Summary
Under the proposed Cloud and AI Development Act (CADA), an auditing organisation is only considered independent if it strictly adheres to the conflict-of-interest and financial neutrality rules set out in Article 20(4). Specifically, Article 20(4)(a) prohibits an auditor from having provided non-audit services related to the audited matters to the cloud provider (or any connected legal person) in the 12 months prior to the audit, and requires a commitment to refrain from such services for 12 months after the audit. Furthermore, independence is compromised if the auditor has performed CADA audits for the same provider within the 10-year period preceding the audit, or if the audit fees are contingent on the result of the audit. These rules are mandatory for any cloud service seeking recognition at Union assurance levels 2, 3, or 4.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Level 1 relies on self-assessment, Union assurance levels 2, 3, and 4 require independent third-party audits to obtain a "positive" audit opinion, which is a prerequisite for recognition by national competent authorities. The integrity of this entire sovereignty framework hinges on the absolute independence of the auditing organisations performing these assessments.
Article 20 of the proposal, titled "Independent audit," explicitly defines the conditions under which an auditing organisation may be considered independent. The regulation mandates that audits be performed by organisations that are "independent from, and do not have any conflicts of interest with, the cloud computing service provider concerned, and any legal person connected to that provider."
To operationalise this principle, Article 20(4)(a) establishes three specific, cumulative prohibitions designed to eliminate both actual and perceived conflicts of interest. These rules create a rigorous "firewall" between the auditor and the auditee.
1. The 12-Month Non-Audit Service Ban (Look-Back and Look-Forward)
The first pillar of independence under Article 20(4)(a)(i) addresses the risk of self-review and the "revolving door" between consulting and auditing. The regulation states that an auditing organisation must not have provided "non-audit services related to the matters audited" to the cloud computing service provider (or any connected legal person) in the 12-month period before the beginning of the audit.
Crucially, this prohibition is bidirectional. The same clause requires the auditing organisation to have "committed to not providing them with such services in the 12-month period after the completion of the audit." This creates a strict 24-month "clean zone" surrounding the audit engagement:
- Pre-Audit (Look-Back): The auditor cannot have acted as a consultant, implementer, or technical advisor on the specific matters being audited in the year leading up to the audit. For example, if an auditor helped design the cloud provider's security architecture or implemented the software bill of materials (SBOM) processes in the last 12 months, they are disqualified from auditing those same processes.
- Post-Audit (Look-Forward): The auditor must commit to not taking on non-audit roles related to the audited matters for the year following the audit. This prevents the auditor from being influenced by the prospect of securing lucrative future consulting contracts based on the outcome of the current audit.
This rule ensures that the auditor is reviewing a system it did not build and is not incentivised to build in the future, thereby preserving professional scepticism.
2. The 10-Year Audit Rotation Rule
The second pillar, found in Article 20(4)(a)(ii), addresses the risk of familiarity threats. Long-term relationships between auditors and auditees can erode objectivity, leading to a loss of critical distance. To mitigate this, CADA mandates a significant cooling-off period.
The regulation prohibits an auditing organisation from having "provided auditing services pursuant to this Article to the cloud computing service provider concerned or any legal person connected to that provider in the 10-year period before the beginning of the audit."
This is a strict ten-year rotation requirement. It means that once an auditing organisation has performed a CADA sovereignty audit for a specific provider (or its connected entities), that same organisation cannot be engaged to perform another CADA audit for that provider for a full decade. This rule is significantly more stringent than typical financial audit rotation requirements in other sectors, reflecting the high-stakes nature of cloud sovereignty and the need for fresh, independent perspectives on critical infrastructure.
3. The Prohibition on Contingent Fees
The third pillar, outlined in Article 20(4)(a)(iii), addresses financial incentives that could compromise the audit opinion. The regulation explicitly states that the auditing organisation must not be "performing the audit in return for fees that are contingent on the result of the audit."
This prohibition ensures that the auditor's remuneration is decoupled from the outcome of the assessment. An auditor cannot be paid a bonus for issuing a "positive" audit opinion, nor can their fee be reduced if they issue a "negative" opinion. Fees must be based on the time, effort, and complexity of the audit work, not on whether the cloud provider achieves the desired Union assurance level. This financial neutrality is essential to guarantee that the audit opinion reflects the true compliance status of the service, rather than the financial interests of the auditor.
Broader Independence and Competence Requirements
While Article 20(4)(a) sets the specific conflict-of-interest boundaries, the broader context of Article 20(4) reinforces the necessity of objectivity. The regulation requires that auditing organisations have "proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards."
Furthermore, Article 20(4) implicitly establishes a duty of self-regulation. If an auditing organisation's independence or technical competence is "not beyond doubt," the regulation states that the organisation "should abstain or resign from the audit engagement." This places the onus on the auditor to proactively identify and withdraw from situations where independence might be perceived as compromised, even if a specific prohibition in Article 20(4)(a) is not technically triggered.
Additionally, Article 20(3) mandates that auditing organisations ensure an adequate level of confidentiality and professional secrecy regarding information obtained during the audit. While primarily a data protection measure, breaches of confidentiality can also undermine the trust required for an independent audit relationship.
Scope of "Connected Legal Persons"
A critical aspect of these independence rules is their scope. Article 20(4)(a) applies not only to the cloud computing service provider itself but also to "any legal person connected to that provider." This broad definition prevents providers from circumventing independence rules by outsourcing audit-sensitive activities to affiliates, subsidiaries, or parent companies.
If an auditing organisation has provided non-audit services to a subsidiary of the cloud provider in the last 12 months, or has audited a connected entity in the last 10 years, it is deemed to have a conflict of interest with the provider itself. This ensures that the independence check covers the entire corporate group, closing potential loopholes where a provider might use a related entity to "warm up" a relationship with an auditor before the formal audit engagement.
Consequences of Non-Independence
Failure to adhere to these independence requirements has severe consequences for the validity of the audit and the recognition of the cloud service.
- Invalid Audit Opinion: If an auditing organisation fails to meet the independence criteria, the audit report and the resulting "positive" or "negative" opinion are invalid for the purposes of CADA recognition. Without a valid opinion, a cloud provider cannot be recognised at Union assurance levels 2, 3, or 4.
- Revocation of Recognition: Article 20(7) empowers the auditing organisation to revoke its audit report and opinion if the audited provider supplied incorrect or misleading audit evidence. While this clause specifically addresses provider misconduct, the broader implication is that if the independence of the auditor is later found to be compromised, the entire audit process is tainted.
- Enforcement and Penalties: National competent authorities, designated under Article 25, have the power to enforce these rules. Under Article 26, authorities can impose fines or request judicial authorities to do so for failure to comply with the Regulation, including breaches of audit obligations. Article 24 further provides that recipients of cloud services may seek compensation for damages caused by a provider's infringement, which could include reliance on an invalid audit conducted by a non-independent firm.
What this means for you
For legal counsel, compliance officers, and procurement teams at cloud computing service providers, verifying auditor independence is not a formality; it is a critical gatekeeper for market access. Public sector bodies and Union entities are required to procure only services recognised at specific assurance levels. If your auditor fails the independence test, your service cannot be recognised, and you lose access to the public sector market.
Actionable Steps for Compliance:
- Conduct a Comprehensive Conflict Check: Before engaging an auditing organisation, perform a rigorous due diligence check. You must verify that the organisation has not provided any non-audit services related to the matters to be audited (e.g., security architecture design, SBOM implementation, or technical support) to your company or any connected legal person in the 12 months prior to the audit start date.
- Secure a 12-Month Post-Audit Commitment: Ensure your engagement letter explicitly includes a contractual commitment from the auditor that they will not provide non-audit services related to the audited matters for 12 months after the audit completion. This is a regulatory requirement, not just a best practice.
- Verify the 10-Year History: Check the audit history of your potential auditor. Confirm that they have not performed a CADA Article 20 audit for your organisation or any connected entity in the 10 years preceding the current engagement. If they have, you must select a different firm.
- Audit Fee Structure Review: Scrutinise your fee agreements. Ensure that the fees are fixed, hourly, or based on deliverables, and explicitly exclude any contingency clauses. The fee must not depend on the audit result (e.g., no "success fees" for a positive opinion).
- Map Connected Legal Persons: Do not limit your check to your immediate corporate entity. Map out all "connected legal persons" (subsidiaries, parent companies, affiliates) and ensure the auditor has no conflicts with any of them.
- Document Everything: Maintain detailed records of all services provided by the auditor and its affiliates to your organisation over the past 12 months and your audit history over the past 10 years. National competent authorities will review this evidence under Article 17 during the recognition process.
Common misconceptions
- "Independence only means no shareholding." Many assume that as long as the auditor does not own shares in the cloud provider, they are independent. CADA goes much further. Even without financial ownership, a recent consulting relationship (non-audit services) or a long-term audit history (10-year rule) disqualifies an auditor. Professional relationships are treated with the same severity as financial ones.
- "We can rotate auditors every year to stay compliant." While rotation is good practice, CADA imposes a specific minimum cooling-off period. You cannot simply rotate auditors annually to avoid the 10-year rule; rather, you must ensure that any given auditor you hire has not audited you in the last decade. If you hire Firm A, you cannot hire Firm A again for 10 years.
- "Non-audit services are fine if they are unrelated to the audit scope." The regulation specifically prohibits non-audit services "related to the matters audited." If the audit covers your software supply chain, and the auditor previously helped you select your software vendors, they are disqualified. The prohibition is tied to the subject matter of the audit, not just the general relationship.
- "Contingent fees are allowed if the audit is successful." Absolutely not. Article 20(4)(a)(iii) is an absolute ban. Any arrangement where the auditor's payment is linked to the outcome (e.g., a bonus for a "positive" opinion) is strictly prohibited and renders the auditor non-independent.
- "The 10-year rule applies to all audits, not just CADA." The 10-year cooling-off period in Article 20(4)(a)(ii) specifically applies to "auditing services pursuant to this Article." It is a CADA-specific requirement for sovereignty audits. However, given the strictness of the rule, providers should treat it as a hard constraint for any CADA-related engagement.
This is general information about a draft EU regulation, not legal advice.