Summary

Under the proposed Cloud and AI Development Act (CADA), "relevant and sufficient" audit evidence is the legal standard required for an auditing organisation to issue a valid audit report and a formal opinion on a cloud provider's compliance with Union assurance levels. As explicitly defined in Article 21(2)(a), this evidence must be "relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion." Crucially, this evidence must be directly tied to the specific sovereignty criteria in Annex II and supported by the indicative checklist in Annex III. It must also be "reliable," judged by the auditor's professional scepticism. Without meeting this standard, a provider cannot achieve recognition at Union assurance levels 2, 3, or 4, effectively barring them from public-sector procurement under the proposed framework.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services. For providers seeking recognition at Union assurance levels 2, 3, or 4, the Act mandates independent third-party audits. The quality and nature of the evidence submitted during these audits are not merely administrative formalities; they are the legal bedrock upon which the entire recognition process rests. Article 21, titled "Content and quality of audit evidence," sets the definitive legal standard for what constitutes acceptable proof of compliance.

The Legal Standard: Article 21(2)(a)

The core definition of acceptable evidence is found in Article 21(2), which establishes two mandatory, cumulative conditions that all audit evidence must satisfy.

First, Article 21(2)(a) states that audit evidence must be "relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion." This phrasing is functional and outcome-oriented. It does not simply ask for "documents"; it demands information that is capable of supporting a definitive conclusion.

  • Relevance implies a direct logical link between the evidence provided and the specific sovereignty criterion being tested. For instance, a general cybersecurity certificate is not "relevant" to proving the citizenship of personnel; only employment contracts and identity documents would be.
  • Sufficiency implies that the volume and depth of the evidence are adequate to eliminate reasonable doubt. If evidence is sparse, fragmented, or relies on unverified assertions, it fails the sufficiency test, and the auditor cannot issue a "positive" opinion.

Second, Article 21(2)(b) mandates that the evidence must be "reliable, according to the auditing organisation's professional judgment and scepticism." This clause empowers the auditor to critically evaluate the source, accuracy, and integrity of the data. Providers cannot rely solely on self-declarations or marketing materials; they must provide verifiable, objective data such as system logs, binding contractual agreements, organisational charts, and source code access records that withstand professional scrutiny.

The Relationship Between Article 21, Annex II, and Annex III

The "relevance" of the evidence is strictly tethered to the Union assurance levels and their corresponding criteria set out in Annex II. The Act does not allow for generic compliance; the evidence must map precisely to the specific requirements of the target level.

  • Annex II defines the substantive criteria. For example, Union assurance level 2 requires proof that infrastructure, assets, and personnel are located in the Union, and that customer data remains exclusively within the Union. Union assurance level 3 adds the requirement that personnel must be Union citizens (with security clearances where applicable) and that the service obtains a European cybersecurity certificate of at least "substantial" assurance. Union assurance level 4 imposes the highest bar, including strict controls on software supply chains and a prohibition on third-country control.

  • Annex III, titled "Audit evidence for the audit procedure," provides the indicative checklist of evidence auditors should request to assess compliance with Annex II. The preamble to Annex III explicitly states that it "is indicative and does not limit the evidence that may be requested." This is a critical distinction: Annex III serves as a baseline, not a ceiling. Auditors retain the discretion to request additional information if the listed items are insufficient to form a reliable opinion under Article 21(2)(b).

For example, to prove Union establishment (Annex II, Criterion A), Annex III lists specific evidence such as national company extracts, tax residency documentation, VAT registration, and proof of physical offices or permanent staff in the Union. To prove Data localisation (Annex II, Criterion C), Annex III requires data flow diagrams, access logs, and contractual agreements demonstrating that no customer data leaves the Union without explicit public sector approval.

If a provider fails to supply evidence that meets the Article 21(2) standard (meaning the evidence is not relevant to the specific Annex II criterion, or is insufficient to support a conclusion), the auditor cannot issue a "positive" audit opinion. Under Article 17, a "positive" audit opinion is a prerequisite for the national competent authority to recognise the service. Without recognition, the provider is ineligible to supply cloud services to Union entities and public sector bodies that require Union assurance levels 2, 3, or 4.

The Role of Professional Scepticism

Article 21(2)(b) places a significant burden on the auditor's professional judgment. The Act requires auditors to apply "professional judgment and scepticism" when assessing reliability. This means auditors must verify that the evidence is not only present but also authentic and accurate. For instance, a provider might submit a data flow diagram, but if the auditor's professional scepticism suggests the diagram does not reflect actual operational reality (e.g., hidden backup routes to third countries), the evidence is deemed unreliable. The auditor is empowered to request further verification, such as on-site inspections or independent technical testing, to satisfy the "reliability" requirement.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the "relevant and sufficient" standard fundamentally shifts the burden of proof. You cannot rely on generic compliance certificates, high-level policy statements, or self-declarations (which are only permitted for Level 1 under Article 19). Instead, you must prepare granular, technical, and legal documentation that maps directly to the Annex II criteria.

Key Strategic Obligations:

  • Evidence Mapping and Gap Analysis: Conduct a rigorous internal gap analysis against Annex III. Ensure you have documented evidence for every criterion relevant to your target assurance level. For example, if you aim for Level 3, you must have verifiable proof of Union citizenship for all personnel involved in service provision, not just senior management. This includes subcontractors.
  • Data Integrity and Log Retention: Ensure your systems generate and retain logs that can serve as audit evidence. This includes access logs, data flow records, change management documentation, and incident response records. These logs must be tamper-proof, time-stamped, and readily accessible to auditors.
  • Third-Party Management: If you use subcontractors, you must provide evidence that they also meet the relevant criteria. This includes contractual clauses, due diligence reports, and ongoing oversight records. Under Annex II, the provider is responsible for the compliance of its subcontractors.
  • Auditor Cooperation: Article 20 requires providers to cooperate fully with auditors, providing access to all relevant data and premises. Failure to provide "sufficient" evidence can be interpreted as non-compliance or obstruction, potentially leading to a "negative" audit opinion.

Deadlines and Consequences: While CADA does not set a fixed deadline for evidence submission (as it depends on the audit schedule), the recognition process under Article 17 has strict timelines. The national competent authority has 60 days to assess the evidence after application. Delays in providing sufficient evidence can stall recognition, impacting your ability to bid for public contracts.

Penalties for non-compliance are outlined in Article 24. Member States must impose effective, proportionate, and dissuasive penalties. These can include fines based on the nature, gravity, and duration of the infringement, as well as the financial benefits gained. If a provider is found to have supplied incorrect or misleading evidence, the auditor can revoke the audit report, and the competent authority can revoke the recognition.

Common misconceptions

Misconception 1: Annex III is an exhaustive checklist. Many providers assume that if they provide all items listed in Annex III, they are compliant. This is incorrect. The Act explicitly states that Annex III is "indicative." Auditors may request additional evidence if they deem the provided information insufficient to form a reliable opinion under Article 21(2)(b). You must be prepared to provide supplementary documentation upon request.

Misconception 2: Self-declarations are sufficient for higher levels. Providers often believe that signing a statement of conformity is enough for higher assurance levels. However, Article 20 requires independent third-party audits for Levels 2, 3, and 4. Self-declarations are only permitted for Level 1 (Article 19). For Levels 2-4, you must provide objective, verifiable evidence that withstands professional scepticism.

Misconception 3: "Relevant" means any document related to cloud services. Evidence must be specifically relevant to the sovereignty criteria in Annex II. General cybersecurity certificates (unless they meet the specific assurance levels in Annex II), ISO standards, or financial reports, while valuable, do not automatically prove compliance with CADA's specific data localisation or personnel citizenship requirements. You must provide evidence that directly addresses these specific legal criteria.

Misconception 4: Reliability is a formality. The requirement for "reliability" under Article 21(2)(b) is not a mere formality. It empowers auditors to reject evidence that appears self-serving, unverified, or inconsistent with other data. Providers must ensure their evidence is robust, verifiable, and capable of withstanding rigorous professional scrutiny.

This is general information about a draft EU regulation, not legal advice.