Summary

Under the proposed Cloud and AI Development Act (CADA), an "audited service" would be, per Article 2(18), "a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion." As proposed, the definition pinpoints the exact service offering under review against the Union's sovereignty criteria — distinct from the provider's wider portfolio and from the provider entity itself. It is the specific service that, on a positive audit opinion, would qualify for recognition at Union assurance levels 2, 3 or 4.

Detail

CADA, COM(2026) 502 final, is a proposal — not yet in force. It would establish a Union cloud computing sovereignty framework consisting of four assurance levels (Article 16). For the higher levels, recognition would depend on an independent third-party audit, and the precise subject of that audit is the "audited service."

The legal definition (Article 2(18))

As proposed, Article 2(18) provides that an "audited service" means:

"a cloud computing service being audited for the purpose of receiving an audit report and an audit opinion."

This is an original definition created for the CADA framework. Its function is to distinguish the specific service offering under review from the provider's broader portfolio and from the provider entity itself.

Why the definition matters

As proposed, the audited service is the anchor for the sovereignty assessment at Union assurance levels 2, 3 and 4. Union assurance level 1 would rest on a conformity self-assessment and an EU statement of conformity (Article 19); levels 2, 3 and 4 would require an independent third-party audit (Article 20).

A provider seeking a higher level would submit an application for recognition to the national competent authority of establishment (Article 17). That application would draw on the audit report and the "positive" audit opinion issued by an auditing organisation. The audited service is the subject of that report — the service whose compliance with the cumulative criteria in Annex II is being verified.

The scope of the audit

The definition implies a concrete examination of an operational service, not just a review of policies. Using the audit evidence listed in Annex III, the auditing organisation assesses whether the audited service meets the cumulative criteria for the assurance level claimed (Article 21(1)). Those criteria, set out in Annex II, span sovereignty and security factors such as:

  • Establishment and location: that the provider (and relevant subcontractors) is established in the Union and that infrastructure, assets and personnel are located in the Union.
  • Data localisation: that customer data, including metadata and telemetry, remains within the Union unless otherwise required by the public sector body.
  • Absence of third-country control: whether the provider is subject to the control of a third country and, if so, what safeguards apply.
  • Software supply chain: transparency of the software supply chain, including a software bill of materials (SBOM) and controls against remote tampering.

(The depth of analysis would vary by assurance level.) The audited service is the entity against which these criteria are measured.

The role of the auditing organisation

The audit is performed by an "auditing organisation," defined in Article 2(17) as an individual organisation, a consortium or other combination of organisations (including any subcontractors) that the audited provider has contracted to perform an independent audit. As proposed, the organisation must be independent and free of conflicts of interest, have proven expertise and adhere to professional ethics (Article 20(4)). It prepares the audit report (Article 20(5)) and issues a "positive" or "negative" audit opinion on the audited service.

Recognition and the central repository

Once an audited service receives a positive opinion, the provider submits the application to the national competent authority of establishment (Article 17). If recognition is granted, the authority registers the service in a publicly available central repository that the Commission establishes and maintains (Article 22). The entry refers to the specific audited service that passed scrutiny, allowing public sector bodies to procure it with confidence in its assurance level.

Transparency and material changes

The status of an audited service would not be static. Under the transparency obligations in Article 23, on becoming aware of any material change in circumstances that may affect the audit report, the positive opinion or the recognition, the provider must notify the auditing organisation and the national competent authority of establishment as soon as possible. The auditing organisation then assesses whether the report or opinion must be amended or revoked. In addition, under Article 20(8), the report and positive opinion would be submitted annually for review of continued compliance.

What this means for you

For cloud service providers, understanding the "audited service" concept would be central to compliance and market access under the proposed CADA:

  1. Define your audit scope precisely. You would not audit "your company"; you would define specific cloud computing services as the audited service. That requires clear documentation of what the service includes — infrastructure, personnel and data flows. The audit focuses strictly on that scope.
  2. Prepare for rigorous scrutiny. The audit examines your service against the Annex II criteria. Ensure your processes for data localisation, personnel arrangements, software supply-chain transparency and third-country-control separation are robust and documented.
  3. Engage a qualified auditing organisation. Choose one meeting the independence, expertise and ethics requirements of Article 20(4). Its report and opinion are the key to recognition.
  4. Maintain ongoing compliance. The audit is not a one-off. Under Article 20(8) the positive opinion is reviewed annually, and under Article 23 you must notify material changes. Failing to do so could lead to amendment or revocation of the opinion and the recognition.
  5. Leverage recognition for public-sector contracts. Once your audited service is recognised at level 2, 3 or 4, you could compete for public-sector contracts requiring those assurance levels — a meaningful advantage in the EU market.

Common misconceptions

  • "Audited service" means the whole provider is audited.
    • Reality: as proposed, the term is specific to the cloud computing service being audited (Article 2(18)). A provider may offer several services, and only some may be audited for particular assurance levels.
  • Self-assessment applies to all levels.
    • Reality: only Union assurance level 1 would use a conformity self-assessment and EU statement of conformity (Article 19). Levels 2, 3 and 4 would require an independent audit (Article 20).
  • An audit opinion is permanent.
    • Reality: the positive opinion would be reviewed annually (Article 20(8)) and must be revisited if material changes occur (Article 23). Recognition can be revoked if compliance is no longer met.
  • Any auditor can perform the audit.
    • Reality: the auditing organisation must meet the independence, expertise and ethics requirements of Article 20(4), including avoiding conflicts of interest.

This is general information about a draft EU regulation, not legal advice.