Summary

Under the proposed Cloud and AI Development Act (CADA), the audit report and the audit opinion are distinct but inseparable components of the independent third-party assessment required for cloud computing services seeking Union assurance levels 2, 3, or 4. The audit report is the comprehensive, substantiated document detailing the methodology, scope, evidence, and findings of the audit. The audit opinion is the definitive, binary conclusion, either "positive" or "negative", stating whether the provider complies with the specific assurance level criteria. While the opinion is the trigger for recognition, the report provides the necessary evidentiary basis for national competent authorities to validate that conclusion. Both are mandatory deliverables under Article 20 of the proposal.

Detail

The distinction between an audit report and an audit opinion is central to the sovereignty framework established by the proposed CADA. For cloud providers aiming to serve public sector bodies with Union assurance levels 2, 3, or 4, self-declaration is insufficient. Article 20 mandates an independent third-party audit to verify compliance with the rigorous criteria set out in Annex II. This process yields two specific outputs that serve different legal functions within the recognition procedure.

The Audit Report: The Substantiated Record

The audit report serves as the factual and methodological backbone of the assessment. It is not merely a summary; it is a detailed, written record that must be "substantiated" to ensure transparency and verifiability. Article 20(5) explicitly enumerates the mandatory contents of this report, ensuring that the conclusion is traceable to specific evidence.

According to Article 20(5), the audit report must include:

  • Identification: The name, address, and point of contact of the provider subject to the audit, and the specific period covered by the audit.
  • Auditor Details: The name and address of the auditing organisation performing the audit.
  • Independence: A declaration of interests to confirm the auditor's independence from the provider.
  • Scope and Method: A description of the specific aspects audited and the methodology applied to assess compliance.
  • Findings: A description and summary of the main findings drawn from the audit evidence.
  • Consultation: A list of third parties consulted as part of the audit process.
  • The Opinion: The audit opinion itself (either positive or negative) must be included within the report.
  • Remediation (if negative): If the opinion is negative, the report must include operational recommendations on specific measures to achieve compliance and a recommended timeframe to achieve it.
  • Recognition Level (if positive): If the opinion is positive, the report must specify the Union assurance level that needs to be recognised under Article 17.

Furthermore, Article 20(6) addresses scenarios where the audit cannot be fully completed. If the auditing organisation was unable to audit certain aspects or express an opinion based on its investigations, the report must include an explanation of the circumstances and the reasons why those aspects could not be audited. This provision ensures that the report remains a transparent record of the audit's limitations, preventing "silent" gaps in compliance verification.

The Audit Opinion: The Binary Verdict

The audit opinion is the formal, binary conclusion derived from the findings in the report. It is the "verdict" on whether the cloud service meets the statutory requirements. Under Article 20(5)(g), the opinion must explicitly state whether the audited service complies with the applicable audit criteria for Union assurance levels 2, 3, or 4.

There are only two possible outcomes for the opinion, as defined in the proposal:

  1. Positive Opinion: This is issued when "all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation." A positive opinion is the prerequisite for a cloud service to be recognised as offering a specific Union assurance level. Without it, the service cannot be registered in the central repository or procured by public authorities under the higher assurance tiers.
  2. Negative Opinion: This is issued when "the auditing organisation considers that the provider does not comply with the criteria set out in this Regulation." A negative opinion precludes recognition. Crucially, Article 20(5)(h) mandates that a negative opinion be accompanied by operational recommendations and a timeframe for compliance, providing a roadmap for the provider to rectify deficiencies.

The opinion is the decisive element for the national competent authority. However, it is not a standalone document; it is legally tethered to the report. The authority cannot grant recognition based on an opinion alone; it must verify that the opinion is supported by the substantiated evidence and methodology detailed in the report.

The Interplay and Lifecycle

The relationship between the report and the opinion is dynamic and subject to ongoing oversight. Article 20(8) establishes an annual review cycle. The audited provider must annually submit the audit report and the associated positive opinion to the auditing organisation. The auditor then assesses whether the service continues to comply with the criteria. Based on this review, the organisation may "confirm, update, or revoke the initial audit report and audit opinion."

This lifecycle underscores that the opinion is not permanent. If a provider intentionally or negligently supplies incorrect or misleading audit evidence, Article 20(7) empowers the auditing organisation to revoke both the audit report and the audit opinion. This revocation mechanism ensures that the integrity of the opinion remains dependent on the accuracy of the report's contents.

What this means for you

For legal counsel, compliance officers, and cloud service providers, understanding the distinction between the report and the opinion is critical for navigating the CADA recognition process.

1. Strategic Preparation for the Audit

Providers must prepare for the creation of the audit report, not just the final opinion. Since Article 20(5) requires a detailed description of methodology and findings, your internal teams must document all controls, data flows, and subcontractor arrangements meticulously. The auditor cannot issue a positive opinion without the underlying evidence to substantiate the report. A weak or incomplete report will likely lead to a negative opinion or a request for further information, delaying market access.

2. The Recognition Process

To be recognised as offering Union assurance levels 2, 3, or 4, you must submit both the audit report and the positive audit opinion to the national competent authority of your establishment, as required by Article 17(4). The authority will scrutinise the report to verify that the opinion is justified. If the report lacks sufficient detail or fails to address the criteria in Annex II, the authority may reject the application or request clarification, potentially stalling your ability to serve public sector clients.

3. Annual Compliance and Maintenance

Compliance is an ongoing obligation. Article 20(8) mandates an annual review. Your compliance programme must ensure that any changes to infrastructure, personnel, or subcontractors are documented and available for this review. If the annual review results in a revoked opinion, you lose your recognised status. This could constitute a breach of contract with public sector bodies that are legally required under Article 30 to procure only from recognised providers.

4. Risk of Revocation and Penalties

The validity of the opinion rests on the integrity of the report. If a provider supplies misleading information, Article 20(7) allows for the revocation of both documents. Furthermore, Article 24 outlines penalties for infringements, including fines that must be "effective, proportionate and dissuasive." Providing false audit evidence is a serious infringement that can lead to significant financial penalties and reputational damage, as well as the loss of the right to seek compensation for damages caused by the infringement.

Common misconceptions

"The opinion is the only document that matters." Many providers focus solely on achieving a "positive" opinion. However, without a robust, detailed audit report that substantiates the opinion, the national competent authority may reject the application. The report is the evidence; the opinion is merely the conclusion. If the evidence is flawed, the conclusion is invalid.

"A negative opinion is a permanent ban." A negative opinion does not mean you are permanently barred from the market. Article 20(5)(h) requires the report to include operational recommendations and a timeframe for compliance. Providers can rectify the identified issues, undergo a new audit, and obtain a positive opinion. The key is to address the specific findings documented in the report.

"The audit report is confidential and never seen by regulators." While the report contains sensitive commercial information, it is submitted to the national competent authority as part of the recognition process under Article 17(4). The authority reviews it to verify the opinion. Additionally, Article 22 establishes a central repository of recognised services. While the full report may not be public, the fact of recognition (based on the opinion) is public. Transparency obligations under Article 23 also require providers to notify authorities of material changes that may affect the report or opinion, triggering a reassessment.

This is general information about a draft EU regulation, not legal advice.