Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers must notify auditing organisations and national competent authorities of material changes "as soon as possible" (Article 23). The proposal does not define a fixed statutory deadline (e.g., 24 or 72 hours); instead, it imposes a continuous duty of prompt notification without undue delay to ensure the accuracy of Union assurance level recognitions. For in-house counsel, this requires establishing immediate internal escalation protocols for any event that could affect a provider's sovereignty status, as failure to comply triggers the penalty regime in Article 24.

Detail

The Legal Basis: Article 23 Transparency Obligations

The Cloud and AI Development Act introduces a rigorous sovereignty framework for cloud computing services, categorised into four Union assurance levels. To maintain the integrity of this framework, CADA imposes strict transparency obligations on providers. These are codified in Article 23, which mandates that providers actively monitor their operational and legal circumstances and report material changes that could impact their recognised assurance level.

The obligation is triggered by the provider becoming "aware of any information or any material change in circumstances." This is a broad standard that likely encompasses changes in ownership, control structures, data localisation practices, cybersecurity incidents, or alterations in subcontractor arrangements that affect compliance with the criteria in Annex II.

Article 23(1) establishes the primary duty:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

The phrase "as soon as possible" is a standard legal formulation in EU regulatory texts indicating immediacy relative to the provider's knowledge. It does not permit administrative lag or routine batching of reports. The notification must be directed to two distinct entities:

  1. The Auditing Organisation: The independent third party that issued the audit report and opinion for Union assurance levels 2, 3, or 4.
  2. The National Competent Authority of Establishment: The regulatory body in the Member State where the provider has its main establishment.

The Cascade of Consequences: Articles 23(2) and 23(3)

The notification under Article 23(1) is not an endpoint; it initiates a regulatory cascade designed to reassess the provider's status.

Article 23(2) places the onus on the auditing organisation to react to the notification:

"On the basis of the notification under paragraph 1, the auditing organisation shall assess whether the audit report or the audit opinion need to be amended or revoked. Where the auditing organisation amends or revokes the audit report or the audit opinion, it shall, as soon as possible, notify the national competent authority of establishment."

This creates a second layer of "as soon as possible" timing. If a provider notifies an auditor of a breach (e.g., a data centre fire forcing data migration outside the Union), the auditor must promptly evaluate whether the service still meets the criteria for its claimed assurance level. If the auditor amends or revokes its opinion, it must immediately inform the competent authority.

Article 23(3) completes the loop with the regulator:

"On the basis of the notification referred to in paragraph 1 or 2, the national competent authority of establishment shall assess whether its recognition needs to be amended or revoked. Where the national competent authority of establishment amends or revokes its recognition of the cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission."

This ensures that a loss of sovereignty assurance in one Member State is rapidly communicated across the Union, preventing other Member States from continuing to rely on a service that no longer meets the required standards.

Interpretation of "As Soon As Possible"

Because CADA does not specify a precise number of hours or days, in-house counsel must interpret this standard through the lens of regulatory intent and risk management.

  1. Immediacy vs. Reasonable Time: "As soon as possible" generally implies that notification should occur within the same business day of becoming aware of the material change, or within 24 hours for complex events where initial verification is required. It does not mean "as soon as the legal department has reviewed the contract."
  2. Materiality Threshold: The obligation triggers only for changes that "may affect" the audit report or recognition. Providers must have a clear internal policy defining what constitutes a "material change" under Annex II criteria (e.g., loss of EU citizenship for key personnel at Level 3, or data leaving the Union).
  3. Good Faith and Proportionality: While speed is critical, the notification should contain sufficient detail to allow the auditor and authority to begin their assessment. However, if full details are not immediately available, the initial notification should still be sent promptly, with a follow-up containing complete information.

Penalties and Enforcement

The seriousness of these transparency obligations is underscored by Article 24, which empowers Member States to impose penalties for infringements of Chapter I of Title IV (which includes Article 23).

Article 24(1) states that penalties must be "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing penalties, including:

  • The nature, gravity, scale, and duration of the infringement.
  • Financial benefits gained or losses avoided.
  • The infringing party's annual turnover in the Union.

Failure to notify a material change "as soon as possible" could be viewed as an infringement that undermines the entire sovereignty framework. If a provider delays notification, it may continue to operate under a false assurance level, exposing public sector bodies to unapproved risks. This could lead to severe financial penalties based on the provider's global turnover, similar to regimes under the GDPR or AI Act.

Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation for damages suffered due to a provider's infringement of these obligations. This creates significant commercial risk for providers who fail to maintain transparent communication with regulators.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, the "as soon as possible" requirement in Article 23 demands proactive operational changes:

  1. Define "Material Change" Internally: Map all criteria in Annex II (e.g., data location, personnel citizenship, third-country control) to internal operational metrics. Create a definitive list of events that trigger Article 23 notifications.
  2. Establish Escalation Protocols: Implement automated or manual triggers for immediate reporting. When a security incident or legal change occurs, the compliance team must be alerted within hours, not weeks.
  3. Draft Pre-Agreed Notification Templates: Work with your auditing organisation to agree on a standard format for Article 23 notifications. This reduces administrative delay during crises.
  4. Monitor Subcontractors: Since changes in subcontractors can affect assurance levels (especially for Levels 2–4), ensure your vendor management processes include immediate reporting clauses for any subcontractor that fails sovereignty criteria.
  5. Prepare for Regulatory Scrutiny: National competent authorities will likely review the timeliness of past notifications during audits. Maintain detailed logs of when a change was discovered, when the decision to notify was made, and when the notification was sent.

Common misconceptions

  • "I can wait until the next quarterly audit to report changes." Incorrect. Article 23 requires notification upon becoming aware of the change. Waiting for a scheduled audit could result in months of non-compliance, leading to severe penalties under Article 24.
  • "Only cybersecurity incidents need immediate reporting." Incorrect. Any change affecting the criteria in Annex II is material. This includes corporate restructuring, changes in ultimate beneficial ownership, or even routine operational shifts that move data processing outside the Union without explicit public sector consent.
  • "The auditing organisation is solely responsible for monitoring my compliance." Incorrect. While auditors assess compliance, Article 23 places the primary duty of notification on the provider. The provider must actively monitor and report; the auditor reacts to that report.
  • "As soon as possible means within 30 days." Unlikely. Given the systemic risk nature of cloud sovereignty, regulators will interpret "as soon as possible" as requiring near-real-time notification (e.g., within 24–48 hours). A 30-day delay would likely be deemed unreasonable and a breach of the duty.

This is general information about a draft EU regulation, not legal advice.