Summary
Under the proposed Cloud and AI Development Act (CADA), recognition as a sovereign cloud service is not a static certificate but a dynamic status contingent on continuous transparency. Cloud computing service providers must report any material change in circumstances that could affect their audit report or recognition status to both their auditing organisation and their national competent authority "as soon as possible." Failure to disclose such changes, or the provision of incorrect or misleading information, exposes the provider to the immediate revocation of their recognition across the entire Union. This mechanism ensures that the Union assurance levels (1–4) remain a reliable indicator of sovereignty and security for public sector procurement.
Detail
The CADA proposal establishes a rigorous, multi-layered framework for the recognition of cloud computing services as offering specific levels of Union assurance. While Article 17 sets out the initial application and recognition procedures, the validity of this recognition is not guaranteed indefinitely. Instead, it is maintained through a strict regime of ongoing transparency and accuracy, codified primarily in Article 23 and reinforced by the specific revocation powers found in Article 17(11).
The relationship between these two articles creates a "living compliance" model. Recognition is granted based on the state of the provider at a specific point in time, but the legal framework assumes that the operational, legal, and technical environment of a cloud provider is fluid. Consequently, the Act mandates that providers act as the primary sensors for their own compliance status, triggering a reassessment loop whenever their reality diverges from their certified status.
The Obligation to Report Material Changes
Article 23, titled "Transparency obligations," imposes a proactive and urgent duty on recognised cloud computing service providers. The core requirement is explicitly set out in Article 23(1):
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This provision dismantles the concept of a "set and forget" certification. The term "material change in circumstances" is intentionally broad, designed to capture any event, shift, or development that could undermine the cumulative criteria against which the service was originally assessed. In the context of the sovereignty framework, such changes could include:
- Structural shifts: Changes in ownership, control, or the legal structure of the provider or its subcontractors.
- Operational shifts: Alterations in the location of infrastructure, assets, or personnel, or changes in data flow patterns.
- Legal shifts: The emergence of new laws or practices in a third country that might compel data access or disrupt service continuity.
- Supply chain shifts: The introduction of new software components or subcontractors that were not part of the original audit scope.
The directive to notify "as soon as possible" implies a duty of urgency. It prevents providers from delaying disclosure until the next scheduled annual review or audit. The notification must be sent to two distinct entities to ensure both technical and regulatory oversight are maintained:
- The auditing organisation: The independent body that issued the original audit report and the 'positive' opinion.
- The national competent authority of establishment: The regulatory body in the Member State where the provider has its main establishment, which holds the power to grant or revoke recognition.
The Consequences of Non-Reporting or Misleading Information
The transparency obligation is a condition precedent to the continued validity of the recognition. The mechanism for handling breaches of this obligation is detailed in Article 23(2) and Article 23(3), which trigger a cascading reassessment process:
- Auditing Organisation's Role: Upon receiving a notification, the auditing organisation is required to assess whether the audit report or the 'positive' opinion needs to be amended or revoked (Article 23(2)). If the auditor determines that the change invalidates the previous findings, they must amend or revoke the report and subsequently notify the national competent authority.
- Competent Authority's Role: Based on the notification from the provider or the auditor, the national competent authority must assess whether its recognition of the service needs to be amended or revoked (Article 23(3)). If the recognition is amended or revoked, the authority is obligated to notify the competent authorities of other Member States and the Commission, ensuring the change is reflected across the Union.
Crucially, Article 17(11) provides a direct and independent ground for revocation that does not necessarily require a new audit trigger. It states:
"The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union as providing a specific Union assurance level, intentionally or negligently, supplied incorrect or misleading information."
This clause underscores the high standard of integrity required under the proposed framework. It establishes that the act of providing information, whether during the initial application or in subsequent reporting, is a legal commitment. If a material change occurs and the provider fails to report it, or worse, provides false information to maintain its status, the competent authority has the power to strip the recognition. The phrase "intentionally or negligently" is significant: it broadens the scope of liability to include administrative oversights, lack of due diligence, or failure to verify facts, meaning that unintentional errors can be as damaging as deliberate deception.
Integration with the Central Repository
The transparency and reporting mechanisms feed directly into the central repository established under Article 22. This repository serves as the single source of truth for public sector bodies and Union entities procuring cloud services.
Once a recognition is revoked or amended following a notification under Article 23, this change must be published in the central repository (Article 22(3)). This ensures that market participants have immediate visibility into the current status of a provider's assurance level. The regulation mandates that the revocation remains available in the repository for five years, creating a lasting record of compliance history. This transparency serves as a deterrent against non-compliance and ensures that public procurement decisions are based on up-to-date, accurate data regarding the sovereignty of the cloud services being considered.
What this means for you
For cloud service providers seeking or holding Union assurance recognition under the proposed CADA, the relationship between transparency and recognition demands a robust, proactive internal governance framework. You cannot rely on the initial audit to secure your status for the long term.
- Establish Real-Time Monitoring Systems: You must implement internal mechanisms to detect material changes in your operations, legal structure, or supply chain immediately. This includes monitoring changes in third-country laws that might affect your subcontractors, data flows, or the control exercised over your entity.
- Define "Material Change" Internally: Develop clear internal criteria for what constitutes a "material change" under Article 23(1). Given the breadth of the term, it is advisable to consult with your auditing organisation early to align on expectations. Ambiguity here can lead to accidental non-compliance and subsequent revocation.
- Create Rapid Reporting Protocols: When a material change is identified, you must have a predefined, tested process to notify both your auditor and the national competent authority "as soon as possible." Delay in reporting can be interpreted as negligence, triggering the revocation powers in Article 17(11).
- Maintain Audit Readiness: Be prepared for the auditing organisation to reassess your compliance immediately upon notification. Ensure your documentation, evidence, and operational controls are continuously up-to-date to support the continuity of your 'positive' opinion.
- Avoid Misleading Information: Ensure all data provided during the initial application and all subsequent reporting is accurate and verified. Article 17(11) makes clear that both intentional falsehoods and negligent errors can lead to the immediate revocation of your recognition. This would not only damage your market position but also disqualify you from serving public sector bodies that require Union assurance levels.
Common misconceptions
- Misconception 1: Recognition is permanent until the next annual review.
- Reality: Recognition is dynamic. Article 23 requires immediate reporting of material changes, which can trigger an amendment or revocation at any time, not just during scheduled annual reviews.
- Misconception 2: Only the auditor needs to be informed of changes.
- Reality: Article 23(1) explicitly requires notification to both the auditing organisation and the national competent authority of establishment. Failing to notify one is a breach.
- Misconception 3: Only intentional fraud leads to revocation.
- Reality: Article 17(11) states that recognition may be revoked if the provider "intentionally or negligently" supplied incorrect or misleading information. Negligence is sufficient grounds for revocation.
- Misconception 4: Minor operational tweaks do not need to be reported.
- Reality: The test is materiality, not size. If a change may affect the audit report or recognition, it must be reported. Providers should err on the side of caution and consult their auditor when in doubt about the materiality of a change.
This is general information about a draft EU regulation, not legal advice.