Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must notify its auditing organisation and national competent authority of any material change that could affect its Union assurance level recognition. This notification is not a passive administrative update; it triggers a rigorous, evidence-based reassessment. The auditing organisation must use specific audit evidence defined in Article 21 and detailed in Annex III to decide whether to amend or revoke its audit opinion. This mechanism ensures that the "positive opinion" granted under Article 20 remains valid only as long as the provider can substantiate compliance with the evolving criteria in Annex II.

Detail

The CADA proposal establishes a dynamic transparency regime for cloud computing services recognised at Union assurance levels 2, 3, or 4. Unlike static certifications, this regime acknowledges that the sovereignty and security posture of a cloud provider can shift due to changes in infrastructure, personnel, legal environments, or subcontractor arrangements. The core mechanism ensuring the ongoing accuracy of these recognitions is the transparency obligation in Article 23, which is inextricably linked to the evidence framework in Article 21 and Annex III.

The Transparency Trigger: Article 23(1)

Article 23(1) imposes a strict, proactive duty on recognised cloud computing service providers. The text mandates that providers must notify the relevant parties "as soon as possible" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17."

The scope of "material change" is broad and critical to the integrity of the sovereignty framework. It encompasses any alteration that could impact the cumulative criteria for a specific assurance level. Examples include:

  • Infrastructure shifts: Moving data processing or storage outside the Union.
  • Personnel changes: Appointing non-Union citizens to roles requiring Union citizenship under Assurance Levels 3 and 4.
  • Subcontractor updates: Engaging new third-party providers outside the Union for technical support.
  • Legal environment changes: New laws in a third country that might compel data access or service disruption.

Failure to notify such changes breaks the chain of trust required for public sector procurement under Article 30 and exposes the provider to penalties under Article 24.

The Auditor's Assessment: Article 23(2) and the Evidence Mandate

Once a notification is received, the responsibility shifts to the auditing organisation. Article 23(2) explicitly states that the auditor must "assess whether the audit report or the audit opinion need to be amended or revoked." This is a substantive legal determination, not a clerical one.

Crucially, this assessment cannot be based on the provider's self-declaration alone. It is governed by Article 21, which defines the evidentiary standard for all compliance assessments. Article 21(1) mandates that auditing organisations assess compliance with the criteria in Annex II "on the basis of the audit evidence listed in Annex III."

Therefore, when a transparency notification arrives, the auditor is legally required to:

  1. Identify which assurance level criteria are potentially affected by the change.
  2. Request and verify the specific audit evidence listed in Annex III corresponding to those criteria.
  3. Determine if the existing evidence remains valid or if new evidence proves non-compliance.

If the evidence gathered does not support the continued validity of the "positive opinion," the auditor is compelled to amend or revoke the report.

The Role of Annex III: The Evidence Regime in Action

Annex III provides the granular checklist of evidence auditors must examine. When a material change is notified, the auditor maps the change to specific criteria in Annex II and then demands the corresponding proof from Annex III.

Example 1: Personnel Changes (Assurance Levels 3 & 4)

If a provider notifies a change in key personnel, the auditor must refer to Audit Criterion D in Annex III. For Assurance Levels 3 and 4, personnel involved in the service must be Union citizens. The auditor cannot accept a simple statement; it must request "valid official government issued documents (e.g. valid passport and national identity card)" and "organisational charts and job descriptions" to confirm that only Union citizens have access to operations. If the new personnel lack these documents, the evidence fails, and the opinion must be revoked.

Example 2: Data Localisation (All Levels)

If a provider notifies a change in data routing or storage, the auditor must refer to Audit Criterion C in Annex III. The auditor must examine "data flows diagram," "access logs," and "contractual agreements" to verify that customer data remains "exclusively within the Union." If the evidence shows data is now being transferred outside the Union without explicit public sector body approval, the auditor must revoke the opinion.

Example 3: Software Supply Chain (All Levels)

If a provider notifies a change in software components or vendors, the auditor must refer to Audit Criterion I in Annex III. The auditor requires a "complete and up-to-date software bill of materials (SBOM)" and evidence of "source code audits" for third-country components. If the provider cannot demonstrate that third-country vendors do not hold effective control or that migration plans exist, the evidence is insufficient.

The Notification Chain and Consequences

The process does not end with the auditor's decision. Article 23(2) requires the auditing organisation to notify the national competent authority of establishment "as soon as possible" if the report or opinion is amended or revoked.

Subsequently, Article 23(3) triggers a second layer of assessment. The national competent authority must "assess whether its recognition needs to be amended or revoked." If the authority decides to amend or revoke the recognition, it must "notify the national competent authorities of the other Member States and the Commission."

This chain ensures that a loss of assurance status is communicated across the EU immediately. The outcome is recorded in the central repository established under Article 22, which must be updated to reflect the revocation. This update is critical for contracting authorities under Article 30, who rely on the repository to verify that a provider still holds the required Union assurance level before awarding public contracts.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the interaction between Article 23, Article 21, and Annex III creates a continuous, evidence-heavy compliance obligation.

  1. Implement Real-Time Monitoring: You must establish internal systems to detect "material changes" the moment they occur. This includes monitoring changes in third-country laws, subcontractor status, and personnel citizenship. Waiting for an annual audit is insufficient; the obligation is triggered "as soon as possible" upon awareness.
  2. Prepare Evidence Packages in Advance: Do not wait for the auditor to ask for proof. If you anticipate a change (e.g., hiring a new CTO or migrating a database), prepare the specific evidence required by Annex III in advance. Have passports ready for citizenship checks, updated SBOMs for software changes, and fresh data flow diagrams for infrastructure shifts.
  3. Understand the "Evidence" Standard: Recognise that the auditor's decision is binary and evidence-driven. If the evidence in Annex III is missing or contradicts the provider's claim, the "positive opinion" will be revoked. There is no room for "good faith" arguments without documentary proof.
  4. Prepare for Procurement Impact: A revocation of the audit opinion under Article 23(2) leads to the loss of recognition under Article 17. This immediately disqualifies the provider from public sector contracts requiring Assurance Levels 2, 3, or 4 under Article 30. The financial impact can be severe.
  5. Manage the Notification Chain: Ensure your legal team understands that a notification to the auditor is just the first step. Be prepared for the subsequent notifications to the competent authority and the Commission, and the potential publication of the revocation in the central repository.

Common misconceptions

"Transparency notifications are just administrative updates." Incorrect. Under CADA, a transparency notification is a trigger for a full evidentiary reassessment. The auditor must apply the strict evidence requirements of Article 21 and Annex III. If the evidence does not support compliance, the audit opinion is revoked, not just "updated."

"Only major infrastructure changes require notification." Incorrect. The obligation covers "any material change in circumstances." This includes changes in personnel citizenship, subcontractor arrangements, software supply chains, and even changes in the legal environment of a third country that might affect the provider's ability to comply with sovereignty criteria.

"The auditor can rely on the provider's self-declaration." Incorrect. Article 21 and Annex III explicitly require verifiable evidence. Auditors must examine documents, logs, contracts, and certificates. A provider's statement that a change is "immaterial" is insufficient without the supporting evidence listed in Annex III.

"Revocation of the audit opinion is automatic upon notification." Incorrect. The auditor must first assess the evidence. If the provider can demonstrate through Annex III evidence that the change does not affect compliance (e.g., a new employee is a Union citizen and has the required clearance), the opinion may remain valid. Revocation only occurs if the evidence demonstrates non-compliance.

This is general information about a draft EU regulation, not legal advice.