Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's Union assurance recognition is dynamic, not static. If a provider becomes aware of any material change in circumstances that could affect their compliance, Article 23(1) mandates immediate notification to both the auditing organisation and the national competent authority (NCA) of establishment. This triggers a two-step assessment: the auditor reviews the audit report, and the NCA assesses the recognition itself. If the NCA amends or revokes the recognition under Article 23(3), it must immediately notify the NCAs of all other Member States and the European Commission. Crucially, under Article 22(3), any revocation of a recognition or audit opinion must be published in the central repository and remain publicly available for five years, ensuring long-term market transparency.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework for the Union cloud computing sovereignty framework, designed to ensure that the "trust" granted to cloud providers is continuously validated. A core pillar of this framework is the obligation of transparency and the mechanism for handling changes in a provider's status. Article 23 serves as the procedural engine for this dynamic maintenance, ensuring that the central repository maintained by the Commission reflects the current reality of a provider's compliance.

The Trigger: Material Changes in Circumstances

The process is initiated not by a scheduled audit, but by the provider's own awareness of a shift in their operational or legal reality. Article 23(1) imposes a strict duty on recognised cloud computing service providers. Upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17," the provider must act immediately.

The regulation requires the provider to notify two distinct entities "as soon as possible":

  1. The auditing organisation that issued the original audit report and opinion.
  2. The national competent authority (NCA) of establishment.

The term "material change" is broad and encompasses any factual alteration that could undermine the criteria for the specific Union assurance level (Levels 1 through 4) under which the service was recognised. This could include, but is not limited to:

  • A change in the legal control of the provider (e.g., acquisition by a third-country entity).
  • The relocation of infrastructure, assets, or personnel outside the Union.
  • The loss or expiration of a required cybersecurity certification (such as the European cybersecurity certificate referenced in Annex II).
  • Changes in subcontractor arrangements that affect the provision of the service.
  • The discovery of a vulnerability or security incident that impacts the service's compliance with state-of-the-art standards.

Failure to identify and report such changes promptly constitutes a breach of the transparency obligations set out in Title IV, Chapter I of the proposal.

The Assessment Chain: A Two-Step Process

Once the notification is lodged, CADA establishes a cascading assessment process to determine the regulatory outcome. This ensures that both the technical audit findings and the administrative recognition are reviewed independently but in coordination.

Step 1: The Auditing Organisation's Review

Pursuant to Article 23(2), the auditing organisation receives the notification from the provider and must assess whether the existing audit report or the associated 'positive' audit opinion requires amendment or revocation. The auditor is tasked with determining if the material change impacts the provider's compliance with the audit criteria set out in Annex II.

If the auditing organisation concludes that the change is material and affects compliance, it must amend or revoke the audit report and/or the audit opinion. Crucially, the regulation mandates that the auditing organisation must then notify the NCA of establishment "as soon as possible" of this decision. This ensures the regulator is immediately informed of the auditor's technical conclusion.

Step 2: The National Competent Authority's Decision

The NCA of establishment then conducts its own independent assessment. This assessment is triggered either by the provider's direct notification or by the subsequent notification from the auditing organisation.

Under Article 23(3), the NCA assesses whether its recognition of the cloud computing service needs to be amended or revoked. The NCA evaluates the facts against the criteria for Union assurance levels and the specific conditions of the recognition granted under Article 17.

If the NCA determines that the recognition must be amended (e.g., downgrading from Level 4 to Level 3) or revoked entirely, Article 23(3) imposes a strict notification chain to ensure Union-wide consistency. The NCA of establishment must notify:

  • The national competent authorities of all other Member States.
  • The European Commission.

This notification must also occur "as soon as possible." The purpose of this rapid dissemination is to prevent public sector bodies and Union entities in other Member States from continuing to procure or use a service that no longer meets the required assurance level, thereby safeguarding public order and data sovereignty across the single market.

Public Transparency and the Central Repository

CADA places a high premium on market transparency to prevent information asymmetry between providers and public procurers. Article 22 establishes a central repository maintained by the Commission, which serves as the single source of truth for all recognised cloud computing services.

The visibility of a revocation is a critical component of this transparency. Article 22(3) explicitly stipulates that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This five-year retention period is a deliberate policy choice. It ensures that:

  1. Historical Accountability: Past non-compliance or revocations cannot be easily obscured by a provider after a short period.
  2. Informed Procurement: Contracting authorities, when evaluating tenders or reviewing existing contracts, have access to the full history of a provider's compliance status.
  3. Market Deterrence: The long-term visibility of a revocation acts as a deterrent against negligence or intentional concealment of material changes.

The repository is publicly available and regularly updated by the Commission and the NCAs, ensuring that any stakeholder can verify the current and historical status of a service.

Interaction with Penalties and Compensation

While Article 23 outlines the procedural obligations for notification and assessment, the consequences of non-compliance are severe. Article 24 establishes the penalty framework for infringements of Chapter IV (Autonomy), which includes the transparency obligations of Article 23.

Member States are required to lay down rules on penalties that are "effective, proportionate and dissuasive." These penalties apply to infringements by cloud computing service providers. Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under this Chapter.

This creates a dual risk for providers who fail to notify material changes:

  1. Administrative Penalties: Fines imposed by the NCA under national law implementing Article 24.
  2. Civil Liability: Compensation claims from public sector bodies or other recipients if the failure to notify leads to service disruption, data breaches, or the procurement of non-compliant services.

What this means for you

For in-house counsel, compliance officers, and risk managers at cloud computing service providers, Article 23 imposes a continuous duty of vigilance that extends far beyond the periodic audit cycle. Obtaining a Union assurance recognition is not a one-time event; it is a dynamic status that requires active maintenance.

1. Establish Robust Internal Monitoring Protocols

Your organisation must implement mechanisms to detect "material changes in circumstances" in real time. This requires cross-functional monitoring involving legal, IT, and corporate governance teams. You must be able to identify immediately if:

  • There is a change in the ultimate beneficial ownership or control of the entity.
  • Infrastructure or key personnel are relocated outside the Union.
  • A critical subcontractor changes its status or location.
  • A cybersecurity certification is at risk of expiration or has been withdrawn.

2. Define "As Soon As Possible" in Your SLAs

The regulation uses the phrase "as soon as possible" for notifications. In the context of CADA, where the preservation of public order and strategic autonomy is paramount, this should be interpreted strictly. Delays in notification could be construed as negligence or an attempt to conceal non-compliance. Establish internal Service Level Agreements (SLAs) that mandate the immediate escalation of any potential material change to the legal and compliance teams, with a target for external notification within 24 to 48 hours of discovery.

3. Prepare for the Notification Cascade

Understand that your notification is the trigger for a Union-wide cascade. If you notify your auditor, they notify the NCA. If the NCA revokes your status, they notify every other Member State and the Commission. Your crisis communication plan must account for this rapid dissemination. A revocation will be instantly visible to potential clients across the EU, potentially triggering immediate contract termination clauses with public sector bodies that are mandated to procure only from recognised providers under specific assurance levels (as per Article 30).

4. Manage the Five-Year Visibility Risk

Be acutely aware that any revocation will remain in the public central repository for five years. This is not a temporary blemish; it is a long-term record. This impacts future business development, tender eligibility, and reputation. If a revocation occurs, you must have a clear remediation strategy and a timeline for re-application to mitigate the long-term reputational damage.

5. Meticulous Record Keeping

Maintain detailed records of all notifications sent, auditor responses, and NCA communications. These documents are your primary evidence of good faith and prompt action. In the event of a penalty assessment under Article 24, demonstrating that you acted immediately upon discovering a change could serve as a mitigating factor.

Common misconceptions

Misconception 1: Only the NCA decides on revocation. Correction: The process is collaborative and sequential. The auditing organisation must first assess whether the audit report or opinion needs amendment or revocation based on the provider's notification (Article 23(2)). The NCA then assesses the recognition itself (Article 23(3)). Both entities play a critical role, and the provider is obligated to notify both.

Misconception 2: Revocations are removed from the public record after a short time. Correction: No. Article 22(3) explicitly states that revocations remain published in the central repository for five years. This is a deliberate design choice to ensure long-term market transparency and to prevent providers from "resetting" their reputation quickly after a compliance failure.

Misconception 3: "Material change" only refers to technical infrastructure. Correction: The term "material change in circumstances" is broad. It encompasses any change that may affect the audit report, audit opinion, or recognition. This includes legal, corporate, and organisational changes, such as changes in control by a third-country entity, changes in subcontractor arrangements, or the loss of certifications, not just the physical relocation of servers.

Misconception 4: The provider can wait for the next annual review to report changes. Correction: Article 23(1) requires notification "as soon as possible" upon becoming aware of the change. Waiting for the next annual review or audit cycle is a direct violation of this transparency obligation and exposes the provider to significant penalties and civil liability.

This is general information about a draft EU regulation, not legal advice.