Summary
Under the proposed Cloud and AI Development Act (CADA), the central repository of cloud computing services must publish and retain records of any revocation of an audit report and audit opinion for a period of five years. This retention obligation, set out in Article 22(3), is distinct from the revocation of a service's formal recognition by a national competent authority, although both outcomes are recorded in the same central repository. Compliance officers must ensure that any material changes triggering such revocations are reported immediately to auditing organisations and competent authorities to avoid these long-term public records and potential penalties.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous transparency framework for cloud computing services seeking recognition under the Union assurance levels. A cornerstone of this framework is the central repository, which serves as the single source of truth for public sector bodies, auditing organisations, and competent authorities regarding the sovereignty status of cloud providers.
The Central Repository's Mandate
Under Article 22(1) of the CADA proposal, the Commission is mandated to establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. This repository is not merely a static list; it is a dynamic tool designed to facilitate the secure and efficient storage, access, and exchange of relevant information between public sector customers, auditing organisations, competent authorities, and the Commission.
The repository is publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website, as stipulated in Article 22(4). This transparency is crucial for contracting authorities who must procure services aligned with specific Union assurance levels (1 through 4) based on risk assessments conducted under Article 29.
Recording Audit Opinion Revocations
The specific mechanics of how negative outcomes are handled in the repository are detailed in Article 22(3). The provision states:
"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This clause introduces two distinct types of negative events that are recorded:
- Revocation by an Auditing Organisation: This occurs when an independent third-party auditor, having conducted an audit under Article 20 for Union assurance levels 2, 3 or 4, withdraws the audit report and audit opinion on which the provider's claimed assurance level rests. Under Article 20(7), an auditing organisation may revoke its audit report and audit opinion if the audited provider intentionally or negligently supplied incorrect or misleading audit evidence.
- Revocation by a Competent Authority: This occurs when the national competent authority of establishment withdraws the formal recognition of a cloud computing service. Under Article 17(11), a competent authority may revoke its recognition if it finds that the provider intentionally or negligently supplied incorrect or misleading information during the recognition process.
The Five-Year Retention Period
The requirement that these records remain available for five years is a key compliance parameter. The duration is not arbitrary: it ensures that historical data regarding a provider's compliance failures remains accessible to future contracting authorities and regulators. This long-term visibility prevents providers from simply rebranding or reapplying after a short cooling-off period without their past non-compliance being visible to the market.
Article 22(3) says only that the revocation "shall remain available there for five years"; on its natural reading, the five-year period runs from publication in the repository rather than from the date of the underlying incident or the date the revocation was issued. The proposal does not fix a deadline for publication, but the transparency obligations in Article 23 point towards publication as soon as possible after the revocation.
Distinction Between Audit Revocation and Recognition Revocation
While Article 22(3) groups both revocations in a single sentence, they stem from different parts of the CADA governance structure.
- Audit Revocation is a technical finding by a private-sector auditing organisation. It signifies that the service no longer meets the technical and operational criteria for a specific assurance level (e.g., data localisation, personnel citizenship, or software supply chain controls as detailed in Annex II).
- Recognition Revocation is an administrative decision by a public authority. It signifies that the provider's legal status to offer a specific assurance level to public sector bodies has been withdrawn.
Often, an audit revocation will trigger a recognition revocation. If an auditing organisation revokes a positive audit opinion, the provider can no longer claim compliance with the higher assurance levels (2, 3, or 4). Consequently, the competent authority must assess whether its recognition needs to be amended or revoked under Article 23(3). The repository captures both the root cause (audit revocation) and the legal consequence (recognition revocation), providing a complete audit trail.
Triggering Events for Revocation
To understand what leads to these records being created, compliance officers must look at Article 23 (Transparency obligations). Providers are required to notify the auditing organisation and the national competent authority of establishment as soon as they become aware of any information or material change in circumstances that may affect the audit report or recognition.
If a provider fails to report such changes, so that the evidence on which the audit opinion rests becomes incorrect or misleading (e.g., a breach of data localisation requirements or the discovery of undisclosed third-country control), the auditing organisation may revoke the audit report and audit opinion under Article 20(7). Similarly, if the competent authority discovers that misleading information was provided during the initial application, it may revoke recognition under Article 17(11). Both outcomes result in a five-year entry in the central repository.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the five-year retention of revocation records in the CADA repository has significant strategic and operational implications.
- Long-Term Reputational Risk: A revocation is not a temporary blip. It remains visible to all potential public sector clients for five years. This can severely impact a provider's ability to bid for contracts in the public sector, as contracting authorities are obligated under Article 30 to procure only from recognised services. A five-year stain on the repository record could effectively bar a provider from high-assurance public sector markets for half a decade.
- Strict Reporting Obligations: To avoid revocation, providers must have robust internal monitoring systems to detect "material changes" early. Under Article 23(1), notification to the auditor and competent authority must happen "as soon as possible." Delays in reporting can be construed as negligence, potentially triggering the revocation clauses in Article 20(7) and Article 17(11).
- Audit Preparedness: Providers aiming for Union assurance levels 2, 3, or 4 must ensure their audit evidence is impeccable. Under Article 21, audit evidence must be relevant, sufficient, and reliable. If an auditor finds evidence to be incorrect or misleading, they have the statutory power to revoke the opinion. Compliance teams should treat audit evidence preparation with the same rigor as financial reporting.
- Penalties and Compensation: Beyond the reputational damage of repository publication, providers face direct financial risks. Article 24 outlines penalties and compensation rules. Recipients of cloud services have the right to seek compensation for any damage or loss suffered due to an infringement of the sovereignty framework. Additionally, Member States must impose effective, proportionate and dissuasive penalties for infringements, which can include significant fines based on the provider's annual turnover.
Common misconceptions
- Misconception: "Only the competent authority's revocation is published."
- Correction: Article 22(3) explicitly states that both the revocation of an audit report/opinion by an auditing organisation and the revocation of recognition by a competent authority are published in the repository. The technical failure (audit) and the administrative failure (recognition) are both recorded.
- Misconception: "Revocation records are removed after one year."
- Correction: The mandatory retention period is five years. This is a fixed term designed to ensure long-term transparency and prevent repeat offenders from quickly re-entering the market without their history being visible.
- Misconception: "The repository is private and only accessible to regulators."
- Correction: Article 22(4) mandates that the central repository be publicly available. Any stakeholder, including competitors and civil society, can access the list of recognised services and the records of revocations.
Related
- CADA Repository: How long do revoked recognitions stay published?
- How is the CADA central repository kept up to date?
- Why list in the CADA repository? Public procurement access & market advantage
- Who registers a cloud service in the CADA central repository?
- Who maintains the CADA central repository of cloud services?
This is general information about a draft EU regulation, not legal advice.