Summary

Under the proposed Cloud and AI Development Act (CADA), the audit report and the accompanying audit opinion are the definitive evidentiary outputs for cloud services seeking Union assurance levels 2, 3, or 4. Article 20(5) mandates that the report must be substantiated in writing and include a comprehensive set of elements: the provider's details, the auditor's identification, a declaration of interests, a description of the methodology applied, a summary of findings, and a definitive 'positive' or 'negative' audit opinion. Crucially, if the opinion is 'negative', Article 20(5)(h) requires the auditing organisation to provide operational recommendations on specific measures to achieve compliance and a recommended timeframe to achieve it. These documents are submitted to the national competent authority to secure Union-wide recognition.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services, categorising them into four distinct 'Union assurance levels'. While Union assurance level 1 relies on a self-assessment mechanism, levels 2, 3, and 4 require independent third-party audits. The audit report and the associated audit opinion are the central evidentiary documents that demonstrate a cloud computing service provider's compliance with the strict cumulative criteria set out in Annex II of the proposal.

The Legal Basis for Independent Audits

Article 20 of the CADA proposal establishes the framework for these independent audits. It mandates that cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo independent third-party audits at their own expense (Article 20(1)). The auditing organisation, which must be independent from the provider and free from conflicts of interest, conducts the assessment and produces two key deliverables: the audit report and the audit opinion.

The audit opinion serves as the binary conclusion of the process: it is either 'positive', indicating that the provider complies with the applicable audit criteria, or 'negative', indicating non-compliance. The audit report is the comprehensive, written substantiation of that opinion, detailing the activities undertaken, the evidence gathered, and the conclusions reached. This report is not merely an internal record; it is the primary document reviewed by the national competent authority of establishment to determine whether to recognise the service across the Union.

Mandatory Contents of the Audit Report

Article 20(5) provides an exhaustive list of what must be included in the audit report. This ensures transparency, traceability, and a consistent standard of assessment across the Union. The auditing organisation must prepare a report for each audit that includes the following specific elements:

  1. Provider and Period Details: The name, address, and point of contact of the cloud computing service provider subject to the audit, along with the specific period covered by the audit (Article 20(5)(a)).
  2. Auditor Identification: The name and address of the auditing organisation or organisations performing the audit (Article 20(5)(b)).
  3. Declaration of Interests: A formal declaration of interests to confirm the auditor's independence and lack of conflict (Article 20(5)(c)). This is critical given the strict independence requirements in Article 20(4), which prohibit auditors from providing non-audit services to the provider in the 12 months before or after the audit.
  4. Scope and Methodology: A description of the specific aspects audited and the methodology applied during the assessment (Article 20(5)(d)). This section is crucial for understanding the depth and breadth of the review and how the auditor approached the criteria in Annex II.
  5. Summary of Findings: A description and a summary of the main findings drawn from the audit (Article 20(5)(e)). This section details the evidence collected and how it aligns (or fails to align) with the specific criteria for the requested assurance level.
  6. Third Parties Consulted: A list of the third parties consulted as part of the audit (Article 20(5)(f)). This may include subcontractors, data processors, or other entities involved in the service provision whose activities were reviewed.
  7. The Audit Opinion: A clear statement of whether the opinion is 'positive' or 'negative', and information on whether the audited service complies with the applicable audit criteria for Union assurance level 2, 3, or 4 (Article 20(5)(g)).
  8. Remediation for Negative Opinions: If the audit opinion is 'negative', the report must include operational recommendations on specific measures to achieve compliance and a recommended timeframe to achieve compliance (Article 20(5)(h)). This transforms the negative opinion from a simple rejection into a roadmap for remediation.
  9. Recognition Level for Positive Opinions: If the audit opinion is 'positive', the report must specify the Union assurance level that needs to be recognised under Article 17 (Article 20(5)(i)).

Handling Limitations in the Audit

Audits are not always straightforward. There may be instances where the auditing organisation is unable to audit certain aspects or cannot express a definitive audit opinion based on its investigations. In such cases, Article 20(6) requires that the audit report include an explanation of the circumstances and the reasons why those aspects could not be audited. This transparency is vital for the national competent authority to assess whether the lack of evidence is due to provider obstruction, technical impossibility, or other factors. Without this explanation, the authority cannot properly evaluate the validity of the audit.

The Nature of the Audit Opinion

The audit opinion is the decisive factor for recognition. A 'positive' opinion confirms that the evidence gathered shows the provider complies with the audit criteria and obligations set out by the Regulation. This allows the national competent authority to proceed with recognising the service at the appropriate Union assurance level, which is then registered in the central repository.

A 'negative' opinion is issued when the auditing organisation considers that the provider does not comply with the criteria. Crucially, the CADA does not leave the provider in a vacuum. As noted in Article 20(5)(h), the report must provide a path forward. The operational recommendations and recommended timeframe serve as a structured roadmap for the provider to address deficiencies. This allows the provider to implement the necessary changes and potentially reapply for recognition after remediation, rather than facing an indefinite ban.

Revocation, Updates, and Annual Review

The audit report and opinion are not static documents. Article 20(8) requires the audited provider to submit the audit report and the associated 'positive' audit opinion for annual review by the same or a different auditing organisation. This annual review assesses continued compliance with the applicable criteria. Based on this review, the auditing organisation may confirm, update, or revoke the initial audit report and opinion.

Furthermore, Article 20(7) states that the auditing organisation may revoke its audit report and opinion if the audited provider intentionally or negligently supplied incorrect or misleading audit evidence. This underscores the importance of honesty and accuracy during the evidence-gathering phase. If a provider is found to have manipulated data or hidden non-compliance, the audit opinion can be withdrawn, and the recognition granted by the competent authority would subsequently be at risk.

What this means for you

For cloud service providers and data centre operators aiming to serve the EU public sector or entities requiring high levels of sovereignty, understanding the structure and requirements of the CADA audit report is essential for securing recognition at the intended Union assurance level.

Prepare for Rigorous Documentation

The requirement for a 'declaration of interests' and a detailed 'methodology' means that your relationship with the auditor must be transparent from the outset. Ensure that your internal records are meticulously organised. The 'summary of findings' will be scrutinised by national competent authorities, so any gaps in your documentation could lead to a negative opinion or an inability to audit certain aspects. You must be prepared to provide evidence for every criterion in Annex II, from data localisation to personnel citizenship.

Plan for Remediation

If you receive a negative opinion, the CADA provides a structured way to recover. The report will include operational recommendations and a timeframe. Use this as a strict project plan. Engage with your auditing organisation to ensure you understand the specific measures required. Failure to adhere to the recommended timeframe or measures could jeopardise future audit attempts and your ability to secure Union assurance level recognition. Do not treat a negative opinion as a final failure; treat it as a diagnostic tool.

Annual Compliance is Key

Do not view the audit as a one-time event. The annual review requirement means you must maintain continuous compliance. Establish internal monitoring systems to ensure that your service continues to meet the criteria for your specific assurance level. Any material changes in circumstances must be reported promptly, as they may trigger a reassessment or revocation of your audit opinion. The audit is a living process, not a static certificate.

Choose Your Auditor Wisely

The credibility of your audit report depends on the competence and independence of the auditing organisation. Ensure your chosen auditor has the necessary expertise in cloud computing and risk management, and that they can demonstrate their independence through a clear declaration of interests. The auditor must be free from conflicts of interest, including not having provided non-audit services to you in the 12 months before or after the audit, as required by Article 20(4).

Common misconceptions

Misconception 1: The audit report is just a pass/fail certificate. Reality: The audit report is a detailed, substantiated document that includes methodology, findings, third-party consultations, and specific recommendations. It is not a simple certificate but a comprehensive record of the assessment process that must be submitted to the competent authority.

Misconception 2: A negative opinion means the end of the road. Reality: A negative opinion includes operational recommendations and a timeframe for remediation. It is a diagnostic tool that identifies specific areas of non-compliance and provides a path to achieve compliance. Providers can address these issues and undergo further audits to seek a positive opinion.

Misconception 3: The audit covers only technical cybersecurity. Reality: The audit criteria for Union assurance levels 2, 3, and 4 extend far beyond technical cybersecurity. They include sovereignty, data localisation, personnel citizenship, supply chain transparency, and the absence of third-country control. The audit report must reflect compliance with all these cumulative criteria.

Misconception 4: Auditors can omit parts of the report if they are unsure. Reality: If an auditor cannot audit certain aspects, they must explicitly state this in the report and explain why under Article 20(6). Omitting information without explanation is not permitted. Transparency about limitations is a mandatory part of the report structure.

This is general information about a draft EU regulation, not legal advice.