Summary

Under the proposed Cloud and AI Development Act (CADA), an independent audit report for Union assurance levels 2, 3, or 4 must be a "substantiated, in writing" document that serves as the primary evidence for recognition. As mandated by Article 20(5), the report must explicitly include: (a) the provider's identity and audit period; (b) the auditor's details; (c) a declaration of interests; (d) the methodology and scope; (e) a summary of main findings; (f) a list of third parties consulted; (g) a definitive "positive" or "negative" audit opinion; (h) operational recommendations for remediation if the opinion is negative; and (i) the specific Union assurance level to be recognised if the opinion is positive. This report is the critical bridge between technical compliance and legal recognition by national competent authorities.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework for cloud computing services. While Union assurance level 1 relies on a self-assessment and an EU statement of conformity, Union assurance levels 2, 3, and 4 require independent third-party audits. The audit report is the central evidentiary document that allows a national competent authority to recognise a cloud service as compliant with the strict sovereignty criteria set out in Annex II.

Article 20 of the CADA proposal sets out the mandatory contents of this report. The regulation stipulates that auditing organisations must prepare a report for each audit that is "substantiated, in writing." This report serves not only as a compliance certificate but also as a tool for transparency, continuous improvement, and regulatory oversight. It ensures that the "positive" or "negative" opinion is not a mere assertion but is grounded in a documented, auditable process.

Mandatory Elements of the Audit Report (Article 20(5))

According to Article 20(5), the audit report must include, at a minimum, the following nine specific elements. These requirements ensure that the report is comprehensive, transparent, and actionable for both the provider and the competent authority.

  1. Provider Identification (Article 20(5)(a)) The report must clearly state the "name, address and point of contact of the provider subject to the audit, and the period covered." This ensures traceability and clarifies the temporal scope of the compliance assessment. It prevents ambiguity regarding which legal entity and which specific timeframe of operations are being certified.

  2. Auditor Identification (Article 20(5)(b)) The "name and address of the auditing organisation or organisations performing the audit" must be listed. This reinforces accountability, as auditing organisations are subject to strict independence and competence requirements under Article 20(4). It allows competent authorities to verify the auditor's qualifications and jurisdiction.

  3. Declaration of Interests (Article 20(5)(c)) A formal "declaration of interests" is required. This is critical given the strict conflict-of-interest rules in Article 20(4)(a), which prohibit auditors from having provided non-audit services to the provider in the 12 months prior to or after the audit, or auditing services in the preceding 10 years. The declaration confirms that the auditor has no financial or operational ties that could compromise their objectivity.

  4. Methodology and Scope (Article 20(5)(d)) The report must include "a description of the specific aspects audited, and the methodology applied." This provides transparency into how the auditor assessed compliance against the criteria set out in Annex II. It allows competent authorities and providers to understand the depth and breadth of the investigation, ensuring that the audit was not superficial.

  5. Summary of Findings (Article 20(5)(e)) A "description and a summary of the main findings drawn from the audit" must be included. This section bridges the gap between raw audit evidence and the final opinion. It highlights key areas of compliance or non-compliance, providing a narrative context for the technical data.

  6. Third Parties Consulted (Article 20(5)(f)) The report must contain "a list of the third parties consulted as part of the audit." This may include subcontractors, other service providers, or entities involved in the supply chain. Given the holistic nature of the sovereignty assessment, which covers infrastructure, personnel, and software supply chains, this ensures that the audit considered all relevant actors.

  7. Audit Opinion (Article 20(5)(g)) Crucially, the report must contain a "positive" or "negative" audit opinion.

    • A "positive" opinion is issued "where all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation."
    • A "negative" opinion is issued "where the auditing organisation considers that the provider does not comply with the criteria set out in this Regulation."
    • Partial Conclusions: If the auditor "was unable to audit certain aspects or to express an audit opinion based on its investigations," the report must include "an explanation of the circumstances and the reasons why those aspects could not be audited." This prevents the report from being misleadingly silent on critical gaps.

  8. Operational Recommendations for Non-Compliance (Article 20(5)(h)) If the audit opinion is "negative," the report "shall include operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance." This transforms the audit from a purely punitive exercise into a remedial process, guiding the provider toward future conformity. It ensures that a negative opinion is not a dead end but a roadmap for improvement.

  9. Assurance Level Recognition (Article 20(5)(i)) If the audit opinion is "positive," the report must specify "the Union assurance level that needs to be recognised under Article 17, issued to the audited service of the audited provider pursuant to the applicable criteria set out in Annex II." This directly links the technical audit outcome to the legal recognition status of the service (Level 2, 3, or 4).

The Role of the Audit Report in Recognition

The audit report is not merely an internal document; it is a pivotal input for the recognition procedure under Article 17. For Union assurance levels 2, 3, and 4, a cloud computing service provider must submit the audit report, the "positive" audit opinion, and all evidence provided to the auditing organisation to the national competent authority of establishment (Article 17(4)).

The national competent authority then assesses this evidence to prepare a draft recognition decision. The report's clarity and completeness are therefore essential; insufficient evidence or an unclear methodology can lead to requests for further information or even rejection of the recognition application (Article 17(5)(b) and (c)). The report effectively acts as the "passport" for the service to be recognised across the Union.

Quality and Reliability of Evidence

While Article 20 defines the report's structure, the quality of the content depends on the audit evidence gathered, as outlined in Article 21 and Annex III of the CADA proposal. The auditing organisation must assess compliance based on evidence that is "relevant and sufficient" and "reliable." The report must reflect this rigorous evidence-gathering process, ensuring that the opinion is not speculative but grounded in documented facts, such as software bills of materials, data flow diagrams, and ownership structures.

Furthermore, Article 20(8) requires that the audited provider "annually submit for review the audit report and the associated 'positive' audit opinion" to ensure continued compliance. This means the report is not a one-time certificate but a living document subject to annual verification.

What this means for you

For cloud service providers and data centre operators aiming to achieve Union assurance levels 2, 3, or 4, understanding the contents of the audit report is crucial for preparation and strategy.

1. Prepare for Comprehensive Transparency You must be ready to disclose detailed information about your operations, subcontractors, and supply chain. The requirement to list third parties consulted and describe the methodology means that your audit will be comprehensive. Ensure your internal documentation aligns with the criteria in Annex II, as the auditor will need to reference this in the "findings" section of the report. Missing documentation could lead to a "negative" opinion or an inability to express an opinion on specific aspects.

2. Manage the Opinion Outcome Proactively A "positive" opinion is the goal, as it triggers the recognition of your assurance level. However, if you receive a "negative" opinion, the report will include a remediation plan. Use this proactively: treat the audit as a diagnostic tool. If you anticipate non-compliance, work with your auditor to understand the specific gaps early, so the operational recommendations in the report are actionable and the timeframe for remediation is realistic.

3. Ensure Auditor Independence The declaration of interests is a mandatory part of the report. Verify that your chosen auditing organisation meets the strict independence criteria in Article 20(4), including the 10-year rotation rule and the prohibition on contingent fees. Failure to adhere to these rules could invalidate the audit and the resulting report, rendering it useless for recognition purposes.

4. Plan for Recognition Submission Once you have a positive audit report, you must submit it to your national competent authority. Ensure the report clearly states the assurance level (2, 3, or 4) as required by Article 20(5)(i). Any ambiguity here could delay your recognition across the EU. Remember that the report must be submitted alongside the "positive" audit opinion and all evidence provided to the auditor.

5. Prepare for Annual Reviews Do not treat the audit as a one-off event. Article 20(8) mandates an annual review. Ensure your processes are sustainable and that you can demonstrate continued compliance year after year. The audit report is the baseline for this ongoing compliance.

Common misconceptions

Misconception 1: The audit report is just a pass/fail certificate. In reality, the report is a detailed, substantiated document that includes methodology, findings, and third-party consultations. Even a positive report provides valuable insights into your compliance posture, while a negative report serves as a roadmap for improvement with specific operational recommendations.

Misconception 2: Only the final opinion matters. While the "positive" or "negative" opinion is the headline, the supporting details are critical for the national competent authority's review. The declaration of interests, the list of third parties, and the methodology description are all legally required elements that ensure the integrity and reliability of the opinion. Without these, the report is incomplete and cannot be used for recognition.

Misconception 3: Self-assessment is enough for high assurance levels. Self-assessment is only permitted for Union assurance level 1. For levels 2, 3, and 4, an independent third-party audit is mandatory, and the resulting report must follow the strict structure outlined in Article 20. There is no shortcut to independent verification for higher assurance levels.

Misconception 4: A "negative" opinion is the end of the road. A negative opinion is not a permanent ban. Article 20(5)(h) requires the report to include operational recommendations and a timeframe for achieving compliance. Providers can use this to remediate issues and undergo a new audit to achieve a positive opinion.

This is general information about a draft EU regulation, not legal advice.