Summary
Under the proposed Cloud and AI Development Act (CADA), an auditing organisation is defined in Article 2(17) as "an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit." This role would be central to the CADA sovereignty framework: providers seeking Union assurance levels 2, 3, or 4 would have to undergo independent third-party audits, at their own expense, to demonstrate compliance with the criteria in Annex II.
Detail
The CADA proposal (COM(2026) 502 final) would introduce a sovereignty framework for cloud computing services used by the EU public sector. A cornerstone of that framework is the requirement for independent verification of higher-assurance services. To support this, CADA would create a defined role for the auditing organisation.
The legal definition
The definition is set out in Article 2(17) of the proposal. An "auditing organisation" would mean:
"an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit"
The definition is deliberately broad. It would let a single firm, a joint venture, or a consortium act as the auditor, provided the cloud provider has contracted it to conduct the assessment. Crucially, it expressly includes subcontractors, so every entity involved in the audit would fall within the regulation's independence and competence requirements.
Role in the sovereignty framework
The auditing organisation would be pivotal to the recognition process for Union assurance levels 2, 3, and 4. Union assurance level 1 could be demonstrated through a conformity self-assessment by the provider, who issues an EU statement of conformity (Article 19). Levels 2 through 4 would require independent verification.
Under Article 20(1), providers seeking recognition for assurance levels 2, 3, or 4 would have to undergo independent third-party audits at their own expense, to obtain an audit report and an audit opinion from an auditing organisation. The auditing organisation would assess whether the provider and its service comply with the cumulative criteria in Annex II, on the basis of the audit evidence listed in Annex III (Article 21).
The audit would not be a one-time event. Article 20(8) would require the audited provider to submit the audit report and the associated 'positive' audit opinion annually for review, to the same or a different auditing organisation, which would assess continued compliance with the applicable Annex II criteria. On the basis of that annual review, the organisation may confirm, update, or revoke the initial report and opinion.
Independence and competence requirements
CADA would impose strict conditions on who can act as an auditing organisation. Article 20(4) sets out the core requirements. The audits would have to be performed by auditing organisations that:
- Independence: are independent from, and have no conflict of interest with, the provider concerned and any legal person connected to it — in particular:
- No recent or near-future non-audit services: have not provided non-audit services related to the matters audited to the provider or connected persons in the 12 months before the audit begins, and have committed not to provide such services in the 12 months after the audit completes;
- Rotation: have not provided auditing services under this Article to the same provider or connected persons in the 10 years before the audit begins;
- Fee structure: are not performing the audit in return for fees contingent on the result of the audit;
- Expertise: have proven expertise, technical competence, and capabilities in auditing cloud computing services;
- Ethics: have proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
The proposal's recitals add that where the independence or technical competence of an auditing organisation is not beyond doubt, it should abstain or resign from the audit engagement.
The audit report and opinion
The primary output would be the audit report and the audit opinion. Article 20(5) would require the report to be substantiated in writing and to include at least: the name, address and point of contact of the audited provider and the period covered; the name and address of the auditing organisation; a declaration of interests; a description of the aspects audited and the methodology applied; a description and summary of the main findings; a list of third parties consulted; and a 'positive' or 'negative' audit opinion.
A 'positive' opinion would indicate compliance with the applicable audit criteria for the relevant level under Annex II, and would specify the Union assurance level to be recognised under Article 17. A 'negative' opinion would have to include operational recommendations on measures to achieve compliance and the recommended timeframe. Where the organisation could not audit certain aspects or express an opinion, the report would have to explain why (Article 20(6)).
The auditing organisation may revoke its report and opinion where the provider, intentionally or negligently, supplied incorrect or misleading audit evidence (Article 20(7)).
Confidentiality and cooperation
Cooperation would run both ways. Under Article 20(2), audited providers would have to provide all necessary assistance — including access to relevant data and premises and answers to oral or written questions — and refrain from hampering, unduly influencing, or undermining the audit. Under Article 20(3), auditing organisations would have to ensure an adequate level of confidentiality and professional secrecy regarding information obtained, including after the audit ends — though this would not override reporting obligations to competent authorities (Article 23).
What this means for you
For cloud service providers and data centre operators aiming to serve the EU public sector, the auditing organisation's role would be a practical gatekeeper.
- Selection is strategic: You would be responsible for contracting the auditing organisation, and for ensuring it meets the independence and competence tests in Article 20(4). An auditor with a conflict of interest, or one that recently provided you with non-audit services, could disqualify the engagement.
- Cost and time: Audits for levels 2-4 would be at your own expense, and the annual review would be a recurring cost. Expect significant preparation, since you would need to give auditors access to infrastructure, data flows, and personnel records.
- Documentation: Be audit-ready against the Annex II criteria and the Annex III evidence list — including data localisation, software supply chain transparency, and absence of third-country control.
- Annual compliance: Recognition would not be a one-off certification. You would need to maintain it through the annual review; a negative opinion or revocation could mean losing your Union assurance status.
Common misconceptions
- Misconception: Auditing organisations are appointed by the EU or national authorities.
- Reality: Under CADA, the cloud computing service provider would contract the auditing organisation. The organisation would still have to meet the regulatory standards in Article 20(4), and the resulting report would be submitted to the national competent authority for the recognition decision under Article 17.
- Misconception: Any cybersecurity auditor can act as a CADA auditing organisation.
- Reality: Cybersecurity expertise is relevant, but CADA would require proven expertise in auditing cloud computing services, plus the strict independence rules (the 10-year rotation and the 12-month non-audit-service ban) that would disqualify many existing consulting relationships.
- Misconception: Assurance level 1 requires an external audit.
- Reality: Level 1 would rest on a conformity self-assessment by the provider (Article 19). Independent audits by an auditing organisation would be mandatory only for levels 2, 3, and 4 (Article 20).
Related
- How does CADA's auditing organisation definition allow consortia and subcontractors?
- Who can act as an auditing organisation under CADA?
- Why does CADA's frontier AI definition have no fixed compute threshold?
- What is software under CADA? Article 2 definition explained
- What is hardware under CADA? Definition and scope explained
This is general information about a draft EU regulation, not legal advice.