Summary
Under the proposed Cloud and AI Development Act (CADA), the integrity of the Union assurance framework relies on a rapid response mechanism to operational changes. When a cloud computing service provider reports a "material change" in circumstances, Article 23(2) mandates that the auditing organisation must immediately assess whether the existing audit report or the 'positive' audit opinion needs to be amended or revoked. If the auditor determines that an amendment or revocation is necessary, they must, "as soon as possible," notify the national competent authority of establishment. This triggers a regulatory cascade where the authority reviews the service's recognition status, ensuring the central repository of sovereign services remains accurate for public sector buyers.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dynamic sovereignty framework rather than a static certification. While the initial recognition of a cloud service at Union assurance levels 1 through 4 relies on independent third-party audits (Article 20), the Act recognises that the operational reality of a provider can shift. To prevent a service from retaining a "sovereign" label while its underlying conditions degrade, CADA imposes strict transparency obligations and a specific reassessment protocol triggered by material changes.
The Trigger: Reporting Material Changes
The process is initiated by the cloud computing service provider. Under Article 23(1), a recognised provider is legally obligated to notify both the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion... or the recognition."
The term "material change" is not exhaustively defined in a single list within the text but is interpreted against the cumulative criteria set out in Annex II (Union Assurance Levels) and the audit evidence requirements in Annex III. In practice, a material change would include events that directly impact the sovereignty criteria, such as:
- A change in ownership structure introducing control by a third country or a legal entity established in a third country.
- The relocation of critical infrastructure, assets, or personnel outside the Union.
- The engagement of new subcontractors that fail to meet the specific assurance level requirements (e.g., non-EU support for a Level 3 service).
- Changes in the legal jurisdiction that introduce extraterritorial access risks.
- Any breach of the technical or organisational measures required to maintain the specific assurance level.
Failure to report such changes "as soon as possible" constitutes an infringement of the Regulation, potentially leading to penalties under Article 24.
The Auditor's Core Obligation: Assessment
Once the notification is received, the burden of technical assessment shifts to the auditing organisation. Article 23(2) explicitly states: "On the basis of the notification under paragraph 1, the auditing organisation shall assess whether the audit report or the audit opinion need to be amended or revoked."
This is a substantive, not merely administrative, duty. The auditor must re-evaluate the provider's compliance against the criteria for the claimed Union assurance level. The assessment must consider whether the reported change undermines the cumulative criteria. For example:
- Scenario A (Downgrade): A provider at Union assurance level 3 outsources technical support to a third country. This violates the requirement in Annex II (3.1(h)) that support be initiated and performed exclusively within the Union. However, if the provider still meets the criteria for Level 2, the auditor may assess that the report needs to be amended to reflect a lower assurance level.
- Scenario B (Revocation): A provider at Union assurance level 2 is found to be under the control of a third country that compels data access, violating Annex II (2.1(g)). If the provider fails to meet the criteria for any assurance level (including Level 1, which has different but still strict establishment requirements), the auditor must assess that the opinion needs to be revoked.
The text of Article 23(2) does not grant the auditor discretion to ignore the change; the assessment is mandatory. The auditor must determine if the change is significant enough to alter the validity of the original audit opinion.
The Notification Chain
The auditor's assessment is the critical link in the regulatory chain. Article 23(2) further mandates: "Where the auditing organisation amends or revokes the audit report or the audit opinion, it shall, as soon as possible, notify the national competent authority of establishment."
This notification is the trigger for regulatory action. The national competent authority (NCA) is the body responsible for the formal recognition of the service under Article 17. While the NCA relies on the auditor's technical expertise, the NCA holds the legal authority to grant, amend, or withdraw recognition across the Union. The auditor's notification ensures that the NCA is immediately aware that the technical basis for the recognition has changed.
The Regulatory Consequence: NCA Action
Upon receiving the notification from the auditor, the national competent authority of establishment must act. Article 23(3) states: "On the basis of the notification referred to in paragraph 1 or 2, the national competent authority of establishment shall assess whether its recognition needs to be amended or revoked."
If the NCA concludes that the recognition must be amended (e.g., downgrading the level) or revoked (removing the service from the list of recognised providers), it must then notify the national competent authorities of the other Member States and the Commission. This pan-European notification is essential for maintaining the integrity of the central repository established under Article 22.
The central repository is the single source of truth for public sector bodies and Union entities procuring cloud services. When the NCA updates the repository following an auditor's notification, it ensures that:
- Public Sector Buyers are alerted that a service they are using or considering no longer holds its claimed sovereignty status.
- Procurement Compliance is maintained, preventing contracting authorities from inadvertently procuring services that no longer meet the assurance levels required by their risk assessments under Article 29.
- Market Transparency is preserved, allowing the market to react to changes in the sovereignty credentials of providers.
What this means for you
For in-house counsel, compliance officers, and procurement teams, the provisions of Article 23 create a high-stakes environment where operational changes have immediate regulatory consequences.
1. For Cloud Service Providers: Continuous Compliance is Mandatory
Sovereignty assurance under CADA is not a "one-and-done" certification. It is an ongoing operational state. You must establish internal monitoring systems capable of detecting "material changes" in real-time. This requires:
- Legal and Corporate Governance Monitoring: Immediate detection of changes in shareholding, board composition, or jurisdictional exposure.
- Subcontractor Oversight: Continuous verification that all subcontractors (including those providing technical support) meet the specific criteria for your assurance level.
- Rapid Reporting Protocols: Ensure your internal processes allow you to notify the auditor and the NCA "as soon as possible." Delays in reporting can be viewed as an infringement, potentially leading to penalties under Article 24 and reputational damage.
2. For Auditing Organisations: The Duty to Assess is Non-Delegable
If you are an auditing organisation, Article 23(2) imposes a strict duty. You cannot simply log a notification and wait for the NCA to decide. You must actively assess whether the audit report or opinion needs to be amended or revoked. Your assessment must be documented, and if you determine a change is necessary, you must notify the NCA "as soon as possible." Failure to do so could compromise the integrity of the framework and expose your organisation to liability.
3. For Public Sector Buyers: Verify Before You Procure
Contracting authorities must understand that a service's recognition status can change rapidly. Before procuring a cloud service, especially for activities contributing to public order (requiring Level 2, 3, or 4 under Article 30), you must check the central repository. If a service has been recently amended or revoked, you must cease using it or migrate to a compliant alternative within the transition period allowed (not exceeding 12 months under Article 29(6)).
4. Strategic Planning for Downgrades
Be prepared for the commercial impact of an amendment. If a provider is downgraded from Level 3 to Level 2, public sector clients who required Level 3 for their specific risk assessment (e.g., for law enforcement or defence) may be forced to terminate contracts. Providers should have contingency plans to remediate issues quickly or to migrate workloads to compliant infrastructure.
Common misconceptions
Misconception 1: The auditor automatically revokes the opinion upon any change. Reality: The auditor must assess the impact. Not every change leads to revocation. Some changes may be remediable, or may only affect specific criteria that allow for an amended report (e.g., a downgrade to a lower assurance level) rather than a full revocation. The outcome depends entirely on whether the provider still meets the cumulative criteria for any assurance level.
Misconception 2: The provider can notify the NCA directly and bypass the auditor. Reality: Article 23(1) requires notification to both the auditing organisation and the NCA. However, the assessment of whether the audit report needs amendment or revocation is explicitly the auditor's duty under Article 23(2). The NCA relies on the auditor's professional judgment for the technical aspects of compliance. Bypassing the auditor for the assessment phase would leave a gap in the regulatory chain, as the NCA is not equipped to perform the technical audit reassessment itself.
Misconception 3: This only applies to the initial audit. Reality: Article 23 applies to the ongoing lifecycle of the recognised service. While auditors conduct annual reviews under Article 20(8), Article 23 creates a separate, event-driven obligation triggered by material changes, regardless of when the last annual review occurred.
Misconception 4: The auditor's decision is final. Reality: While the auditor's opinion is central, the final recognition decision lies with the national competent authority. Under Article 23(3), the NCA assesses whether its recognition needs amendment or revocation based on the auditor's notification. Furthermore, under Article 17(11), the NCA can revoke recognition if the provider supplied incorrect or misleading information, which is a separate ground from the auditor's technical finding.
This is general information about a draft EU regulation, not legal advice.