Summary

Under the proposed Cloud and AI Development Act (CADA), an audit report for Union assurance levels 2, 3, and 4 must include "a description of the specific aspects audited, and the methodology applied." This requirement, found in Article 20(5)(d), ensures the audit is substantiated and transparent. The report must also summarise the main findings and list the third parties consulted. As a proposal, these rules would apply once the regulation enters into force, requiring auditing organisations to provide a clear, verifiable account of how they assessed compliance against the strict sovereignty criteria in Annex II.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Level 1 relies on a conformity self-assessment, Union assurance levels 2, 3, and 4 require independent third-party audits to obtain formal recognition. The integrity of this framework depends entirely on the quality, transparency, and rigour of the resulting audit report.

Article 20 of the proposal sets out the requirements for these independent audits. Crucially, Article 20(5) mandates the minimum content of the audit report. It states that the report must be "substantiated, in writing," and must include specific elements to ensure the audit is not a mere formality.

The Mandatory Methodology Description

The core of the question is Article 20(5)(d), which requires the audit report to include:

"a description of the specific aspects audited, and the methodology applied"

This provision serves as the backbone of audit transparency. It prevents "black box" assessments where a provider receives a positive opinion without the competent authority or the public understanding how that conclusion was reached. The description must cover:

  1. Specific Aspects Audited: The report must delineate exactly which parts of the cloud computing service were examined. Given the complexity of cloud stacks, this includes verifying compliance with the cumulative criteria in Annex II. For example, for Level 2 and above, the audit must cover the location of infrastructure, data localisation, personnel citizenship, and the absence of third-country control. The report must specify which of these criteria were tested and how.
  2. Methodology Applied: The report must explain the approach taken to gather and evaluate evidence. This includes the techniques used to verify data flows, the sampling methods for checking personnel records, or the procedures for analysing corporate governance structures to rule out third-country control. The methodology must align with the audit evidence standards set out in Annex III, which details the specific proofs required (e.g., lease contracts for infrastructure, employment contracts for personnel, and cap tables for ownership).

Supporting Mandatory Content

Article 20(5) does not stop at methodology. To provide a "meaningful account of the activities undertaken," the report must also include:

  • Article 20(5)(e): "a description and a summary of the main findings drawn from the audit." This ensures the conclusions are directly linked to the evidence gathered.
  • Article 20(5)(f): "a list of the third parties consulted as part of the audit." This creates an audit trail, showing that the auditing organisation sought external validation or clarification where necessary (e.g., from subcontractors or legal experts).

The Role of Delegated Acts and Industry Standards

While Article 20(5)(d) sets the baseline, the specific technical details of the methodology are not fully static in the proposal. Article 20(9) empowers the Commission to adopt delegated acts to "supplement this Regulation by laying down rules on the performance of audits on the procedural steps, rules for auditing organisations and their technical competences, auditing methodologies and templates for the audit reports."

Until these delegated acts are adopted, Recital 55 clarifies that audits must be performed in accordance with "best industry practices and high professional ethics and objectivity, with due regard for auditing standards and codes of practice." However, the methodology must always be sufficient to gather the "audit evidence" listed in Annex III. For instance, if the methodology fails to verify the location of data storage through network diagrams (as required by Annex III, Criterion C), the report would be non-compliant with the spirit of Article 20(5)(d).

Handling Limitations

Transparency also extends to what cannot be audited. Article 20(6) states:

"Where the auditing organisation was unable to audit certain aspects or to express an audit opinion based on its investigations, the audit report shall include an explanation of the circumstances and the reasons why those aspects could not be audited."

This ensures that a "positive" opinion is not issued if critical aspects of the sovereignty framework were inaccessible to the auditor.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the methodology description in the audit report is a critical due diligence tool.

  • Scrutinise the "How": Do not accept a report that simply states "compliance verified." Under Article 20(5)(d), you must see how it was verified. Did the auditor physically inspect the data centre? Did they review the actual shareholder agreements to rule out third-country control? Did they trace data flows to confirm localisation? A vague methodology suggests the audit may not have met the rigorous standards of Annex II.
  • Check the Scope: Ensure the "specific aspects audited" cover all criteria relevant to the claimed assurance level. For example, if a provider claims Level 3, the methodology must explicitly address the requirement for Union citizenship of personnel and the specific safeguards against third-country control. If the report omits these, the recognition is invalid.
  • Watch for Delegated Acts: As the proposal is not yet law, the specific templates and detailed methodologies will be refined by the Commission via delegated acts. Compliance teams should monitor these developments. A methodology that is acceptable today might need updating once the Commission issues the final rules under Article 20(9).
  • Risk of Revocation: If the methodology was flawed or the findings inaccurate, the report is at risk: the auditing organisation can revoke it under Article 20(7) where the provider supplied incorrect evidence, and the national competent authority can revoke the recognition under Article 17(11). This could force a sudden migration of your cloud services, so ensure your contracts with providers include clauses addressing audit revocation and service continuity.

Common misconceptions

"The audit report is just a certificate." No. Under Article 20(5), the report is a substantiated, written document that must describe the methodology, findings, and third parties consulted. It is the primary evidence for the recognition decision, not just a final stamp.

"Any standard audit methodology works." Not necessarily. While current audits rely on "best industry practices" until delegated acts are adopted, the methodology must specifically address the sovereignty criteria in Annex II and the evidence in Annex III. A standard financial or IT security audit that ignores data localisation or third-country control would fail to meet CADA's specific requirements.

"If the report is positive, the service is fully compliant." A positive opinion is conditional. Article 20(6) requires the report to explain any aspects that could not be audited. If critical sovereignty aspects were excluded from the audit scope without justification, the "positive" opinion may be misleading. Additionally, the recognition can be revoked if the provider later supplies incorrect information (Article 17(11)).

This is general information about a draft EU regulation, not legal advice.