Summary

Article 23 of the proposed Cloud and AI Development Act (CADA) sets out the transparency obligations on recognised cloud computing service providers. A provider must, as soon as possible, notify its auditing organisation and the national competent authority of establishment of any information or material change in circumstances that may affect its audit report, its positive audit opinion (Article 20) or its recognition (Article 17). The article then sets up a sequential review: the auditing organisation reassesses the report/opinion, the competent authority reassesses the recognition, and any amendment or revocation is notified to the other Member States and the Commission. CADA is a draft proposal, so Article 23 is not yet in force.

Detail

Article 23, titled "Transparency obligations," sits within CADA's Union cloud computing sovereignty framework. Its function is to keep a service's "Union assured" status accurate over time: recognition is not a one-off certificate but a status that must be maintained, and Article 23 is the loop that surfaces changes which might undermine it.

The core obligation (Article 23(1))

Article 23(1) provides:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

This applies to providers recognised under Article 17 at Union assurance levels 1 to 4. The trigger is "becoming aware," and the standard is a change that may affect the report, opinion or recognition — a deliberately broad threshold. Notification runs to two recipients: the auditing organisation that issued the report and opinion (relevant for the audited levels 2-4) and the national competent authority of establishment that granted the recognition.

The review chain (Article 23(2) and (3))

Step 1 — auditing organisation (Article 23(2)). On the basis of the provider's notification, the auditing organisation must "assess whether the audit report or the audit opinion need to be amended or revoked. Where the auditing organisation amends or revokes the audit report or the audit opinion, it shall, as soon as possible, notify the national competent authority of establishment." It assesses the change against the Annex II criteria and the audit evidence in Annex III, and may amend the report or revoke the positive opinion.

Step 2 — competent authority (Article 23(3)). On the basis of the notification under paragraph 1 or 2, the national competent authority of establishment must "assess whether its recognition needs to be amended or revoked. Where the national competent authority of establishment amends or revokes its recognition of the cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission." The authority makes the recognition decision even where an auditor has acted on the report.

Cross-border notification. The final element of Article 23(3) — notice to the other Member States and the Commission — preserves the single-market effect of recognition. If a service loses, say, its level 3 status, authorities across the Union are informed, and the change feeds the central repository under Article 22.

So the "three-step" structure is: (1) the provider notifies; (2) the auditing organisation reassesses and, if it acts, notifies the authority; (3) the authority reassesses and, if it acts, notifies the other Member States and the Commission.

Link to revocation and publication

Where the chain ends in revocation, Article 22(3) requires the revocation of the audit report and opinion, or of the recognition, to be published in the central repository and to remain there for five years. Article 23 is thus the procedural front end to the publicly visible loss of status recorded under Article 22.

Why the obligation is structured this way

Recital 58 explains the design. To keep the status of services as offering Union assurance levels accurate and reliable, providers should report relevant information or material changes promptly to the auditing organisation and the competent authorities of establishment; that information should enable the auditing organisation to reassess, amend or withdraw the report and opinion, and the competent authority to review its recognition. The three roles are therefore deliberately separated: the provider is closest to the facts and must surface them; the auditing organisation has the technical mandate to judge the audit report and opinion; and the competent authority holds the legal power over recognition. Each link in the chain notifies the next, and the authority's final notification to the other Member States and the Commission preserves the Union-wide effect of recognition.

Article 23 alongside the annual review and revocation powers

Article 23 is not the only route to reassessment. For audited levels, Article 20(8) provides for an annual review in which the auditing organisation may confirm, update or revoke the report and opinion. Separately, Article 20(7) lets an auditing organisation revoke its report and opinion where the provider supplied incorrect or misleading evidence, and Article 17(11) lets a competent authority revoke a recognition on the same basis. Article 23 fills the gap between these fixed and misconduct-based mechanisms: it captures interim material changes — whenever they arise — and routes them into the same reassessment and, where warranted, revocation, with publication following under Article 22(3).

What this means for you

For in-house counsel and compliance officers, Article 23 makes transparency a continuous operational requirement rather than a periodic one.

1. Build internal detection. Implement governance that surfaces "material changes" promptly — shifts in corporate control, changes in the location of infrastructure, assets, data or personnel, and incidents or changes affecting the cybersecurity criteria in Annex II.

2. Set a clear materiality threshold. Article 23 does not define "material change," but the Annex II cumulative criteria for your level give the reference point: a change that could cause the service to fail a criterion for its current level is material. Where in doubt, notify.

3. Notify quickly. "As soon as possible" implies urgency; delay risks being treated as negligence and can attract penalties under Article 24. Have a pre-agreed protocol for escalating to, and notifying, both the auditor and the authority.

4. Understand the downstream effect. If the authority revokes recognition, the service is, in effect, no longer recognised for procurement under Article 30, and the revocation is published in the repository for five years (Article 22(3)).

Common misconceptions

"Notification is only needed if the auditor asks for it." No. Article 23(1) puts the burden on the provider to notify proactively; waiting for the annual review (Article 20(8)) to surface a problem does not satisfy it.

"Only major structural changes need reporting." The standard is "may affect." It can extend to subcontractor arrangements, personnel or supply-chain dependencies — any change that could bear on the Annex II criteria for the level held.

"The auditor's decision is final." The auditor assesses the report and opinion, but the national competent authority makes the recognition decision (Article 23(3)). The authority can act on its own assessment.

"This applies only to level 4." Article 23 applies to all recognised providers, levels 1 to 4. The duty to notify an auditing organisation arises for the audited levels (2-4); a level 1 provider, recognised on a self-assessment under Article 19, still must notify the competent authority of material changes.

This is general information about a draft EU regulation, not legal advice.