and adheres to the "recommended timeframe" outlined in the initial negative report, they can engage an auditing organisation for a fresh assessment. If the new audit results in a 'positive' opinion, the provider can then submit the documentation under Article 17(4) to the national competent authority to seek recognition.
What this means for you
For cloud computing service providers (CSPs) and their legal/compliance teams, a negative audit opinion under the proposed CADA is a critical event that requires immediate strategic action.
- Immediate Loss of Market Access: A negative opinion effectively removes your service from the market for public sector activities requiring Union assurance levels 2, 3, or 4. Under Article 30, contracting authorities must procure services recognised at these levels for activities contributing to public order. Without a positive opinion and subsequent recognition, you cannot bid on these contracts.
- Mandatory Remediation Plan: Do not view the negative opinion as a final rejection. Article 20(5)(h) guarantees you a roadmap. The audit report must contain "operational recommendations" and a "recommended timeframe." Treat this document as your primary compliance project plan. Prioritise the specific measures identified to close the gaps.
- Strategic Re-audit Timing: While the proposal does not explicitly set a waiting period before a re-audit, the "recommended timeframe" in the report serves as a guide. Attempting a re-audit before implementing the recommended measures is likely to result in another negative opinion. Use the timeframe to align your internal remediation efforts with the auditor's expectations.
- Cumulative Impact: Be aware that a failure at a lower level (e.g., Level 2) cascades to higher levels. If you are aiming for Level 4 but fail at Level 2, you must first resolve the Level 2 deficiencies. A negative opinion at Level 2 precludes conformity with Level 4 under Article 20(1).
- Documentation is Key: When you eventually re-apply, your submission under Article 17(4) must include the new positive opinion. Ensure your internal records clearly demonstrate how you addressed the specific "operational recommendations" from the previous negative report. This evidence will be crucial for the auditing organisation to verify compliance.
Common misconceptions
- "A negative opinion means the provider is banned from the EU market entirely." This is incorrect. A negative opinion only blocks recognition for the specific assurance level audited. Providers can still offer services to private sector entities, and to public sector bodies whose activities have not been identified under Article 30(2) as contributing to the preservation of public order, since those activities require only Level 1 or no specific assurance level.
- "A negative opinion is final and cannot be overturned." The proposal is designed for continuous improvement. Article 20(5)(h) explicitly provides a mechanism for rectification via operational recommendations and timeframes. Providers can re-audit once they have implemented the necessary measures.
- "A negative opinion is the same as an inconclusive audit." They are legally distinct. A negative opinion is a definitive finding of non-compliance based on available evidence. An inconclusive audit occurs when the auditor cannot reach a conclusion due to lack of access or data, requiring an explanation under Article 20(6) rather than a negative opinion.
- "The provider can ignore the recommended timeframe." While the timeframe is a recommendation, ignoring it significantly increases the risk of failing the next audit. The "recommended timeframe" is part of the operational recommendations mandated by Article 20(5)(h); deviating from it without justification suggests the provider has not fully addressed the compliance gaps.
Related
- CADA Audit Report vs. Audit Opinion: Key Differences Explained
- CADA Audit Opinions: Positive vs Negative Outcomes Explained
- What does reliable audit evidence mean under CADA?
- What does CADA mean by 'relevant and sufficient' audit evidence?
- CADA Recognition: SMEs vs Large Providers – Automatic Level 1 vs Full Audit
This is general information about a draft EU regulation, not legal advice.