Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers (CSPs) face a continuous, proactive obligation to report "material changes in circumstances" that could affect their recognised Union assurance level. Article 23(1) mandates that CSPs notify their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of such changes. These changes are not limited to technical updates; they encompass any alteration to the legal, technical, or organisational conditions underpinning the criteria in Annex II for Union assurance levels 1 through 4. Critical triggers include shifts in third-country control, relocation of infrastructure or data outside the Union, changes in personnel citizenship or location, and the loss of required cybersecurity certifications. Failure to report promptly can lead to the amendment or revocation of recognition, with consequences published in the central repository.

Detail

The CADA proposal establishes a "Union cloud computing sovereignty framework" comprising four Union assurance levels (Article 16). To obtain and maintain recognition at any of these levels, a CSP must meet cumulative criteria detailed in Annex II of the proposal. Because these criteria are strict, multifaceted, and often tied to dynamic factors like ownership structures and personnel location, any change that impacts compliance constitutes a "material change" triggering transparency obligations under Article 23.

The reporting obligation under Article 23(1) is distinct from the periodic audit cycle. It is an immediate duty. If a CSP becomes aware of a change that may affect the audit report, the "positive" audit opinion under Article 20, or the recognition under Article 17, it must report it immediately. The purpose is to allow the auditing organisation to reassess, amend, or revoke the audit report, and to enable the competent authority to review the recognition status before the provider continues to operate under a potentially invalid assurance level.

Categories of Material Changes

Based on the criteria in Annex II and the definitions of control and establishment in the proposal, material changes generally fall into four primary categories: ownership and control, infrastructure and data localisation, personnel and governance, and cybersecurity and supply chain integrity.

1. Ownership and Control Changes

For Union assurance levels 2, 3, and 4, the criteria heavily restrict the extent to which a CSP can be subject to the control of a third country or a legal entity established in a third country. Article 18 provides a mechanism for associated third countries for Level 3, but strict conditions apply.

  • Change in Shareholding: A significant acquisition of shares by a third-country entity or individual that could confer "control" as defined in Article 2(21) (referencing Regulation (EU) 2021/697) is a material change. Even if the new shareholder holds less than 50%, if they possess veto rights, board nomination rights, or other strategic decision-making powers, this may constitute a change in control. For Levels 3 and 4, where the provider must not be subject to third-country control, any such shift is critical.
  • Corporate Governance Shifts: Changes in the composition of the board of directors, especially if third-country nationals or entities gain a majority or veto power, are material. The criteria in Annex II (e.g., Level 2, paragraph 2.1(g)) require demonstrating that third-country control does not restrain the provider's ability to perform the service or undermine capabilities. A change in governance that introduces such risk triggers reporting.
  • Subsidiary Separation: If a CSP maintains subsidiaries in third countries, Annex II requires effective legal, technical, and organisational separation between the Union parent and the third-country subsidiary. Any change in the subsidiary's access to Union customer data, privileged accounts, or operational staff in the Union is a material change. For instance, if a third-country subsidiary gains privileged access to Union production environments, this breaches the Level 2, 3, and 4 criteria.

2. Infrastructure and Data Localisation

Data sovereignty is a core pillar of the CADA framework. Annex II mandates that for Levels 1, 2, and 3, customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.

  • Change in Data Storage Locations: Moving primary, backup, or disaster recovery data storage from a Union data centre to a third-country facility is a material change. Even if the data is encrypted, the criteria require that no customer data is transferred outside the Union without explicit approval. A change in the physical or logical location of servers hosting customer data triggers Article 23.
  • Changes in Subcontractors: CSPs often rely on subcontractors for service delivery. Annex II requires that subcontractors involved in the provision of the service meet specific criteria (e.g., being established in the Union for Level 2). Onboarding a new subcontractor located outside the Union, or an existing subcontractor moving its operations outside the Union, is a material change. The CSP must demonstrate that necessary legal, technical, and organisational measures are implemented to ensure traceability and security, and that operational autonomy is not compromised.
  • Technical Support Locations: For Levels 2, 3, and 4, technical and operational support must be initiated and performed exclusively within the Union. If a CSP outsources its help desk, security operations centre (SOC), or network operations centre (NOC) to a third country, or if existing Union-based support teams are relocated abroad, this is a material change. The criteria explicitly forbid remote access for technical support from outside the Union for these higher levels.

3. Personnel and Citizenship Requirements

For higher assurance levels, the identity and location of personnel are critical.

  • Personnel Location: Annex II requires that personnel involved in the provision of the service are located in the Union for Levels 2, 3, and 4. A significant shift in workforce location, such as moving key operational staff to a third country, is a material change.
  • Citizenship and Security Clearance: For Level 3 and Level 4, personnel must be Union citizens. Additionally, when handling classified information, they must have necessary national security clearance. A change in the employment status of key personnel that results in non-Union citizens or uncleared individuals gaining access to sensitive systems or data is a material change. For Level 2, while citizenship is not strictly mandatory, the CSP must ensure that if a public sector body requests it, personnel meeting those requirements are available. A change in the provider's ability to meet such requests (e.g., loss of a pool of Union citizen staff) could be material.

4. Cybersecurity and Supply Chain Integrity

The proposal links sovereignty with robust cybersecurity. Annex II requires specific cybersecurity certifications and supply chain transparency.

  • Cybersecurity Certification Status: For Levels 2 and 3, the service must obtain a European cybersecurity certificate of at least assurance level 'substantial'. For Level 4, it must be 'high'. If a CSP loses this certification, or if the certification is suspended or revoked, this is a material change. Even if the certification is still valid, a significant change in the security posture that might affect the validity of the certificate (e.g., a major security breach) should be reported.
  • Software Supply Chain Changes: Annex II requires a complete and up-to-date Software Bill of Materials (SBOM) and controls over third-country software components. Introducing new software components from a third-country manufacturer that do not have documented migration plans or source code audits could be a material change. If a CSP changes its software stack in a way that increases reliance on third-country software without adequate controls, it must report this.
  • Open-Source Software Risks: If a CSP uses open-source software, it must demonstrate controls to prevent remote features that could tamper with the system. If a key open-source component is acquired by a third-country entity or foundation, or if its maintenance status changes such that it no longer meets security standards, this is a material change.

The Reporting Process

Under Article 23(1), the CSP notifies the auditing organisation and the national competent authority of establishment. The notification should include all relevant information to allow the auditor to assess the impact.

  • Auditor's Role: Upon notification, the auditing organisation assesses whether the audit report or opinion needs to be amended or revoked (Article 23(2)). If the auditor amends or revokes the report, it notifies the competent authority.
  • Competent Authority's Role: The competent authority then assesses whether its recognition of the CSP needs to be amended or revoked (Article 23(3)). If the recognition is amended or revoked, the authority notifies other Member States and the Commission.
  • Central Repository: Any revocation of an audit report or recognition is published in the central repository of cloud computing services (Article 22) and remains available for five years.

What this means for you

For cloud service providers and data centre operators, the material change reporting obligation under CADA is not a one-time compliance task but an ongoing governance requirement. You must integrate sovereignty and assurance level criteria into your change management processes.

  1. Map Your Assurance Criteria: Clearly document which specific criteria in Annex II apply to your current assurance level(s). For example, if you are Level 2, map your subcontractors, data flows, and personnel locations against criteria 2.1(a)–(k).
  2. Establish Internal Change Triggers: Define internal thresholds that trigger an Article 23 assessment. For instance, any change in shareholding above 5%, any new subcontractor outside the EU, or any change in data centre locations should automatically flag a review.
  3. Conduct Pre-Implementation Assessments: Before implementing any significant change (e.g., acquiring a new software vendor, moving staff, or changing board composition), assess its impact on your Union assurance level. If there is any doubt, consult with your auditing organisation proactively.
  4. Maintain Up-to-Date Documentation: Ensure your SBOM, subcontractor registers, and personnel records are current. Auditors will rely on this evidence to verify compliance. A lack of up-to-date documentation can itself be a material change if it hinders the audit process.
  5. Prepare for Rapid Notification: Article 23 requires notification "as soon as possible." Have a clear internal protocol for identifying and escalating material changes to the compliance team, who can then notify the auditor and competent authority. Delays in notification can lead to loss of recognition and reputational damage.

Common misconceptions

Misconception 1: Only technical changes matter. Many providers focus solely on technical changes like server migrations or software updates. However, CADA places equal weight on legal and organisational factors. Changes in ownership, board composition, or subcontracting arrangements are just as critical as data centre moves. A change in who controls the company can be a material change even if the technology remains identical.

Misconception 2: Encrypted data transfers outside the EU are not material. For Union assurance levels 1, 2, and 3, customer data must remain exclusively within the Union. Encryption does not exempt a transfer from this requirement unless the public sector body explicitly requires otherwise. Moving encrypted data to a third country for processing or storage is a material change that likely breaches the criteria.

Misconception 3: Small changes in ownership are irrelevant. The definition of "control" in CADA is broad and includes strategic decision-making powers, not just majority shareholding. Even a minority stake that confers veto rights or board seats can constitute a change in control, especially if the shareholder is from a third country. Providers must assess the qualitative impact of ownership changes, not just the quantitative percentage.

Misconception 4: Reporting is only for audit cycles. Article 23 imposes a continuous obligation. Providers must report material changes as soon as they become aware of them, not wait for the annual review or next audit. Proactive reporting demonstrates good governance and can prevent the automatic revocation of recognition.

Misconception 5: Level 1 has no material change obligations. While Level 1 has fewer criteria (e.g., no mandatory third-country control restrictions unless specified), it still requires that the provider is established in the Union and that infrastructure and data remain in the Union unless otherwise required. A change in the provider's establishment location or a move of data outside the Union without customer consent is a material change for Level 1 as well.

This is general information about a draft EU regulation, not legal advice.