Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider (CSP) must self-report, as soon as it becomes aware of it, any material change that affects its compliance with Union assurance level criteria. This triggers a mandatory two-step reassessment: first by the auditing organisation, which may amend or revoke its audit opinion, and second by the national competent authority (NCA) of establishment, which may amend or revoke the official recognition. If the recognition is downgraded or withdrawn, the outcome is reflected in the central repository, directly affecting the service's eligibility for public procurement and its market standing.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic sovereignty framework where Union assurance levels are not static certifications but continuous statuses contingent on ongoing compliance. The integrity of this framework relies heavily on the transparency obligations set out in Article 23. This article ensures that the central repository of recognised services reflects the real-time status of cloud providers, preventing public sector bodies from procuring services that no longer meet the required sovereignty criteria.

The Obligation to Self-Report

Article 23(1) imposes a strict duty on recognised cloud computing service providers. As soon as a provider becomes aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17," it must notify both the auditing organisation and the national competent authority of establishment.

The term "material change" is broad and critical. It encompasses any shift that could undermine the cumulative criteria for a specific Union assurance level (1 through 4) as defined in Annex II. Examples include:

  • A change in corporate control where a third-country entity acquires a majority stake, potentially violating the "no third-country control" criteria for Levels 3 and 4.
  • The relocation of data storage or operational support outside the Union, breaching data localisation or support location requirements.
  • The degradation of cybersecurity measures below the required "substantial" or "high" assurance levels.
  • Changes in personnel composition that fail to meet Union citizenship requirements for higher tiers.

Failure to report such changes is not merely an administrative oversight; it is a breach of the transparency obligations that underpin the entire sovereignty framework.

The Two-Step Reassessment Process

Once a self-report is submitted, Article 23(2) and Article 23(3) outline a rigorous, sequential reassessment mechanism designed to ensure that recognition status remains accurate.

1. Auditor Reassessment (Article 23(2))

The first line of defence is the independent auditing organisation. Upon receiving the notification, the auditor must assess whether the existing audit report or the "positive" audit opinion remains valid.

  • The Assessment: The auditor evaluates the material change against the specific criteria of the current Union assurance level. If the change means the provider no longer meets the cumulative criteria (e.g., losing the "substantial" cybersecurity certification required for Level 3), the auditor must act.
  • The Outcome: The auditor may amend the audit report and opinion to reflect a lower assurance level, or revoke the opinion entirely if the service no longer qualifies for any level.
  • Notification: Crucially, if the auditor amends or revokes the opinion, it must notify the national competent authority of establishment "as soon as possible." This notification is the trigger for the second step.

2. NCA Reassessment (Article 23(3))

The national competent authority (NCA) of establishment holds the final authority on recognition. Upon receiving the notification from the CSP (under Article 23(1)) and/or the updated opinion from the auditor (under Article 23(2)), the NCA must assess whether its recognition of the cloud computing service needs to be amended or revoked.

  • The Assessment: The NCA reviews the evidence provided by the CSP and the auditor's findings. It determines if the service still satisfies the criteria for the recognised Union assurance level.
  • The Outcome: If the NCA concludes that the service no longer qualifies, it must amend its recognition decision (e.g., downgrading from Level 3 to Level 2) or revoke the recognition entirely.
  • Notification: Under Article 23(3), if the NCA amends or revokes the recognition, it is obligated to notify the national competent authorities of all other Member States and the Commission "as soon as possible." This ensures that the change is known across the Union, preventing a provider from being recognised in one Member State while downgraded in another.

Publication in the Central Repository

The transparency of the CADA framework is cemented by the central repository established under Article 22. This public database lists all cloud computing services recognised as offering Union assurance levels 1 to 4.

When an NCA amends or revokes a recognition under Article 23(3), the change must be reflected in the central repository. Article 22(3) explicitly states that the revocation of a recognition "shall be published in the central repository and shall remain available there for five years." Article 22(3) mentions only revocation; however, the logic of the framework and the requirement for the repository to be "regularly updated" imply that amendments (downgrades) are also published so that the public record stays accurate.

This publication has immediate commercial consequences. Contracting authorities and public sector bodies rely on the repository to verify that a provider meets the minimum assurance level required for their specific risk assessment (as mandated by Article 30). A downgrade in the repository effectively removes the service's eligibility for contracts requiring the higher tier, forcing public bodies to migrate to compliant alternatives.

Distinction Between Self-Reporting and Non-Reporting

It is vital to distinguish between a provider that self-reports a material change and one that fails to do so.

  • Self-Reporting: Initiates a controlled, procedural reassessment. While the outcome may be a lower tier, the provider demonstrates compliance with transparency obligations. This allows for a managed transition and preserves the provider's reputation as a compliant entity.
  • Non-Reporting: Constitutes a separate infringement of the Regulation. Under Article 24, Member States must lay down penalties for infringements that are "effective, proportionate and dissuasive." A failure to report a material change could lead to significant fines and a forced revocation of recognition by the NCA, often accompanied by more severe reputational damage and potential liability for damages under Article 24(3).

Interaction with Assurance Level Criteria

The reassessment is strictly tied to the criteria in Annex II. For example:

  • Level 3 vs. Level 4: If a Level 4 provider loses its "high" cybersecurity certification, it may be downgraded to Level 3 (if it still holds "substantial" certification) or lower.
  • Third-Country Control: If a Level 3 provider is subject to third-country control without a Commission implementing act under Article 18, it fails the criteria for Level 3 and must be downgraded.
  • Data Localisation: If a provider moves data outside the Union without explicit public sector body approval, it violates the criteria for Levels 1, 2, 3, and 4, potentially leading to a complete loss of recognition.

The process ensures that the "sovereignty" label is not just a marketing term but a legally binding status that reflects the actual operational reality of the provider.

What this means for you

For cloud service providers (CSPs) operating in the EU, the self-reporting obligation under Article 23 is a critical component of your compliance and risk management strategy. It is not merely a bureaucratic hurdle but a mechanism to maintain market access and trust.

1. Immediate Operational Response

When a material change occurs, speed is essential. Delay in notification can be interpreted as a failure to comply with transparency obligations, potentially aggravating penalties.

  • Identify the Change: Conduct an internal assessment to determine if the change is "material" under Article 23(1). If in doubt, report it.
  • Notify Immediately: Submit the notification to both your auditing organisation and your NCA of establishment.
  • Document Everything: Prepare a comprehensive dossier explaining the nature of the change, its impact on your infrastructure, and your assessment of how it affects your alignment with Annex II criteria.

2. Managing Public Sector Contracts

A downgrade in your sovereignty tier has direct commercial implications. Under Article 30, contracting authorities are legally bound to procure services that meet the assurance level determined by their risk assessment.

  • Eligibility Loss: If you are downgraded from Level 3 to Level 2, you immediately lose eligibility for contracts requiring Level 3 (e.g., national security, justice, law enforcement).
  • Client Communication: Proactively inform existing public sector clients of the change. This allows them to initiate migration plans or contract renegotiations, ensuring business continuity for them while you manage the transition.
  • Repository Monitoring: Be aware that your status change will be visible to all potential clients via the central repository.

3. Strategic Mitigation and Remediation

Self-reporting does not necessarily mean the end of your sovereign status; it may simply mean a tier adjustment.

  • Remediation Plans: If the change is temporary or remediable, include a remediation plan in your notification. For instance, if a third-country acquisition triggered a control issue, demonstrate immediate legal and technical separation measures (as required by Annex II) to show that you are actively addressing the non-compliance.
  • Re-application: If you are downgraded, you retain the right to re-apply for a higher tier once the issue is resolved. This requires a new audit and recognition process, but the previous downgrade does not permanently bar you from achieving a higher assurance level.

4. Audit Preparedness

Your relationship with your auditing organisation is pivotal. The NCA's decision to amend or revoke recognition is heavily dependent on the auditor's opinion.

  • Collaboration: Maintain open lines of communication with your auditor. Ensure they understand the materiality of the change and are prepared to conduct the reassessment efficiently.
  • Evidence: Provide the auditor with all necessary evidence to support your assessment. If the auditor revokes the "positive" opinion, the NCA has little room to do anything other than amend or revoke the recognition.

Common misconceptions

Misconception 1: Self-reporting guarantees you will keep your current tier. Self-reporting triggers a reassessment, not an automatic renewal. If the material change fundamentally alters your compliance with the criteria for your current Union assurance level, the tier will be lowered or revoked. The process is objective and based on the criteria in Annex II, not on the act of reporting itself. Reporting is a duty; the outcome is determined by compliance.

Misconception 2: Only catastrophic failures require reporting. Article 23(1) requires reporting of any "material change in circumstances." This is broader than just security breaches or total service outages. Changes in corporate structure, shifts in data residency, updates to software supply chains that introduce third-country dependencies, or changes in personnel with access to critical systems can all be material. Providers often underestimate the breadth of this obligation.

Misconception 3: The NCA can downgrade a tier without auditor involvement. The two steps are interlinked. For Levels 2, 3 and 4, the NCA's recognition rests on the auditor's "positive" opinion. The NCA holds the final authority on recognition, but it relies on the auditor's assessment of compliance with the technical and operational criteria: the auditor first assesses the impact on the audit opinion under Article 23(2), and the NCA then assesses the impact on the recognition under Article 23(3). Because the provider must notify both at once under Article 23(1), the NCA may begin its review while the auditor is still working, but its decision depends on the auditor's finding.

Misconception 4: A downgrade is permanent. A downgrade is not necessarily irreversible. If the material change is remediated—for instance, if data is moved back to the Union or if control structures are adjusted to meet sovereignty criteria—the CSP can re-apply for recognition at a higher tier. This would require a new audit and recognition process, but the previous downgrade does not permanently bar the service from achieving a higher assurance level in the future.

Misconception 5: The change is only visible to the NCA. The outcome is public. Under Article 22(3), a revocation of recognition is published in the central repository and remains available there for five years, and a downgrade likewise appears there once the repository is updated to reflect the amended recognition; under Article 23(3) the NCA also informs the other Member States' NCAs and the Commission. Your downgrade is therefore visible to all contracting authorities, competitors and the public, affecting your market reputation and eligibility for public procurement.


This is general information about a draft EU regulation, not legal advice.