Summary
Under the proposed Cloud and AI Development Act (CADA), achieving recognition as a Union-assured cloud provider is not a one-time event but the start of a continuous compliance lifecycle. For providers recognized at Union assurance levels 2, 3, or 4, Article 20(8) mandates an annual independent review of the audit report and opinion to verify continued compliance with Annex II criteria. Additionally, Article 23 imposes a strict duty to notify both the auditing organization and the national competent authority "as soon as possible" of any material changes in circumstances that could affect the recognition status. Failure to maintain these obligations, or the provision of incorrect or misleading information, creates a direct risk of revocation of the audit opinion and the recognition itself, potentially disqualifying the provider from public sector contracts.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic sovereignty framework where trust is contingent upon sustained adherence to rigorous criteria. Unlike static certifications, CADA recognition requires providers to actively demonstrate that their cloud services continue to meet the high standards of Union assurance levels 1 through 4. The regulatory architecture shifts the burden from a single point-in-time assessment to an ongoing regime of monitoring, verification, and transparency.
The Annual Audit Review Requirement (Article 20(8))
The most significant ongoing operational burden for providers seeking higher assurance levels lies in the requirement for continuous independent verification. While Union assurance level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19), providers targeting Union assurance levels 2, 3, and 4 must undergo independent third-party audits.
Article 20(8) explicitly establishes the annual review cycle. It states that the audited provider "shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation." This provision ensures that compliance is not merely a historical fact but a current reality.
The auditing organization's role in this annual cycle is active and decisive. Upon receiving the submission, the auditor must "assess the continued compliance of the audited service with the applicable criteria set out in Annex II." Based on this assessment, the auditing organization holds the authority to:
- Confirm the initial audit report and opinion if compliance is maintained;
- Update the report to reflect necessary changes or new evidence; or
- Revoke the initial audit report and opinion if the service no longer meets the criteria.
This annual mechanism is critical for public sector bodies, as it ensures that the cloud services they rely on for public order and critical infrastructure remain resilient and sovereign over time. A provider that fails to secure a renewed positive opinion in any given year effectively loses its recognized status for that assurance level.
The Duty to Report Material Changes (Article 23)
Beyond the scheduled annual review, CADA imposes a proactive and immediate transparency obligation. Article 23 requires that a recognized cloud computing service provider must act swiftly upon discovering any shift in their operational or legal landscape.
The text of Article 23(1) mandates that "on becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
The term "material change" is broad and encompasses any event that could undermine the basis of the original recognition. Examples include:
- Changes in the provider's corporate structure or ownership that might introduce third-country control risks.
- Shifts in the location of infrastructure, assets, or personnel that violate the data localization or establishment criteria.
- Modifications to subcontractor arrangements that affect the supply chain or operational autonomy.
- Updates to cybersecurity measures or the discovery of vulnerabilities that impact the "state-of-the-art" compliance requirement.
The process triggered by Article 23 is designed to be rapid and cascading:
- Immediate Notification: The provider must alert both the auditor and the competent authority without delay.
- Auditor Re-assessment: The auditing organization must then assess whether the existing audit report or opinion needs to be amended or revoked. If the auditor amends or revokes the report, they must notify the competent authority "as soon as possible."
- Authority Re-assessment: The national competent authority of establishment must then assess whether its recognition of the service needs to be amended or revoked. If the authority decides to amend or revoke the recognition, it must notify the competent authorities of other Member States and the Commission.
This chain of notification ensures that the central repository of recognized services (maintained by the Commission under Article 22) is kept up to date between annual audits. This prevents public sector bodies from procuring services that have technically fallen out of compliance since their last audit.
Risks of Revocation for Misleading Information
The integrity of the CADA framework relies heavily on the accuracy of information provided by cloud providers. The proposal includes specific provisions for the revocation of recognition in cases of fraud, negligence, or misinformation.
Article 20(7) grants auditing organizations the power to revoke their audit report and opinion if "the audited provider, intentionally or negligently, supplied incorrect or misleading audit evidence." This applies to both the initial audit and the annual reviews. If a provider hides a critical vulnerability or misrepresents the location of its data centers, the auditor can withdraw the positive opinion, effectively stripping the provider of its recognized status.
Similarly, Article 17(11) empowers the evaluating national competent authority to revoke its recognition decision. It states that the authority "may revoke its recognition where it finds that a cloud computing service provider... intentionally or negligently, supplied incorrect or misleading information." This applies to information submitted during the initial application as well as during subsequent reviews or material change notifications.
The consequences of revocation are severe. Once a service is removed from the central repository, it can no longer be procured by Union entities or public sector bodies for activities requiring that specific assurance level. Furthermore, Article 24 establishes that Member States must lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." Additionally, Article 24(3) grants recipients of cloud services the right to seek compensation for any damage or loss suffered due to a provider's infringement of these obligations.
The Central Repository as a Transparency Mechanism
All revocations and amendments feed into the central repository established under Article 22. This public-facing database serves as the single source of truth for public procurers. Article 22(3) explicitly states that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This five-year retention period ensures that past non-compliance remains visible, acting as a long-term deterrent against providing misleading information. It also allows public sector bodies to conduct historical due diligence, ensuring that a provider's current status is not the result of a recent, unreported incident.
What this means for you
For cloud service providers aiming to serve the European public sector under the proposed CADA, the path to recognition is only the beginning. The ongoing obligations require a fundamental shift in operational governance.
- Institutionalize Annual Audits: If you are targeting Union assurance levels 2, 3, or 4, you must budget for and schedule an independent third-party audit every single year. This is not optional. Failure to submit the audit report and opinion for annual review under Article 20(8) will result in the loss of your recognized status.
- Implement Real-Time Monitoring: You cannot wait for the annual audit to discover non-compliance. You must establish internal governance mechanisms to detect "material changes" immediately. Your compliance team must be empowered to trigger the Article 23 notification process the moment a change occurs, whether it is a new subcontractor, a shift in data residency, or a change in corporate control.
- Audit Your Own Data: Before submitting annual reviews or material change notifications, conduct internal pre-audits. Ensure that the evidence you provide to the auditor is accurate and complete. The risk of revocation for "incorrect or misleading information" under Article 20(7) and Article 17(11) is a direct threat to your market access.
- Prepare for Contingency: Develop a business continuity plan for the event of revocation. If your recognition is amended or revoked, public sector clients may be forced to migrate to a different provider. Having a clear migration strategy and communication plan can mitigate reputational damage and contractual liabilities.
- Understand the Scope of "Material": Do not underestimate what constitutes a material change. Even seemingly minor operational shifts can affect the sovereignty criteria. When in doubt, notify the auditor and the competent authority. The penalty for over-reporting is minimal; the penalty for under-reporting is the loss of recognition.
Common misconceptions
"Recognition is permanent once granted." This is incorrect. CADA explicitly designs recognition as a conditional status. Article 20(8) mandates an annual review, and Article 23 requires immediate reporting of changes. A provider that stops complying after the initial grant will lose its status.
"I only need to tell the auditor about changes." This is a dangerous misconception. Article 23 requires notification to both the auditing organization and the national competent authority of establishment. Failing to inform the competent authority directly can lead to enforcement actions and revocation, even if the auditor is informed.
"Level 1 providers have no ongoing obligations." While Level 1 providers do not face the annual independent audit requirement of Article 20(8), they are still subject to the transparency obligations of Article 23. They must report any material changes that could affect their conformity self-assessment or their EU statement of conformity.
"Revocation only happens for fraud." Revocation can occur for both intentional and negligent acts. Article 20(7) and Article 17(11) explicitly state that "intentionally or negligently" supplying incorrect or misleading information is grounds for revocation. Careless errors in reporting can have the same consequence as deliberate fraud.
This is general information about a draft EU regulation, not legal advice.