Summary
Under the proposed Cloud and AI Development Act (CADA), an independent auditing organisation issues a "positive" opinion only if all evidence confirms that a cloud computing service fully complies with the criteria for Union assurance levels 2, 3, or 4. This opinion must explicitly state the specific assurance level to be recognised. Conversely, a "negative" opinion is issued if the auditor concludes that the provider does not meet these criteria. Crucially, a negative opinion is not merely a rejection; as required by Article 20(5)(h), it must include specific operational recommendations on measures to achieve compliance and a recommended timeframe to implement them. These opinions serve as the mandatory foundation for a service's formal recognition across the EU.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services intended for use by Union entities and public sector bodies. To access the higher tiers of this framework (specifically Union assurance levels 2, 3, and 4), providers cannot rely on self-declaration. Instead, they must undergo independent third-party audits. The outcome of this process is formalised in an audit report, which culminates in a legally binding audit opinion.
As detailed in Article 20, this opinion is the critical gatekeeper for market access to sovereign cloud contracts. It transforms technical and legal compliance into a binary, yet actionable, status that determines whether a service can be entered into the central repository of recognised services.
The Audit Opinion Mechanism
Article 20(1) mandates that cloud computing service providers seeking recognition for assurance levels 2, 3, or 4 must undergo independent audits at their own expense. The auditing organisation, which must be independent of the provider and possess specific technical competencies, prepares a substantiated audit report. This report serves as the factual basis for the final opinion.
The audit opinion is not a generic pass/fail statement; it is a precise regulatory declaration. Article 20(5) outlines the mandatory content of the audit report, ensuring that the opinion is transparent, actionable, and directly tied to the cumulative criteria set out in Annex II. The regulation distinguishes sharply between a positive outcome, which enables market access, and a negative outcome, which triggers a structured remediation path.
Positive Audit Opinion: The Gateway to Recognition
A "positive" audit opinion is the prerequisite for any provider seeking to sell sovereign cloud services to the EU public sector at levels 2, 3, or 4. According to Article 20(5)(g), the opinion must explicitly state whether the audited service complies with the applicable audit criteria for the specific Union assurance level (2, 3, or 4).
When an auditor issues a positive opinion, it signifies that all evidence collected during the audit demonstrates full compliance with the stringent criteria. These criteria, detailed in Annex II, cover critical areas such as:
- Establishment and Location: Ensuring the provider, infrastructure, assets, and personnel are established and located within the Union.
- Data Localisation: Confirming that customer data, including metadata and telemetry, remains exclusively within the Union.
- Cybersecurity Certification: Obtaining a European cybersecurity certificate of at least 'substantial' assurance (for levels 2 and 3) or 'high' assurance (for level 4).
- Third-Country Control: Demonstrating that the provider is not subject to the control of a third country or legal entity established in a third country, or that specific derogations under Article 18 apply.
Crucially, Article 20(5)(i) specifies that a positive opinion must identify the specific Union assurance level that needs to be recognised. This means the opinion is not generic; it certifies the service for a precise tier of sovereignty. For example, a provider might receive a positive opinion for Union assurance level 2, which allows them to serve a broader range of public sector clients than a level 1 provider, but restricts them from handling the most sensitive data reserved for level 4 services.
Upon receiving a positive opinion, the provider submits the audit report and opinion to the national competent authority of their establishment. If the authority accepts the evidence, the service is recognised across the entire Union, granting the provider access to the central repository established under Article 22 and eligibility for public procurement mandates under Article 30.
Negative Audit Opinion: A Roadmap for Remediation
A "negative" audit opinion is issued when the auditing organisation concludes that the provider does not comply with the criteria set out in the regulation. This is a significant finding, as it blocks the provider from achieving recognition for the targeted assurance level.
However, CADA does not leave providers in a dead end. Article 20(5)(h) mandates that a negative opinion must include more than just a rejection. It must provide:
- Operational Recommendations: Specific measures the provider must take to achieve compliance.
- Recommended Timeframe: A defined period within which these measures should be implemented to achieve compliance.
This requirement transforms the negative opinion from a mere penalty into a remediation roadmap. It ensures that providers understand exactly where their gaps lie, whether in data localisation, software supply chain transparency, or personnel citizenship requirements, and what steps are necessary to close those gaps. The auditor's expertise is thus leveraged to guide the provider toward future compliance.
If a provider fails to meet the requirements, they cannot obtain the recognition required by Article 17. Without this recognition, they cannot legally offer their services to public sector bodies that are required by Article 30 to procure only from recognised providers.
Partial Opinions and Explanations
The regulation also accounts for scenarios where an auditor cannot reach a definitive conclusion on specific aspects of the audit. Article 20(6) clarifies that where the audit opinion cannot reach a conclusion on specific aspects that fall within the scope of the audit, the report must include an explanation of the reasons why this was not possible.
This might occur if a provider denies access to certain premises or data, or if technical limitations prevent a full assessment. In such cases, the lack of a conclusive opinion effectively prevents a positive recognition, as the burden of proof remains on the provider to demonstrate full compliance. The regulation ensures that ambiguity is documented and explained, preventing "silent" failures.
Annual Reviews and Revocation
The audit process is not a one-time event. Article 20(8) requires audited providers to annually submit the audit report and the associated positive opinion to an auditing organisation for review. Based on this annual review, the auditing organisation may confirm, update, or revoke the initial audit report and opinion.
Furthermore, Article 20(7) empowers the auditing organisation to revoke its audit report and opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence. This ensures that the integrity of the sovereignty framework is maintained over time.
What this means for you
For cloud service providers and data centre operators, understanding the distinction between positive and negative opinions is vital for business strategy and compliance planning.
For Providers Targeting Assurance Levels 2 to 4:
- Pre-Audit Readiness: Do not wait for the audit to discover gaps. Use the criteria in Annex II as a checklist. If you anticipate a negative opinion, you will be stuck without a market until you remediate and re-audit.
- Remediation Planning: If you receive a negative opinion, leverage the mandatory operational recommendations and timeframe provided by the auditor under Article 20(5)(h). This is your official roadmap to compliance. Document your progress against these recommendations meticulously, as this evidence will be crucial for your next audit cycle.
- Cost Management: Audits are performed at the provider's expense (Article 20(1)). A negative opinion represents a sunk cost. Investing in internal compliance checks before engaging the external auditor can save significant resources.
For Public Sector Buyers:
- Due Diligence: You are legally required to procure only from services with a positive opinion and subsequent recognition (Article 30). Always verify the status of a provider in the central repository established under Article 22.
- Risk Mitigation: A positive opinion is not a one-time event. Providers must undergo annual reviews (Article 20(8)). Ensure your contracts with cloud providers include clauses that allow for termination if their positive opinion is revoked or if they receive a negative opinion in a subsequent review.
Common misconceptions
Misconception 1: A negative opinion is permanent.
- Reality: A negative opinion is specific to the audit instance. Providers can implement the recommended measures and undergo a new audit. The regulation encourages remediation by requiring specific recommendations and timeframes in negative reports.
Misconception 2: You can choose which parts of the audit to fail.
- Reality: The criteria are cumulative. As stated in Article 20(1), a provider seeking a higher assurance level must satisfy all applicable cumulative criteria under Annex II for the lower levels as well. Failure to meet any requirement of a lower assurance level precludes conformity with higher levels. You cannot have a positive opinion for level 3 if you fail level 2 criteria.
Misconception 3: The auditor gives legal advice.
- Reality: The auditor provides an opinion based on evidence against technical and legal criteria. They do not interpret the law for you. If there is ambiguity in how a criterion applies to your specific architecture, you should seek legal counsel. The auditor's role is to verify compliance, not to design your compliance strategy.
Misconception 4: A positive opinion guarantees no future issues.
- Reality: A positive opinion is a snapshot in time. Article 20(8) requires annual reviews. If your infrastructure changes, or if new third-country laws emerge, your status can change. Providers must notify authorities of material changes (Article 23), which can trigger a reassessment and potentially a new negative opinion.
This is general information about a draft EU regulation, not legal advice.