Summary

Under the proposed Cloud and AI Development Act (CADA), professional scepticism is a mandatory, non-negotiable component of the audit evidence assessment for cloud computing services seeking Union assurance levels 2, 3, or 4. Article 21(2)(b) explicitly requires that audit evidence be "reliable, according to the auditing organisation's professional judgment and scepticism." This provision legally obliges auditors to reject a "tick-box" approach; they must not accept provider-submitted evidence uncritically. Instead, they must independently verify its sufficiency and relevance to ensure the cloud service genuinely meets strict sovereignty criteria, such as data localisation and the absence of third-country control.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services, categorising them into four Union assurance levels. While Level 1 relies on a provider's self-assessment, Levels 2, 3, and 4 require independent third-party audits to verify compliance with the stringent cumulative criteria set out in Annex II. The integrity of these audits is paramount, as they determine whether a public sector body can legally procure a service for sensitive operations under Article 30. Central to this integrity is the concept of professional scepticism, which CADA embeds directly into the evidentiary standards for auditing organisations.

The Legal Basis: Article 21 and the Standard of Evidence

Article 21, titled "Content and quality of audit evidence," sets the definitive benchmark for what constitutes valid proof of compliance under the proposed regulation. The provision mandates that auditing organisations assess compliance against the criteria in Annex II based on the audit evidence listed in Annex III.

Crucially, Article 21(2) establishes a two-part test for the quality of this evidence. It states that the audit evidence shall be: (a) relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion; and (b) reliable, according to the auditing organisation's professional judgment and scepticism.

This phrasing is legally significant. It moves the standard beyond a simple checklist of documents. It requires the auditor to exercise critical assessment skills and independent judgment. Professional scepticism, in this context, implies a questioning mind and a critical evaluation of audit evidence. It requires the auditor to remain alert to conditions that may indicate possible misstatement due to error or fraud, and to not take the cloud computing service provider's assertions at face value without verification. The regulation explicitly places the burden of this judgment on the auditing organisation, ensuring that the "positive" audit opinion required for recognition under Article 17 is based on robust, verified facts rather than unchallenged claims.

What Professional Scepticism Entails in Practice

In the context of CADA, professional scepticism requires auditing organisations to actively challenge and verify provider assertions. The regulation's detailed evidence requirements in Annex III provide the framework for this sceptical approach:

  1. Challenge Provider Assertions on Control: Cloud providers have a strong incentive to secure high assurance levels to access lucrative public sector contracts. Auditors must resist the temptation to accept self-serving declarations. For example, if a provider claims that no third-country entity controls its operations (a strict requirement for Union assurance levels 3 and 4 under Annex II, paragraphs 3.1(g) and 4.1(g)), the auditor cannot simply accept a signed declaration. They must independently verify ownership structures, board compositions, voting rights, and financial links as detailed in Annex III, Audit Criterion G. This includes analysing cap tables, shareholder agreements, and the actual composition of governing bodies to determine whether any third country holds veto rights or strategic influence.
  2. Verify Technical Claims on Data Localisation: Providers may claim that data never leaves the Union. Scepticism requires the auditor to examine network diagrams, access logs, and subcontractor agreements to confirm that technical controls are genuinely in place and not merely theoretical. Under Annex III, Audit Criterion C, the auditor must verify that no customer data, including encrypted data, is transferred outside the Union without approval. If a provider states that open-source components have been audited for remote tampering features, the auditor must verify that these audits were actually performed and that the results are robust, rather than accepting a summary report.
  3. Assess Independence and Competence: While Article 20 sets out independence requirements for auditing organisations (e.g., no non-audit services in the 12 months prior), professional scepticism also applies to how auditors view their own work. They must ensure they have the necessary technical competence to audit complex cloud stacks and AI systems. If an auditor lacks the expertise to verify a specific cryptographic measure or a complex supply chain dependency, scepticism dictates they should not proceed without engaging external experts or declining the engagement.
  4. Investigate Inconsistencies: If audit evidence is contradictory, for instance if a provider's technical documentation states one thing but their operational logs show another, professional scepticism requires the auditor to investigate the discrepancy thoroughly rather than ignoring it or accepting the provider's explanation at face value. Annex III explicitly lists various forms of evidence (e.g., lease contracts, payroll records, activity logs) that must be cross-referenced to ensure consistency.

Consequences of Failing to Exercise Scepticism

The stakes for failing to exercise professional scepticism are high under the proposed framework. Article 20(7) states that an auditing organisation may revoke its audit report and audit opinion where the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence. However, if the auditor failed to detect this due to a lack of scepticism, they may face reputational damage and potential liability.

Furthermore, Article 24 allows recipients of cloud services to seek compensation from providers for any damage or loss suffered due to an infringement. If an auditor's negligent failure to exercise scepticism contributed to a non-compliant service being certified, the auditor could be exposed to legal claims for failing to meet the "reliable" standard mandated by Article 21(2)(b).

Moreover, the Commission will maintain a central repository of recognised services under Article 22. If a service is found to be non-compliant post-certification, the revocation will be published in this repository and remain visible for five years. This public record underscores the importance of rigorous, sceptical audits. The regulation ensures that the "positive" audit opinion is not a one-time stamp but a reflection of ongoing, critical verification.

What this means for you

For in-house counsel, compliance officers, and public procurement teams overseeing cloud procurement or audit engagements, the requirement for professional scepticism has several practical implications:

  • Selecting Auditing Organisations: When selecting an auditing organisation for your cloud service or assessing the quality of an audit performed by a provider, look beyond their certification status. Evaluate their methodology. Do they have a documented process for exercising professional scepticism? Do they verify evidence independently? Ask for examples of how they challenge provider assertions, particularly regarding third-country control and data localisation.
  • Preparing for Audits: If you are a cloud provider, prepare for a rigorous, sceptical audit. Do not assume that submitting documentation is sufficient. Anticipate that auditors will test your claims. Ensure your internal controls, logs, and documentation are robust and consistent. Be ready to provide underlying data (e.g., raw access logs, full cap tables), not just summaries. The auditor's scepticism means they will look for gaps between your policy and your practice.
  • Risk Assessments: When conducting risk assessments under Article 29 to determine the appropriate Union assurance level for your public sector activities, consider the quality of the audit evidence. A "positive" audit opinion is valuable, but understanding the rigour of the audit process adds another layer of assurance. A sceptical audit provides greater confidence that the service will remain compliant over time.
  • Contractual Safeguards: Include clauses in your cloud service contracts that require providers to maintain audit evidence that meets the reliability standards of Article 21. Specify that any changes to the service that affect compliance must be reported promptly, allowing for re-auditing if necessary. Ensure that the contract obliges the provider to cooperate fully with the auditor's sceptical inquiries.

Common misconceptions

  • "Professional scepticism means assuming the provider is lying." This is incorrect. Professional scepticism is not about cynicism or distrust. It is about maintaining a questioning mind and critically assessing evidence. It acknowledges that errors or misrepresentations can occur, whether intentional or not, and requires verification to ensure accuracy. It is a standard of care, not an accusation of fraud.
  • "Self-assessment for Level 1 requires no scepticism." While Level 1 is self-assessed under Article 19, providers still have a duty to ensure their compliance. However, the explicit requirement for auditing organisation scepticism applies to Levels 2-4. For Level 1, the provider assumes full responsibility for the accuracy of their EU statement of conformity. The shift to independent audit for higher levels is precisely because the risks require an external, sceptical eye.
  • "Auditors only check boxes." CADA explicitly rejects a tick-box approach. Article 21(2)(b) requires judgment and scepticism, meaning auditors must evaluate the quality and reliability of evidence, not just its presence. An auditor who simply collects documents without verifying their authenticity or consistency would fail to meet the standard set by the proposed regulation.

This is general information about a draft EU regulation, not legal advice.