Summary

Under the proposed Cloud and AI Development Act (CADA), "reliable" audit evidence is not merely a checklist of documents; it is information that is relevant, sufficient and, critically, deemed reliable according to the auditing organisation's professional judgment and scepticism. Article 21(2)(b) of the proposal explicitly mandates this standard to ensure that audits for Union assurance levels 2, 3, and 4 are robust and defensible. For in-house counsel, this means cloud providers must prepare for rigorous, sceptical scrutiny in which auditors actively challenge the validity of the evidence provided rather than passively accepting documentation. A "positive" audit opinion is only possible if the auditor, exercising this scepticism, concludes that the evidence supports the claim of compliance.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Level 1 relies on a conformity self-assessment, Union assurance levels 2, 3, and 4 require independent third-party audits to obtain an audit report and a "positive" audit opinion. The integrity of these higher assurance levels hinges entirely on the quality of the evidence collected. Article 21, titled "Content and quality of audit evidence," sets the definitive legal standard for what constitutes acceptable proof of compliance.

The Legal Standard: Relevance, Sufficiency, and Reliability

Article 21(1) establishes that auditing organisations must assess compliance with the criteria set out in Annex II based on the audit evidence listed in Annex III. However, the proposal goes beyond a simple checklist of required documents. Article 21(2) establishes two cumulative conditions that all audit evidence must satisfy:

  1. Relevance and Sufficiency: The evidence must be "relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion" (Article 21(2)(a)).
  2. Reliability: The evidence must be "reliable, according to the auditing organisation's professional judgment and scepticism" (Article 21(2)(b)).

This second condition is the cornerstone of the CADA audit regime. By explicitly tying reliability to "professional judgment and scepticism," the CADA proposal elevates the auditor's role from a passive reviewer of submitted documents to an active verifier of facts. It codifies the principle that auditors cannot simply accept data at face value; they must apply a sceptical mindset to assess whether the evidence is trustworthy, accurate, and free from manipulation or omission. This aligns with international auditing standards but embeds them directly into the EU's cloud sovereignty legal framework.

The Role of Professional Scepticism in CADA

"Professional scepticism" is a well-established concept in auditing, but its inclusion in Article 21(2)(b) carries specific legal weight under CADA. It implies that the auditing organisation must question the validity of the evidence, particularly when that evidence is generated or provided by the cloud computing service provider itself.

For example, under Annex II, cloud providers seeking Level 2, 3, or 4 recognition must demonstrate that customer data remains exclusively within the Union. If a provider submits a signed declaration stating this is the case, the auditor cannot rely on that declaration alone. Guided by the requirement in Article 21(2)(b), the auditor must scrutinise the underlying technical logs, access control records, data flow diagrams, and contractual agreements to verify the claim independently.

If the auditor's professional scepticism leads them to believe the evidence is flawed, incomplete, or potentially misleading, they are legally barred from issuing a "positive" audit opinion. Article 20(5)(g) requires the audit report to include a "positive" or "negative" audit opinion based on the conclusions drawn from the audit evidence. Consequently, the reliability standard in Article 21 acts as a gatekeeper: only services with verifiable, robust, and sceptically validated compliance can receive recognition.

Annex III: An Indicative, Not Exhaustive, List

While Article 21 sets the qualitative standard for evidence, Annex III provides an indicative list of the types of evidence auditing organisations should request. This includes technical documentation, access logs, contractual agreements, architectural diagrams, and proof of personnel location.

Crucially, the proposal clarifies that Annex III is indicative and "does not limit the evidence that may be requested or considered by the auditing organisations." Auditing organisations may seek any additional information necessary to ensure a comprehensive and accurate assessment. This flexibility is essential because the nature of cloud services varies widely. The reliability standard in Article 21(2)(b) empowers auditors to adapt their evidence requirements to the specific risks and complexities of a provider's infrastructure, ensuring that the "relevance and sufficiency" test is met in every unique case.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the emphasis on "reliable" evidence under Article 21(2)(b) signals a shift towards a more rigorous, evidence-based compliance culture. Here is how you should prepare:

1. Prepare for Active Scrutiny, Not Passive Review: Your cloud provider must anticipate that auditors will not simply tick boxes against Annex III. They will apply professional scepticism to every claim. Ensure that your technical teams can not only produce documents but also explain and defend the underlying data. For instance, if you claim that third-country personnel have no access to EU data, you must have granular access logs, identity management records, and network diagrams that prove this without ambiguity.

2. Ensure Data Integrity and Traceability: Reliable evidence must be traceable and tamper-proof. Implement robust logging and monitoring systems that can withstand an auditor's sceptical review. If an auditor questions whether a log entry was altered, your provider must be able to demonstrate the integrity of the logging system itself, potentially through cryptographic verification or immutable storage solutions. Evidence that cannot be verified is not "reliable" under Article 21(2)(b).

3. Document the Audit Trail: Maintain a clear, comprehensive audit trail for all processes related to Union assurance levels 2, 3, and 4. This includes not just the final state of compliance, but the historical data that supports it. Auditors may need to look back to verify that controls were consistently applied over time. Gaps in the timeline can undermine the reliability of the entire evidence set.

4. Engage Early with Auditing Organisations: Given the high stakes of a "negative" audit opinion, engage with potential auditing organisations early in the process. Discuss their interpretation of "reliable evidence" and how they plan to apply professional scepticism to your specific architecture. This can help identify gaps in your evidence collection processes before the formal audit begins, preventing costly delays.

5. Beware of Penalties for Misleading Evidence: Article 20(7) states that an auditing organisation may revoke its audit report if the provider intentionally or negligently supplied incorrect or misleading audit evidence. Furthermore, Article 24 outlines penalties for infringements, which can include significant fines and compensation claims. Ensuring the reliability and accuracy of your evidence is not just a best practice; it is a legal necessity to avoid severe regulatory consequences.
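Points 2 and 3 above call for tamper-evident logging and a gap-free audit trail without showing what that looks like in practice. The following Python is an added illustration, not code from the CADA proposal or from any cloud provider: a minimal hash-chained, append-only log together with the two checks an auditor applying Article 21(2)(b) scepticism could run over it, namely chain verification against a previously published head hash (which exposes edited, deleted, reordered or truncated entries) and a timestamp-gap scan (which exposes periods the evidence does not cover). The record format, function names, heartbeat interval, actor names, regions and timestamps are all constructed assumptions for the example.

```python
# Added example (not from the CADA proposal or any provider's code): a minimal
# hash-chained, append-only log and the checks an auditor could run over it.
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always hashes to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, ts: int, event: dict, prev_hash: str) -> str:
    # The hash covers sequence number, timestamp, event and previous hash, so
    # altering, deleting or reordering any earlier entry breaks every later link.
    payload = {"seq": seq, "ts": ts, "event": event, "prev": prev_hash}
    return hashlib.sha256(_canonical(payload)).hexdigest()


@dataclass
class LogEntry:
    seq: int
    ts: int  # Unix time in seconds
    event: dict
    prev_hash: str
    hash: str


class HashChainedLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, ts: int, event: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1].hash if self.entries else GENESIS
        h = entry_hash(seq, ts, event, prev)
        self.entries.append(LogEntry(seq, ts, event, prev, h))
        return h

    def head(self) -> str:
        # The head hash is what a provider would publish or write to
        # write-once storage so an auditor can detect silent truncation.
        return self.entries[-1].hash if self.entries else GENESIS


def verify_chain(entries: List[LogEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    entry that fails (len(entries) if only the published head mismatches)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i  # deleted, inserted or reordered entry
        if entry_hash(e.seq, e.ts, e.event, e.prev_hash) != e.hash:
            return i  # entry contents altered after the fact
        prev = e.hash
    if expected_head is not None and prev != expected_head:
        return len(entries)  # tail of the log is missing
    return None


def find_time_gaps(entries: List[LogEntry], max_gap_seconds: int) -> List[Tuple[int, int]]:
    """Pairs of consecutive sequence numbers whose timestamps are further apart
    than max_gap_seconds. For a log that should carry a regular heartbeat,
    each pair marks a period for which no evidence exists."""
    gaps: List[Tuple[int, int]] = []
    for a, b in zip(entries, entries[1:]):
        if b.ts - a.ts > max_gap_seconds:
            gaps.append((a.seq, b.seq))
    return gaps


def build_sample_log() -> HashChainedLog:
    # Constructed sample: data-access events a provider might retain to support
    # a Union-residency claim. Actors, regions and times are invented.
    log = HashChainedLog()
    log.append(1_700_000_000, {"actor": "svc-backup", "op": "read", "region": "eu-west-1"})
    log.append(1_700_000_060, {"actor": "admin-eu-17", "op": "write", "region": "eu-central-1"})
    log.append(1_700_000_120, {"actor": "svc-backup", "op": "read", "region": "eu-west-1"})
    log.append(1_700_003_900, {"actor": "svc-backup", "op": "read", "region": "eu-west-1"})  # 63 min later
    return log


def tampered_copy(log: HashChainedLog, seq: int, field_name: str, value) -> List[LogEntry]:
    # Simulate an after-the-fact edit of one entry without recomputing hashes.
    entries = copy.deepcopy(log.entries)
    entries[seq].event[field_name] = value
    return entries


if __name__ == "__main__":
    log = build_sample_log()
    published_head = log.head()
    print("intact:", verify_chain(log.entries, published_head))
    print("edited entry:", verify_chain(tampered_copy(log, 1, "region", "us-east-1"), published_head))
    print("truncated log:", verify_chain(log.entries[:-1], published_head))
    print("coverage gaps:", find_time_gaps(log.entries, max_gap_seconds=300))
```

The chain only proves that the record has not changed since the head hash was published; it says nothing about whether the events were logged correctly in the first place, which is why the head must be anchored somewhere the provider cannot later rewrite and why the auditor still corroborates the log against access-control records and contracts, as the Detail section describes.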

Common misconceptions

Misconception 1: "If we provide all the documents in Annex III, we are compliant." Annex III is indicative, not exhaustive. Article 21(2)(b) requires evidence to be reliable. Providing documents that are incomplete, outdated, or internally contradictory will fail the reliability test, even if they technically match the list in Annex III. Auditors have the discretion to request additional evidence if the provided material is insufficient to form a reliable opinion.

Misconception 2: "Professional scepticism means the auditor distrusts us." Professional scepticism is a standard auditing mindset, not a personal accusation. It means the auditor must maintain an objective, questioning mind and critically assess audit evidence. It does not assume dishonesty, but it does require verification. Providers should view this as a rigorous quality check rather than an adversarial investigation.

Misconception 3: "Reliability is only about technical data." While technical logs are crucial, reliability also applies to organisational and contractual evidence. For example, contracts with subcontractors must clearly reflect the sovereignty requirements. If a contract allows for data transfer outside the EU, but technical logs show no such transfer, the evidence is still unreliable because the contractual framework contradicts the assurance level claims. The auditor's judgment must reconcile all forms of evidence.

This is general information about a draft EU regulation, not legal advice.