Summary
Under the proposed Cloud and AI Development Act (CADA), if an independent auditor is unable to assess specific aspects of a cloud computing service, they are not permitted to issue a vague or "qualified" opinion. Instead, Article 20(6) explicitly mandates that the audit report must include a detailed explanation of the circumstances and reasons why those aspects could not be audited. This transparency requirement ensures that competent authorities and public sector buyers can accurately evaluate the service's compliance with Union assurance levels, preventing gaps in verification from masking potential sovereignty or security risks.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for assessing the sovereignty and trustworthiness of cloud computing services, particularly for public sector procurement. Central to this framework is the requirement for independent third-party audits for services seeking recognition at Union assurance levels 2, 3, and 4. These audits are critical because they validate that a provider meets strict cumulative criteria regarding data localization, personnel citizenship, infrastructure location, and freedom from third-country control.
However, audits are complex technical and legal exercises. There may be instances where an auditor is unable to verify certain elements due to technical limitations, lack of access, proprietary constraints, or operational barriers. CADA addresses this scenario explicitly to prevent auditors from issuing ambiguous reports that could mislead public authorities.
The Mandatory Explanation Under Article 20(6)
Article 20 of the CADA proposal outlines the procedural requirements for independent audits. Paragraph 6 specifically addresses scenarios where the auditing organization encounters obstacles that prevent a complete assessment of the service against the criteria in Annex II.
As stated in Article 20(6):
"Where the auditing organisation was unable to audit certain aspects or to express an audit opinion based on its investigations, the audit report shall include an explanation of the circumstances and the reasons why those aspects could not be audited."
This provision serves several key purposes within the sovereignty framework:
- Transparency and Truthfulness: It prevents the "black box" problem where a compliance status is granted without full visibility into the underlying systems. If an auditor cannot verify a specific criterion (e.g., the physical location of backup servers, the independence of a subcontractor, or the source code of a critical component), they must disclose this gap explicitly. The report cannot simply omit the issue or issue a generic positive opinion.
- Informed Decision-Making: Public sector contracting authorities and national competent authorities rely on these reports to make procurement decisions under Article 30. An explanation of why an aspect could not be audited allows these authorities to assess whether the gap poses an unacceptable risk to public order or data sovereignty. For instance, if a provider cannot demonstrate that data remains exclusively within the Union because of a technical limitation in their logging system, the authority can determine if this is a dealbreaker for their specific risk assessment.
- Accountability and Cooperation: It holds the cloud computing service provider accountable for providing necessary access and cooperation. Under Article 20(2), providers are required to cooperate with auditing organizations and provide assistance, including access to all relevant data and premises, and to answer oral or written questions. If aspects remain unaudited, the report must clarify whether this was due to the provider's failure to cooperate, the auditor's inability to access specific data, or other external factors.
Impact on the Audit Opinion
The audit opinion is the definitive conclusion of the process. Article 20(5) requires the report to include a "positive" or "negative" audit opinion. A "positive" opinion confirms that the audited service complies with the applicable criteria for the specific Union assurance level. A "negative" opinion indicates that the provider does not comply.
If aspects cannot be audited, the auditor cannot simply issue a positive opinion with a footnote or a "qualified" statement. The requirement to explain the unaudited aspects in the report ensures that the final opinion is grounded in verifiable evidence.
- If the unaudited aspects are critical: If the aspects that could not be audited are essential to meeting the criteria for the requested assurance level (e.g., data localization for Level 2), the inability to audit them will logically lead to a negative opinion or a determination that the provider does not yet meet the requirements for recognition.
- If the unaudited aspects are non-critical: While the report must explain the circumstances, the auditor may still issue a positive opinion if the verified evidence is sufficient to conclude compliance. The explanation nevertheless remains a permanent part of the record for the competent authority's review.
Relationship with Provider Obligations and Enforcement
This requirement for auditors aligns directly with the obligations placed on cloud computing service providers. Article 20(2) mandates that audited providers must:
- Cooperate with auditing organizations.
- Provide necessary assistance to enable effective, efficient, and timely audits.
- Grant access to all relevant data and premises.
- Answer oral or written questions.
- Refrain from hampering, unduly influencing, or undermining the performance of the audit.
If an auditor cites a lack of cooperation or access as the reason for being unable to audit certain aspects, this may trigger further scrutiny by national competent authorities. Under Article 26, competent authorities have investigative powers, including the power to require information, carry out inspections, and impose fines or periodic penalty payments for failure to comply with the Regulation. A report citing non-cooperation could be the trigger for such enforcement actions.
Furthermore, under Article 23, if a provider becomes aware of material changes or circumstances that affect the audit report, they must notify the auditor and the competent authority. If an unaudited aspect later becomes auditable or if the circumstances change, the provider must ensure the audit report is updated or revoked.
What this means for you
For in-house counsel, compliance officers, and procurement teams, Article 20(6) has significant operational implications. You must prepare your organization for the possibility that certain technical or organizational aspects may be difficult to verify during an audit.
1. Proactive Access Management for Providers: If you are a cloud computing service provider, ensure that your technical teams and subcontractors are prepared to provide immediate access to data, premises, and documentation. If an auditor cannot access a specific data center, a subcontractor's logs, or a specific code repository, they will be required to explain this in the report. This explanation could negatively impact your recognition status under Article 17. Do not assume that a "best effort" approach is sufficient; the Regulation requires full cooperation.
2. Documentation of Limitations: If there are legitimate reasons why certain aspects cannot be audited (e.g., proprietary trade secrets that are not relevant to sovereignty criteria, or technical architectures that require specialized expertise), document these clearly. Engage with the auditor early to agree on alternative verification methods if possible. Remember, too, that although auditors must guarantee confidentiality under Article 20(3), confidentiality cannot be used as a means to circumvent audit obligations.
3. Risk Assessment for Public Sector Buyers: For public sector buyers, an audit report containing explanations under Article 20(6) requires careful evaluation. You must assess whether the unaudited aspects are material to the specific Union assurance level required for your use case. If critical sovereignty criteria (such as data localization, personnel citizenship, or absence of third-country control) could not be verified, the service may not be suitable for procurement under Article 30. The explanation in the report is a key risk indicator.
4. Preparation for Competent Authority Review: National competent authorities will review audit reports as part of the recognition process under Article 17. If an audit report includes significant unaudited aspects, the competent authority may request further information, delay the recognition, or reject the application. Be prepared to address these gaps promptly if you are the provider, or to interpret them carefully if you are the buyer.
Common misconceptions
Misconception 1: Auditors can issue a "qualified" opinion. Unlike traditional financial audits, CADA does not provide for a "qualified" opinion where the auditor states that "except for specific issues, the service is compliant." Article 20(5) specifies only "positive" or "negative" opinions. If aspects cannot be audited, the auditor must explain why in the report, and this explanation will inform whether the final opinion is positive or negative. There is no middle ground of "compliant with reservations."
Misconception 2: The provider can refuse access to protect trade secrets. While trade secrets are protected, Article 20(2) requires providers to give auditors access to all relevant data and premises. Refusing access to information necessary to verify sovereignty criteria (such as data flow diagrams, personnel contracts, or source code for critical components) will likely result in those aspects being unaudited. This must then be explained in the report under Article 20(6), potentially leading to a negative opinion or rejection of recognition.
Misconception 3: Unaudited aspects are automatically acceptable. The presence of unaudited aspects does not automatically disqualify a service, but it introduces significant risk. The competent authority and the contracting authority will evaluate whether the unaudited aspects are critical to the assurance level. If they are, the service will likely not be recognized at the required level. The explanation is not a "get out of jail free" card; it is a transparency mechanism that allows authorities to make an informed risk decision.
Related
- CADA Auditor Independence: What Non-Audit Services Disqualify an Auditor?
- CADA Audit Reports: What Declaration of Interests is Required?
- CADA Audit Reports: Documenting Third-Party Consultations
- Can a CADA auditor revoke its audit opinion? Article 20 explained
- Who pays for the CADA audit? Provider costs explained
This is general information about a draft EU regulation, not legal advice.