Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers must maintain a rigorous, verifiable record-keeping regime to secure and maintain Union assurance level recognition. Crucially, these records serve as the primary defense against enforcement actions. Providers must log all material changes to trigger Article 23 transparency obligations, preserve evidence of remedial actions to claim mitigation under Article 24(2)(b), and organize data to respond swiftly to Article 26(1)(a) information requests. Failure to maintain these records as proposed could result in "effective, proportionate and dissuasive" penalties without the benefit of leniency.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework where compliance is not merely a technical state but a documented process. For cloud computing service providers, the ability to prove compliance is as critical as the compliance itself. The regulation creates a triad of record-keeping obligations: maintaining evidence for recognition, fulfilling ongoing transparency duties, and preparing for potential investigations. These obligations are anchored in Article 23 (transparency), Article 24 (penalties), and Article 26 (investigative powers).

1. The Foundation: Records for Recognition and Maintenance

Before a provider can face enforcement, it must first secure its status. Article 17 mandates that providers submit specific evidence to the national competent authority of establishment to be recognised as offering a Union assurance level.

  • For Union Assurance Level 1: Providers must conduct a conformity self-assessment and issue an EU statement of conformity under Article 19. The provider must retain the internal documentation, control procedures, and continuous monitoring records that substantiate this statement.
  • For Union Assurance Levels 2, 3, and 4: Providers must undergo independent third-party audits under Article 20. Article 17(4) explicitly requires the submission of the audit report, the "positive" audit opinion, and "all the evidence provided to the auditing organisation during the audit procedure."

These records are not static. They form the basis of the provider's entry in the central repository maintained by the Commission under Article 22. If a provider cannot produce the original evidence that led to a "positive" opinion, their recognition could be revoked, triggering immediate enforcement risks.

2. Transparency Reporting: The Article 23 Obligation

Article 23 imposes a continuous duty of transparency. Providers must notify their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of "any information or any material change in circumstances that may affect the audit report and the 'positive' opinion... or the recognition."

To comply with Article 23, providers must maintain:

  • Change Logs: Detailed records of any changes in ownership, infrastructure location, personnel status, or software supply chain that could impact the criteria in Annex II.
  • Notification Trail: Proof of the timing and content of notifications sent to auditors and authorities. This is critical to demonstrate that the provider did not conceal a material change.
  • Assessment Records: Documentation of the subsequent assessments performed by the auditing organisation or authority, including any decisions to amend or revoke recognition.

Failure to log these changes or to notify promptly can be construed as a lack of cooperation, potentially aggravating penalties under Article 24.

3. Mitigating Penalties: The Article 24 Defense

Article 24 establishes that Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." However, the regulation provides a specific mechanism for leniency. Article 24(2) lists non-exhaustive criteria for imposing penalties, including:

"(b) any action taken by the infringing party to mitigate or remedy the damage caused by the infringement;"

This is the most critical record-keeping requirement for risk management. If a provider infringes the regulation, the penalty could be severe. However, if the provider can demonstrate, through contemporaneous records, that it acted swiftly to mitigate damage, the penalty may be reduced.

Providers must therefore keep:

  • Incident Response Logs: Timestamped records of when a breach was detected and when remedial actions were initiated.
  • Remediation Evidence: Technical logs showing system fixes, configuration changes, or data isolation measures taken to stop the infringement.
  • Communication Records: Documentation of notifications sent to affected public sector bodies or authorities regarding the breach and the steps taken to resolve it.
  • Financial Impact Analysis: Records linking the infringement to financial benefits gained or losses avoided, as Article 24(2)(d) is also a penalty criterion. Accurate logging here allows the provider to prove the actual scale of the infringement, preventing authorities from overestimating the "financial benefits gained."

Without these records, a provider cannot substantiate a claim for mitigation under Article 24(2)(b), leaving them exposed to the full weight of the penalty.

4. Anticipating Investigations: The Article 26 Challenge

Article 26 grants national competent authorities broad investigative powers. Article 26(1)(a) specifically empowers authorities to:

"require any cloud computing service provider... to provide that information as soon as possible"

This power extends to "any other persons acting for purposes related to their trade... including auditing organisations." Authorities can demand information relating to a "suspected infringement."

To survive an Article 26 investigation, providers must anticipate these requests by:

  • Centralizing Data: Ensuring that all records related to sovereignty criteria (establishment, infrastructure location, personnel, data flows) are indexed and retrievable.
  • Preparing Templates: Having pre-drafted response templates for common information requests to minimize the "as soon as possible" response time.
  • Preserving Audit Trails: Keeping logs of all interactions with auditing organisations, including access granted to premises and data. Article 26(1)(b) allows authorities to "carry out... inspections of any premises" and "seize, take or obtain copies of information." If records are disorganized or missing, the authority may infer non-compliance.

5. The Role of Auditing Organisations

Auditing organisations are not just gatekeepers; they are potential sources of evidence. Under Article 20(7), an auditing organisation may revoke its audit report if the provider "intentionally or negligently, supplied incorrect or misleading audit evidence."

Providers must keep their own copies of all evidence submitted to auditors. If a dispute arises regarding the accuracy of the evidence, the provider's internal records are the only way to prove that the information was accurate at the time of submission, or to demonstrate that any error was not intentional or negligent, a key distinction for avoiding severe penalties.

What this means for you

For cloud service providers, CADA transforms record-keeping from an administrative task into a strategic compliance imperative.

  1. Build a "Single Source of Truth": Create a dedicated, secure, and indexed repository for all Union assurance level documentation. This must include the EU statement of conformity (Level 1), full audit reports and opinions (Levels 2–4), and the complete chain of evidence submitted to auditors.
  2. Automate Change Detection: Implement automated logging for any changes in ownership, infrastructure, or personnel. Trigger an immediate workflow to assess if a change is "material" under Article 23 and to draft the required notification.
  3. Pre-empt Article 26 Requests: Train legal and technical teams to respond to information requests within hours, not days. Maintain a "ready pack" of standard sovereignty evidence (e.g., data flow diagrams, personnel lists, infrastructure maps) that can be instantly retrieved.
  4. Document Every Remedial Step: If a compliance issue arises, document every action taken to fix it. This is your only path to mitigation under Article 24(2)(b). Do not rely on memory; create a formal incident log.
  5. Audit Your Auditors: Ensure your contracts with auditing organisations include clauses requiring them to retain records and cooperate with competent authorities under Article 26(1)(a). You may need their records to defend your own compliance.

Common misconceptions

"Once I have my recognition, I can stop logging." Incorrect. Article 23 requires ongoing transparency regarding "material changes." Furthermore, Article 26 allows authorities to investigate suspected infringements at any time. Continuous record-keeping is essential for maintaining recognition and defending against enforcement.

"Financial records are separate from compliance records." Under Article 24(2)(d), penalties are influenced by "financial benefits gained or losses avoided." Providers must be able to link operational breaches to financial impacts. Separating compliance logs from financial data can hinder the ability to prove or disprove such gains during an investigation.

"Only the provider is responsible for records." While the provider holds primary responsibility, Article 26(1)(a) explicitly extends information requests to "auditing organisations" and other persons acting for their trade. Providers must ensure their contracts with auditors and subcontractors include clauses for record retention and cooperation with competent authorities.

This is general information about a draft EU regulation, not legal advice.