Summary
If an auditing organisation issues a 'negative' audit opinion under the proposed Cloud and AI Development Act (CADA), your cloud computing service is not recognised at the targeted Union assurance level (2, 3, or 4). Consequently, you cannot be procured by public sector bodies requiring that specific level of sovereignty. However, the process is not terminal. As proposed, the auditor must provide specific operational recommendations and a recommended timeframe to achieve compliance. You must address these deficiencies and undergo a review to obtain a 'positive' opinion before recognition can be granted.
Detail
Under the proposed CADA, cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo independent third-party audits (Article 20). The audit culminates in an audit report containing an audit opinion. As proposed, if the auditing organisation concludes that the provider does not comply with the criteria set out in Annex II, it must issue a 'negative' audit opinion.
The immediate consequence of a negative opinion is that the provider cannot be recognised as offering that specific Union assurance level. According to Article 17, recognition is contingent upon submitting a 'positive' audit opinion along with all evidence provided during the audit. Without a positive opinion, the national competent authority of establishment cannot proceed with the recognition decision. Consequently, the service will not appear in the central repository of recognised services (Article 22) for that tier, rendering it ineligible for procurement by contracting authorities whose risk assessments mandate that specific assurance level (Article 30).
However, a negative opinion is not a permanent ban. The CADA framework is designed to be corrective. Article 20(5)(h) explicitly requires that where the audit opinion is 'negative', the audit report must include:
"operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance."
This provision ensures that a negative outcome provides a clear roadmap for remediation. The provider is expected to implement the recommended measures within the suggested timeframe. Once these measures are implemented, the provider must submit the audit report and the associated opinion for review. Under Article 20(8), the audited provider must annually submit the audit report and opinion for review by the same or a different auditing organisation. The auditing organisation then assesses continued compliance and may confirm, update, or revoke the initial report and opinion. In the context of a negative opinion, this review mechanism serves as the pathway to reassess compliance after remediation efforts have been undertaken. If the subsequent assessment confirms that the provider now meets the criteria, the auditor can issue a 'positive' opinion, enabling the provider to apply for recognition under Article 17.
It is crucial to distinguish between a negative opinion and a revoked opinion. A negative opinion is issued at the end of an audit when compliance is not met. A revocation occurs later if a provider, whose service was already recognised, intentionally or negligently supplied incorrect or misleading audit evidence (Article 20(7)). Both scenarios result in the loss or denial of the assurance level status, but the negative opinion is the initial finding of non-compliance during the certification process.
Furthermore, if the national competent authority has already accepted an application for recognition but the evidence (including the audit opinion) is insufficient, Article 17(5)(b) allows the authority to request further information. If the provider fails to provide this information within a specified time limit, the application may be rejected. A negative audit opinion inherently constitutes insufficient evidence for recognition, triggering the need for remediation and re-audit rather than immediate administrative rejection of the provider's right to apply in the future.
What this means for you
For cloud service providers and data centre operators, a negative audit opinion represents a significant operational hurdle but not a dead end. Your immediate priorities should be:
- Analyse the Recommendations: Treat the operational recommendations and the recommended timeframe in the audit report as a binding remediation plan. These are not suggestions; they are the specific gaps preventing your recognition.
- Implement and Document: Execute the recommended measures meticulously. Document every change, update, or policy adjustment made to address the non-compliance issues. This documentation will be critical for the subsequent review.
- Engage the Auditor: Maintain open communication with the auditing organisation. While the audit is independent, their guidance on whether your remediation efforts are likely to result in a positive outcome can help you avoid costly missteps.
- Prepare for Re-assessment: Once you believe you have met the criteria, prepare for the annual review or an earlier reassessment if permitted by the auditing organisation's procedures. You must demonstrate that the service now complies with all cumulative criteria for the targeted Union assurance level.
Remember, until you obtain a 'positive' opinion, your service cannot be marketed as offering that specific Union assurance level. Misrepresenting your status could lead to penalties under Article 24, which allows Member States to impose effective, proportionate, and dissuasive penalties for infringements, including supplying incorrect or misleading information.
Common misconceptions
- Misconception 1: A negative opinion means I am banned from the EU market.
  - Reality: A negative opinion only means you are not recognised at that specific Union assurance level (2, 3, or 4). You may still operate in the market, but you cannot claim that sovereign status. You might still be eligible for Union assurance level 1 (via self-assessment) or serve private sector clients not bound by the public procurement sovereignty requirements, provided you do not misrepresent your compliance status.
- Misconception 2: I can appeal the negative opinion to the national competent authority immediately.
  - Reality: The audit opinion is issued by an independent auditing organisation, not the national competent authority. The authority relies on this opinion for recognition. While you have rights to be heard in recognition proceedings (Article 17(5)(c)), you cannot directly appeal the auditor's technical finding to the authority. You must address the non-compliance issues identified by the auditor and seek a new, positive opinion.
- Misconception 3: I can switch to a different auditor to get a positive opinion.
  - Reality: While you are free to select an auditing organisation of your choice (Article 20(1)), the criteria for Union assurance levels are cumulative and strict. Switching auditors without addressing the underlying non-compliance issues will likely result in another negative opinion. Auditing organisations must adhere to high professional ethics and objectivity (Article 20(4)).
- Misconception 4: A negative opinion is final and cannot be overturned.
  - Reality: As outlined above, Article 20(5)(h) requires recommendations for compliance. The framework is designed for providers to remediate and re-apply. The annual review process (Article 20(8)) also allows for the confirmation or update of opinions based on continued compliance.
Related
- What goes into a CADA audit report and audit opinion?
- Who pays for the independent audit under CADA? Costs for Levels 1–4
- What happens if another Member State objects to my CADA recognition?
- What happens if a CADA strategic project designation is withdrawn?
- How to prepare for the annual CADA audit review: Article 20(8) explained
This is general information about a draft EU regulation, not legal advice.