Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's recognition as offering a Union assurance level would be revoked if the competent authority finds that the provider intentionally or negligently supplied incorrect or misleading information. Crucially, this applies to both the formal recognition decision and the underlying audit opinion. Article 17(11) empowers the evaluating national competent authority to revoke recognition for such misrepresentations, while Article 20(7) grants auditing organisations the independent power to revoke their audit reports and opinions under the same conditions. These dual mechanisms ensure the integrity of the Union's cloud sovereignty framework by removing services that do not genuinely meet the required criteria.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework comprising four Union assurance levels. This framework relies on a "trust but verify" model where cloud computing service providers (CSPs) must demonstrate compliance with strict criteria regarding establishment, infrastructure location, personnel, and third-country control. The integrity of this system depends entirely on the accuracy of the evidence submitted by providers during the recognition process.
As proposed, CADA introduces strict, immediate consequences for providers who compromise this integrity by supplying false, incorrect, or misleading information. The regulation distinguishes between the administrative act of recognition (performed by the state) and the technical validation (performed by independent auditors), granting both actors the power to reverse their decisions upon discovering fraud or negligence.
Revocation by Competent Authorities: Article 17(11)
The primary administrative mechanism for addressing misinformation lies with the national competent authorities. Article 17 outlines the procedure for the recognition of cloud computing service providers. Once a provider is recognised, that status is not permanent; it is conditional upon ongoing compliance and the truthfulness of the initial application.
Specifically, Article 17(11) states:
"The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently supplied incorrect or misleading information."
This provision is broad in its scope and strict in its application:
- Intent vs. Negligence: The revocation trigger is not limited to deliberate fraud. The phrase "intentionally or negligently" means that a provider can lose its recognition status even if the error was a result of carelessness, poor internal controls, or a failure to verify facts, provided the information supplied was incorrect or misleading.
- Union-Wide Effect: The evaluating national competent authority is the authority in the Member State where the provider has its main establishment. Under the CADA framework, a recognition decision by this authority is valid across the entire Union. Therefore, a revocation under Article 17(11) effectively removes the provider's ability to offer services at that assurance level to any public sector body or Union entity across all Member States.
- Procedural Context: This revocation power sits within a broader supervisory regime. Under Article 25 and Article 26, competent authorities are granted investigative powers, including the power to require information, carry out inspections, and seize data. If an investigation reveals that the foundation of the recognition decision was flawed due to inaccurate information, the authority is empowered to withdraw that recognition immediately.
Revocation by Auditing Organisations: Article 20(7)
For Union assurance levels 2, 3, and 4, recognition is impossible without a "positive" audit opinion from an independent auditing organisation. These audits verify compliance with complex technical and organisational criteria set out in Annex II. CADA places significant responsibility on these auditors to maintain the integrity of the process, granting them the power to retract their validation if the evidence provided is found to be false.
Article 20(7) explicitly states:
"The auditing organisation may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence."
This provision acts as a critical parallel safeguard:
- Independence of Action: The auditor can revoke its opinion independently of the competent authority. If an auditor discovers that a provider falsified documentation, concealed conflicts of interest, or misrepresented the location of infrastructure, the auditor is not bound to wait for a state investigation. They can immediately withdraw the "positive" opinion.
- The Trigger: The standard mirrors that of the competent authority: "intentionally or negligently supplied incorrect or misleading audit evidence." This covers a wide range of scenarios, from forged certificates to the failure to disclose material subcontractors or the misrepresentation of data flows.
- The Consequence: An audit opinion is the prerequisite for recognition at levels 2, 3, and 4. If the auditor revokes the opinion, the legal basis for the competent authority's recognition decision collapses. Upon revocation, the auditing organisation must notify the national competent authority of establishment. This notification typically triggers a reassessment by the authority, leading to the formal revocation of the service's recognition under Article 17.
The Interplay of Revocation and Transparency
The CADA framework ensures that revocation is not an isolated event but part of a transparent, cascading notification system designed to protect public sector buyers.
Article 23 imposes ongoing transparency obligations on recognised providers. They must notify the auditing organisation and the national competent authority of any material change in circumstances that may affect the audit report or recognition. If a provider fails to report a change, or reports it inaccurately, this omission or misrepresentation can itself be construed as supplying misleading information, thereby triggering the revocation mechanisms in Articles 17(11) and 20(7).
The flow of information upon revocation is strict:
- Auditor Action: If an auditing organisation revokes an audit report under Article 20(7), it must notify the national competent authority of establishment.
- Authority Action: If a competent authority revokes a recognition under Article 17(11), it must notify the national competent authorities of other Member States and the Commission.
- Public Record: Under Article 22, the Commission maintains a central repository of recognised services. Any revocation of a recognition or an audit report must be published in this repository and remain available for five years. This ensures that public sector bodies and Union entities can immediately verify that a provider no longer holds the required assurance level.
Penalties and Compensation
Beyond the loss of recognition status, providers face significant legal and financial consequences. Article 24 outlines the penalties and compensation rules applicable to infringements of the sovereignty framework.
- National Penalties: Member States must lay down rules on penalties for infringements. These penalties must be "effective, proportionate and dissuasive." When determining the penalty, authorities must consider non-exhaustive criteria including the nature, gravity, scale, and duration of the infringement; any financial benefits gained; and the provider's annual turnover in the Union.
- Right to Compensation: Crucially, Article 24(3) grants recipients of the cloud computing services the right to seek compensation from the provider for any damage or loss suffered due to an infringement. For public sector bodies, this could include substantial costs associated with emergency migration to a new provider, service disruption, or the administrative burden of re-tendering.
What this means for you
For in-house counsel, compliance officers, and legal teams within cloud service providers, the consequences of supplying incorrect or misleading information under the proposed CADA are severe and multifaceted. The regulation treats the recognition process not as a bureaucratic formality, but as a high-stakes regulatory activity where accuracy is paramount.
1. Implement Robust Internal Verification Protocols: You cannot rely solely on automated systems or unverified third-party data when preparing applications for Union assurance levels. Establish a rigorous internal review process for all evidence submitted to auditing organisations and competent authorities. This includes verifying the legal status of the entity, the physical location of all infrastructure (including backups and disaster recovery sites), the citizenship and clearance status of personnel, and the full chain of subcontractors. Document every verification step taken to ensure the accuracy of information.
2. Treat "Negligence" as a Critical Risk: The inclusion of "negligently" in Article 17(11) and Article 20(7) is a major risk factor. A provider cannot claim ignorance as a defence if the information supplied was incorrect due to a lack of due diligence. Compliance teams must ensure that staff responsible for gathering evidence understand the legal implications of negligence. Regular training on data accuracy and the specific criteria of Annex II is essential.
3. Maintain Continuous Monitoring and Reporting: Recognition is not a one-time event. Article 23 requires prompt notification of material changes. Implement continuous monitoring systems to detect changes in your operational environment (e.g., changes in ownership, new subcontractors, infrastructure relocation) that might affect your assurance level status. If a change occurs, assess its impact immediately and report it accurately. Failure to report, or inaccurate reporting, can be treated as supplying misleading information, triggering revocation.
4. Prepare for Auditor Scrutiny: Auditing organisations have the power to revoke opinions under Article 20(7). Prepare your organisation for rigorous audits by maintaining clean, accessible, and accurate records. Ensure that your staff understands that the auditor has the right to access all relevant data and premises. Any attempt to hamper, unduly influence, or undermine the audit performance is a separate infringement that could lead to immediate revocation.
5. Assess Contractual and Financial Exposure: Understand that revocation of recognition can lead to significant financial liabilities. Article 24 allows service recipients to seek compensation. Review your contracts with public sector clients to understand the clauses related to service continuity, liability, and termination in the event of regulatory non-compliance. Ensure you have adequate insurance coverage for potential claims arising from regulatory infringements, as the loss of recognition could render existing contracts unperformable.
6. Proactive Disclosure Strategy: If you discover an error in previously submitted information, proactively notify the competent authority and the auditing organisation immediately. While this does not guarantee immunity from revocation if the information was materially misleading, demonstrating good faith and taking immediate corrective action may mitigate the severity of penalties under Article 24.
Common misconceptions
Misconception 1: Only intentional fraud leads to revocation. Many providers assume that as long as they did not deliberately lie, they are safe. However, Article 17(11) and Article 20(7) explicitly include "negligently" supplied incorrect or misleading information. A careless error, a failure to update records, or a lack of due diligence that materially affects the assessment can lead to revocation.
Misconception 2: Recognition is permanent once granted. Providers often view recognition as a static certification similar to a lifetime achievement award. In reality, it is dynamic and conditional. The competent authority and auditing organisations have ongoing powers to revoke recognition if new information reveals that the initial evidence was flawed or if the provider's status changes.
Misconception 3: Only the competent authority can revoke recognition. While the competent authority makes the final administrative decision on recognition, the auditing organisation plays a critical, independent role. Under Article 20(7), the auditor can revoke its opinion independently. This revocation effectively undermines the basis for the recognition, forcing the competent authority to reassess and likely revoke the status. The auditor acts as a gatekeeper that can close the door before the authority even acts.
Misconception 4: Minor errors are irrelevant. Not all errors are material, but the definition of "misleading" is broad. If an error affects the assessment of compliance with any criterion in Annex II (e.g., the location of a single server or the citizenship of a key administrator), it is likely to be considered material. Compliance officers should err on the side of caution and correct any inaccuracies promptly to avoid the "negligence" trap.
This is general information about a draft EU regulation, not legal advice.