Summary

As proposed, the Cloud and AI Development Act (CADA) mandates that audit evidence used to verify a cloud service's sovereignty assurance level must be relevant, sufficient, and reliable. Under Article 21(2), this evidence is assessed by auditing organisations using professional judgment and scepticism to ensure it accurately reflects the provider's compliance with Union assurance levels 2, 3, or 4. Without meeting these strict quality thresholds, a provider cannot obtain the "positive" audit opinion required for public procurement.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for assessing the sovereignty and trustworthiness of cloud computing services within the EU. A critical component of this framework is the independent audit process required for services seeking recognition at Union assurance levels 2, 3, and 4. Unlike Level 1, which relies on self-assessment, these higher levels demand third-party verification. Consequently, the quality and integrity of the evidence submitted during these audits are paramount, as they form the sole basis for the audit opinion that determines whether a service can be procured by public sector bodies for activities contributing to public order.

The Legal Standard for Audit Evidence

The specific requirements for the quality of audit evidence are codified in Article 21 of the CADA proposal, titled "Content and quality of audit evidence." This article serves as the gatekeeper for the entire sovereignty framework. It mandates that auditing organisations must assess a provider's compliance with the cumulative criteria set out in Annex II based on the audit evidence listed in Annex III.

Crucially, Article 21(2) explicitly defines the three non-negotiable pillars of acceptable audit evidence:

  1. Relevance: The evidence must be pertinent to the specific audit criteria being assessed. It must directly address the requirements of the Union assurance level in question, whether that relates to data localisation, personnel citizenship, or supply chain transparency. Evidence that is tangential or does not map directly to a criterion in Annex II is considered irrelevant.
  2. Sufficiency: The volume and depth of the evidence must be adequate to enable the auditing organisation to prepare a substantiated audit report and provide a clear audit opinion. Insufficient evidence prevents the auditor from reaching a definitive conclusion on compliance. Sufficiency is a matter of quantity and quality combined; a large volume of irrelevant data does not constitute sufficiency.
  3. Reliability: The evidence must be trustworthy. Article 21(2)(b) states that reliability is determined "according to the auditing organisation's professional judgment and scepticism." This means auditors cannot accept evidence at face value; they must actively evaluate its source, accuracy, and potential for manipulation.

The Role of Professional Judgment and Scepticism

The requirement for "professional judgment and scepticism" is a deliberate alignment with established international auditing standards, ensuring that the CADA framework is robust against gaming or superficial compliance. It places the onus on the auditing organisation to critically evaluate the information provided by the cloud computing service provider.

  • Professional Judgment: Auditors must apply their expertise to determine if the evidence is appropriate for the specific context. For example, a simple screenshot of a server location may not be sufficient evidence of data residency if it can be easily forged; a more reliable form of evidence might include lease agreements, utility bills, or network architecture diagrams verified through technical testing. The auditor must decide if the evidence provided is the best available proof of the claim.
  • Scepticism: Auditors must maintain a questioning mind. They should not assume the provider is dishonest, but they must also not assume the provider is entirely honest without verification. This involves corroborating evidence from different sources (e.g., comparing contractual documents with actual system logs) and remaining alert to conditions that may indicate possible misstatement due to error or fraud. Under CADA, scepticism is not optional; it is a statutory requirement for assessing reliability.

Connection to Annex III: The Indicative List of Evidence

While Article 21 sets the quality standard, Annex III of the CADA proposal provides an indicative list of the types of evidence that auditing organisations should request. It is crucial to note that Annex III is "indicative and does not limit the evidence that may be requested or considered by the auditing organisations."

Auditors are empowered to seek "any additional information necessary to ensure a comprehensive and accurate assessment of compliance." This flexibility allows auditors to tailor their evidence requests to the specific risks and complexities of the cloud service being audited. For instance, if a provider uses a complex network of subcontractors, the auditor may request additional evidence regarding those subcontractors' own compliance measures, even if not explicitly listed in the standard criteria for a specific assurance level. The list in Annex III serves as a baseline, not a ceiling, for the evidence required to satisfy the "sufficiency" and "reliability" tests of Article 21(2).

Consequences of Insufficient or Unreliable Evidence

If the audit evidence fails to meet the standards of relevance, sufficiency, or reliability, the auditing organisation cannot issue a "positive" audit opinion. The consequences are severe for providers aiming for the public sector market:

  • Negative Opinion: If the evidence demonstrates non-compliance with the criteria in Annex II, the auditor issues a negative opinion.
  • Inability to Conclude: If the auditor is unable to obtain sufficient appropriate audit evidence (e.g., the provider refuses access to certain logs, data, or premises), the auditor must explain in the report why those aspects could not be audited. This typically results in the provider failing to achieve the desired Union assurance level.

Without a positive audit opinion and a subsequent recognition decision by the national competent authority, the cloud service cannot be listed in the central repository as offering Union assurance levels 2, 3, or 4. This effectively bars the service from being procured by public sector bodies for activities identified as contributing to the preservation of public order under Article 29.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, understanding the quality requirements for audit evidence is essential for preparing for CADA compliance. The shift from self-declaration to independent audit represents a significant operational change.

  1. Prepare Robust Documentation: Do not rely on high-level summaries or marketing materials. Auditors will require granular, verifiable evidence. Ensure your data governance policies, personnel records (including citizenship verification), and supply chain documentation are meticulously maintained and easily accessible. Evidence must be "relevant" to the specific criterion; generic compliance manuals are often insufficient.
  2. Anticipate Auditor Scepticism: Assume that auditors will challenge the reliability of your self-reported data. Be prepared to provide corroborating evidence from independent sources (e.g., third-party certificates, bank statements, or technical logs) to support your claims. If you claim data never leaves the Union, you must provide network flow diagrams and access logs that prove it, not just a contractual clause.
  3. Cooperate Fully: Article 20 requires providers to cooperate with auditing organisations and provide assistance necessary to enable them to conduct audits effectively. Withholding evidence or providing incomplete information can lead to a failure to obtain a positive audit opinion. This results in significant commercial loss, particularly in the public sector market where procurement is restricted to recognised services.
  4. Review Subcontractor Agreements: Since evidence must cover subcontractors involved in service provision (as per Annex II criteria), ensure your contracts with subcontractors include clauses that allow you to gather the necessary evidence to demonstrate their compliance with CADA criteria. You cannot claim compliance if your subcontractor refuses to provide the auditor with the required evidence.

Common misconceptions

"Annex III is a checklist I just need to fill out." Incorrect. Annex III is indicative. Auditors have the discretion to request additional evidence if they deem the provided evidence insufficient or unreliable under Article 21(2). The "sufficiency" requirement means the auditor decides if the evidence is enough, not the provider.

"Self-certification is enough for all levels." Incorrect. Only Union assurance level 1 allows for conformity self-assessment. Levels 2, 3, and 4 require independent audits with strict evidence quality standards. The "reliability" test under Article 21(2) specifically requires the auditor's professional judgment, which cannot be self-applied.

"Professional judgment is subjective and arbitrary." Incorrect. Professional judgment is based on established auditing standards and the specific context of the cloud service. Scepticism is a required professional attitude, not a personal bias against the provider. It is a safeguard to ensure the integrity of the Union assurance framework.

"CADA replaces the AI Act's requirements." Incorrect. CADA addresses the sovereignty of the cloud infrastructure, while the AI Act regulates the AI systems themselves. A provider may need to comply with both, and the evidence required for CADA sovereignty levels is distinct from the technical documentation required for AI Act conformity.

This is general information about a draft EU regulation, not legal advice.