Summary
Under the proposed Cloud and AI Development Act (CADA), "audit evidence" would be defined as any information an auditing organisation uses to support its audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed (Article 2(20) as proposed). It is the raw material on which independent third-party audits rest for cloud computing services seeking recognition at Union assurance levels 2, 3 or 4. As proposed, that evidence must be both relevant and sufficient, and reliable (Article 21(2)), and it must be assessed against the criteria in Annex II using the evidence listed in Annex III.
Detail
CADA, COM(2026) 502 final, is a proposal — not yet in force. It would establish a Union cloud computing sovereignty framework with four "Union assurance levels". For levels 2, 3 and 4, recognition would depend on an independent third-party audit, and the credibility of that audit turns on what counts as valid proof. CADA therefore defines audit evidence precisely.
The definition (Article 2(20))
As proposed, Article 2(20) provides that "audit evidence" means:
"any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed."
This is an original definition in the CADA text. It is deliberately broad: it reaches beyond paper documentation to "data collected from ... IT systems" and "testing performed", reflecting that compliance in a cloud environment is often demonstrated technically — through configuration files, logs, code review or live testing — rather than through policy documents alone.
How the evidence is used (Article 21)
While Article 2(20) defines what audit evidence is, Article 21 — titled "Content and quality of audit evidence" — sets the standard it must meet. As proposed, Article 21(1) requires the auditing organisation, in order to prepare the audit report and audit opinion, to assess the compliance of the audited service with the criteria set out in Annex II on the basis of the audit evidence listed in Annex III. (The Commission would be empowered to adopt delegated acts to amend Annex III to lay down the evidence needed to assess each criterion.)
Article 21(2) then sets two cumulative quality requirements. The audit evidence must be:
- relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion; and
- reliable, according to the auditing organisation's professional judgment and scepticism.
So the "information" captured by Article 2(20) is not accepted at face value: it must be filtered through Article 21(2)'s quality lens before it can support an opinion.
What Annex III evidence looks like in practice
Annex III is described in the proposal as indicative — it does not limit the evidence auditors may request or consider, and auditors may seek any additional information needed for a comprehensive assessment. It organises evidence by audit criterion. For example, for Union establishment (criterion A) auditors may examine company-register extracts, tax-residency documents, lease contracts, payroll records and financial statements; for absence of third-country control (criterion G) they may examine all direct and indirect shareholders up to the ultimate owners, the cap table, and the rules governing strategic decision-making. The same piece of evidence may serve different criteria, with the depth of analysis varying by assurance level.
Who decides what is sufficient
As proposed, Article 2(17) defines an "auditing organisation" as an individual organisation, a consortium or other combination of organisations (including any subcontractors) that the audited provider has contracted to perform an independent audit. Under Article 20, that organisation prepares the audit report and issues either a "positive" or "negative" audit opinion. Because Article 21(2) makes reliability a matter of the auditor's own professional judgment and scepticism, it is the auditing organisation — not the provider — that determines whether the evidence is adequate to support a positive opinion.
Scope: which levels require it
- Union assurance level 1 would rest on a conformity self-assessment and an EU statement of conformity (Article 19), not on an independent audit. The Article 21 audit-evidence requirements would not apply.
- Union assurance levels 2, 3 and 4 would require an independent third-party audit (Article 20), and it is here that audit evidence under Article 2(20), assessed under Article 21, is the foundation of the audit opinion.
What this means for you
If you are a cloud computing service provider seeking recognition at Union assurance level 2, 3 or 4, the audit-evidence regime would shape how you prepare:
- Maintain comprehensive, auditable records. The definition expressly includes "data collected from ... IT systems" and "testing performed", so your technical infrastructure — logs, configurations, the software bill of materials (SBOM) required under Annex II — must be capable of being inspected and tested, not just described in policy.
- Cooperate fully. Article 20(2) as proposed requires audited providers to assist the auditing organisation, including by giving access to all relevant data and premises and answering questions, and to refrain from hampering or unduly influencing the audit. Obstruction can prevent a positive opinion.
- Aim for relevance, not volume. Under Article 21(2), evidence must be relevant and sufficient to the specific Annex II criteria — data localisation, software supply-chain transparency, absence of third-country control, and so on. Work with your auditor early to map evidence to each criterion.
- Prepare for testing. Because "testing performed" is part of the definition, expect technical verification (for example, that data does not leave the Union, or that remote tampering features are blocked), not merely documentary review.
- Note ongoing review. Under Article 20(8), the audit report and positive opinion would be submitted annually for review of continued compliance, so your evidence base must be kept current.
Common misconceptions
- "Audit evidence is just paper policies." No. Article 2(20) expressly includes data from documents, databases or IT systems, interviews and testing. Technical verification is central.
- "Anything the provider hands over counts." No. Under Article 21(2), evidence must be reliable in the auditor's professional judgment and scepticism — it is verified, not simply accepted.
- "Audit-evidence rules apply at level 1." No. Level 1 relies on a self-assessment and EU statement of conformity (Article 19). The Article 21 requirements apply to levels 2, 3 and 4.
- "The provider decides what is sufficient." No. The auditing organisation determines sufficiency and reliability, assessing the Annex II criteria on the Annex III evidence (Article 21(1)).
This is general information about a draft EU regulation, not legal advice.