Summary

Annex III of the proposed Cloud and AI Development Act (CADA) defines the specific audit evidence that independent auditing organisations must request from cloud computing service providers to verify compliance with the Union assurance levels. As established in Article 21(1), auditors must assess whether a provider meets the sovereignty criteria in Annex II by examining the evidence listed in Annex III. This evidence covers critical areas such as Union establishment, data localisation, personnel citizenship, and the absence of third-country control. The Commission holds the power to amend Annex III via delegated acts to ensure the evidence requirements remain current with technological developments.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty in the European Union. This framework is built upon four "Union assurance levels" (Level 1 to Level 4). While Level 1 relies on a conformity self-assessment by the provider, Levels 2, 3, and 4 require a rigorous independent third-party audit. To ensure these audits are consistent, legally robust, and technically sound, CADA deliberately separates the criteria for sovereignty (detailed in Annex II) from the evidence required to prove compliance (detailed in Annex III).

The Legal Link: Article 21 and the Audit Procedure

The operational heart of the audit process is Article 21, titled "Content and quality of audit evidence." This article creates the mandatory bridge between the abstract requirements of Annex II and the concrete proof required in Annex III.

Article 21(1) explicitly states: "To prepare the audit report and audit opinion, the auditing organisation shall assess the compliance of the audited service with the criteria set out in Annex II on the basis of the audit evidence listed in Annex III."

This provision imposes a strict evidentiary burden on auditors. They cannot rely solely on a provider's assertions or general documentation. Instead, they must systematically gather and verify the specific types of evidence enumerated in Annex III to form a valid audit opinion. If the evidence listed in Annex III is insufficient to demonstrate compliance with a specific criterion in Annex II, the auditor cannot issue a "positive" opinion.

Furthermore, Article 21(1) grants the European Commission the power to adopt delegated acts to amend Annex III. The text empowers the Commission "to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II." This mechanism ensures that the evidentiary requirements can evolve alongside new cloud architectures, emerging security threats, and technological advancements without requiring a full legislative revision of the Regulation.

Structure and Content of Annex III

Annex III, titled "Audit Evidence for the Audit Procedure," is structured around specific "Audit Criteria" that map directly to the criteria in Annex II. The Annex is described as "indicative," meaning it does not limit the evidence that may be requested; auditors may seek any additional information necessary to ensure a comprehensive assessment.

The primary categories of evidence auditors must assess include:

1. Union Establishment (Audit Criterion A)

To verify that a provider is genuinely established in the Union and not merely using a shell entity, auditors must request:

  • Legal Incorporation: Evidence such as national company extracts, tax residency documentation, business licences, and VAT registration.
  • Verification of Presence: Checks against the Business Registers Interconnected System (BRIS) and the VAT Information Exchange System (VIES).
  • Physical and Operational Presence: Lease contracts, utility bills, or property documents proving EU physical offices; employment contracts and payroll records confirming permanent staff located in the Union.
  • Financial Autonomy: Evidence that banking and accounting functions are exclusively exercised within the Union.

2. Location of Infrastructure, Assets, and Personnel (Audit Criterion B)

For assurance Levels 2, 3, and 4, infrastructure, assets, and personnel must be located in the Union. Auditors require:

  • Infrastructure Mapping: A detailed list with precise locations (street, city, postal code, country) of all infrastructure, including primary, backup, disaster recovery, and log storage sites.
  • Network Architecture: Diagrams illustrating the exclusive use of Union-based infrastructure for data storage and processing.
  • Asset Registers: Purchase invoices, delivery notes, and licence agreements proving that servers and operational assets are physically located in the Union.
  • Personnel Location: Organisational charts and payroll records confirming that personnel involved in the provision of the service are located in the Union.

3. Data Localisation (Audit Criterion C)

Auditors must confirm that customer data remains exclusively within the Union. Evidence includes:

  • Access Controls: Access logs, support access policies, and privileged access records demonstrating that third parties cannot access data without prior authorisation.
  • Data Flow Diagrams: Visual representations clearly identifying the source and destination of data, proving that data does not leave the Union.
  • Contractual Safeguards: Data processing agreements and contracts with subcontractors demonstrating compliance with the GDPR and other Union data protection laws.
  • Monitoring Records: Logs demonstrating that all data is stored and processed exclusively within the Union.

4. Union Citizenship and Security Clearance (Audit Criterion D)

For higher assurance levels, personnel must be Union citizens, and where appropriate, hold national security clearances. Auditors check:

  • Identity Verification: Valid government-issued documents (e.g., passports, national identity cards) for key personnel.
  • Access Control Policies: Audit trails showing that only authorised Union citizens can access the service's systems and data.
  • Procedural Documentation: Procedures describing how citizenship is verified before assignment and how compliance is maintained throughout employment.

5. Cybersecurity Certification (Audit Criterion E)

Providers must hold relevant cybersecurity certifications. Auditors review:

  • Valid Certificates: A valid European cybersecurity certificate issued by a competent conformity assessment body demonstrating compliance with 'basic', 'substantial', or 'high' assurance levels under Regulation (EU) 2019/881.
  • Interim Measures: Until a Union scheme is established, evidence of valid national cybersecurity certifications or adherence to the highest market standards.

6. Absence of Third-Country Control (Audit Criterion G)

This is a critical sovereignty check. Auditors must analyse the provider's ownership and control structure to ensure no third country exerts control. Evidence includes:

  • Ownership Structure: Cap tables, shareholder registers, and graphs describing ownership layers up to the ultimate owners.
  • Governance Rules: Articles of association, bylaws, and minutes showing decision-making procedures, voting rights, and veto powers.
  • Commercial and Financial Links: Evidence of long-term supply agreements or financial dependencies that could confer control to a third-country entity.
  • Derogation for Level 3: If a provider is subject to third-country control, they may still qualify for Level 3 if the Commission has adopted an implementing act under Article 18 (Associated third countries). Note: While the main text of Article 18 establishes this mechanism, Annex II, Section 3.1(g) explicitly references an implementing act under Article 19 for the specific derogation condition. This appears to be a drafting inconsistency in the proposal text itself, but the mechanism for third-country recognition is established under Article 18.

7. Software Supply Chain Transparency (Audit Criterion I)

Auditors assess the provider's control over its software stack. Evidence includes:

  • SBOM: A complete and up-to-date Software Bill of Materials for all software components, including open-source software.
  • Dependency Lists: Documentation of the origin of software, degree of reliance on non-EU vendors, and visibility into the manufacturer chain.
  • Migration Plans: Evidence of alternative solutions and switchover plans in the event of vendor failure or third-country restrictions.
  • Source Code Auditability: Proof that the auditor has the right to access and audit source code, and that remote features capable of tampering are blocked.

8. Open-Source Software (Audit Criterion J)

For open-source components, auditors verify:

  • Tampering Controls: Evidence that remote features or mechanisms capable of materially tampering with systems are prevented.
  • Risk Management: Processes to identify weak ecosystem support, deprecated software, or lack of maintenance.
  • Control Monitoring: Mechanisms to detect if open-source software comes under the control of a third-country entity.

9. Global Services and Subsidiaries (Audit Criterion K)

If a provider has subsidiaries in third countries, auditors must verify:

  • Operational Independence: Evidence that the subsidiary is legally and operationally independent from the EU provider.
  • Data Isolation: Proof that the subsidiary has no access to EU customer data or privileged accounts.
  • Request Handling: Evidence that foreign government requests received by the subsidiary are formally redirected to the competent Union entity for legal assessment.

Quality Standards for Evidence

Article 21(2) establishes the qualitative standards for all audit evidence. It mandates that evidence must be:

  1. Relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion.
  2. Reliable, according to the auditing organisation's professional judgment and scepticism.

This means that while Annex III provides a baseline list, the auditor retains the professional discretion to request additional evidence if the standard list is insufficient to form a clear, reliable conclusion. The Annex explicitly states it "does not limit the evidence that may be requested or considered by the auditing organisations."

What this means for you

For in-house counsel, compliance officers, and cloud service providers, Annex III represents the tangible, operational burden of CADA's sovereignty framework. Compliance is not merely a matter of policy; it requires maintaining a rigorous, auditable trail of evidence.

1. Documentation is the Primary Compliance Tool

You cannot simply sign a self-declaration for Levels 2–4. You must maintain up-to-date records for every category in Annex III. This includes:

  • SBOMs: Keep your Software Bill of Materials current, detailed, and accessible to auditors.
  • Data Flow Maps: Regularly update diagrams showing exactly where data is stored, processed, and replicated.
  • Governance Records: Document shareholder structures, voting rights, and corporate governance decisions to prove the absence of third-country control.
  • Personnel Records: Maintain clear records of staff locations, citizenship status, and security clearances.

2. Prepare for Intrusive Audits

Audits for Levels 2, 3, and 4 will be detailed and intrusive. Auditors will request access to premises, data, and personnel. Ensure your IT and legal teams are prepared to provide:

  • Access logs and monitoring records.
  • Contractual agreements with all subcontractors.
  • Proof of cybersecurity certifications and source code access rights.

3. Monitor for Delegated Acts

Since the Commission can amend Annex III via delegated acts under Article 21(1), stay alert for updates to the evidence requirements. What is considered sufficient evidence today may be updated tomorrow to reflect new technologies or threats.

4. Penalties for Non-Compliance

Failure to comply with audit obligations or the provision of incorrect evidence can lead to significant penalties under Article 24. Member States must impose effective, proportionate, and dissuasive penalties. These can include fines based on the nature, gravity, and duration of the infringement, as well as the financial benefits gained. Additionally, providers who intentionally or negligently supply incorrect or misleading evidence can have their audit reports and recognition revoked.

Common misconceptions

Misconception 1: Annex III is a static checklist. Reality: Annex III is indicative. Article 21(2) requires evidence to be "reliable" and "sufficient." Auditors have the professional discretion to request additional evidence if the standard list does not provide a clear picture of compliance.

Misconception 2: Self-assessment is enough for all levels. Reality: Only Level 1 allows for a self-assessment under Article 19. Levels 2, 3, and 4 require independent third-party audits against the specific evidence in Annex III.

Misconception 3: Third-country control is only about ownership. Reality: Annex III (Audit Criterion G) looks at much more than shareholding. It examines voting rights, veto powers, commercial links, financial dependence, and corporate governance structures to determine if a third country effectively controls the provider.

Misconception 4: Open-source software is exempt from scrutiny. Reality: Audit Criterion J specifically addresses open-source software. Providers must demonstrate controls to prevent remote tampering and manage risks associated with the open-source ecosystem.

Misconception 5: The third-country derogation is under Article 19. Reality: While Annex II, Section 3.1(g) contains a drafting reference to "Article 19" for the implementing act regarding third-country control, the mechanism for identifying associated third countries is established under Article 18. This appears to be a drafting inconsistency in the proposal text, but the substantive power to recognise third countries lies with Article 18.

This is general information about a draft EU regulation, not legal advice.