Summary

Under the proposed Cloud and AI Development Act (CADA), an auditing organisation must satisfy rigorous independence, expertise, and ethical requirements to audit cloud services for Union assurance levels 2, 3, and 4. Article 20(4) of the proposal mandates that auditors be independent from the provider, possess "proven expertise, technical competence and capabilities in auditing cloud computing services," and adhere to "proven objectivity and professional ethics" based on codes of practice or standards. Crucially, auditors must be free of conflicts of interest, which the proposal enforces through a 12-month ban on non-audit services and a 10-year ban on prior audit services for the same provider.

Detail

The Cloud and AI Development Act (CADA) establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. A cornerstone of this framework is the requirement for independent third-party audits for cloud computing services seeking recognition at Union assurance levels 2, 3, and 4. Unlike Level 1, which relies on self-assessment, higher assurance levels demand external validation. Article 20 of the CADA proposal sets out the specific conditions, qualifications, and operational obligations that an auditing organisation must meet to perform these assessments.

Independence and Conflict of Interest Rules

The integrity of the sovereignty framework hinges on the absolute independence of the auditor. Article 20(4)(a) stipulates that auditing organisations must be "independent from, and do not have any conflicts of interest with, the cloud computing service provider concerned, and any legal person connected to that provider." To operationalise this, the proposal imposes strict temporal and financial restrictions designed to eliminate both actual bias and the appearance of bias:

  • Non-audit services restriction: The auditing organisation must not have provided "non-audit services related to the matters audited" to the cloud provider or any connected legal person in the 12-month period before the beginning of the audit. Furthermore, it must commit to not providing such services in the 12-month period after the completion of the audit. This "cooling-off" period prevents the auditor from auditing their own work or being influenced by prior consulting relationships.
  • Previous audit services restriction (Rotation): The organisation must not have provided auditing services pursuant to Article 20 to the same provider or any connected legal person in the 10-year period before the beginning of the audit. This decade-long rotation rule is designed to prevent "auditor fatigue" and entrenched relationships that could compromise objectivity over time.
  • Contingent fees prohibition: Audits cannot be performed "in return for fees that are contingent on the result of the audit." This ensures that the auditor's financial interest is never tied to a favourable outcome, such as a positive audit opinion or a specific assurance level.

If an auditing organisation's independence or technical competence is "not beyond doubt," Article 20(4) explicitly states that the organisation "should abstain or resign from the audit engagement." This self-regulatory obligation places the onus on the auditor to withdraw if any conflict arises.

Proven Expertise and Technical Competence

CADA recognises that auditing cloud sovereignty involves complex technical, legal, and operational assessments that go beyond general IT compliance. Therefore, Article 20(4)(b) requires auditing organisations to have "proven expertise, technical competence and capabilities in auditing cloud computing services."

This requirement is specific to the domain. Auditors must demonstrate a deep understanding of:

  • Cloud architecture and data flow mechanisms: The ability to trace data across distributed environments, including edge, core, and backup locations.
  • The specific criteria for Union assurance levels: Detailed knowledge of the cumulative criteria set out in Annex II of the CADA proposal, covering establishment, infrastructure location, personnel citizenship, and third-country control.
  • Audit evidence requirements: The capability to assess evidence related to data localisation, personnel screening, and software supply chains as detailed in Annex III.

The proposal does not prescribe a specific certification (such as a specific ISO standard) but relies on the auditor's ability to demonstrate this competence to the national competent authority. This ensures that only organisations with the requisite technical depth can issue audit opinions that carry legal weight across the Union.

Objectivity and Professional Ethics

Beyond technical skills, Article 20(4)(c) mandates that auditing organisations possess "proven objectivity and professional ethics." This is based on adherence to:

  • Codes of practice: Established industry codes governing audit conduct.
  • Appropriate standards: Relevant professional standards applicable to the auditing of cloud services.

Auditors must perform their duties with the highest degree of professional integrity. They are required to guarantee the "confidentiality, security and integrity of the information, such as trade secrets, that they obtain when performing their tasks." However, Article 20(3) clarifies a critical boundary: this guarantee of confidentiality "shall not be a means to circumvent the applicability of audit obligations in this Regulation." An auditor cannot refuse to access necessary data, premises, or source code by citing confidentiality if such access is required to verify compliance with sovereignty criteria.

Cooperation, Access, and Audit Quality

While independence and expertise are pre-conditions, the operational execution of the audit is equally regulated. Article 20(2) requires audited providers to cooperate fully, giving auditors access to all relevant data and premises. Conversely, the auditing organisation must be capable of utilising this access effectively.

Audits must be performed "in accordance with best industry practices and high professional ethics and objectivity, with due regard for auditing standards and codes of practice." The resulting audit report must be "substantiated, in writing," and include a "positive" or "negative" audit opinion. If the opinion is negative, the report must include "operational recommendations on specific measures to achieve compliance and the recommended timeframe."

Consequences of Non-Compliance

If an auditing organisation fails to meet these requirements, the consequences are severe. Article 20(7) states that an auditing organisation may revoke its audit report and opinion if the provider supplied incorrect or misleading evidence. More critically, if the auditor itself is found to have lacked independence or competence, the national competent authority may reject the recognition application under Article 17.

Furthermore, Article 24 empowers Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. While penalties primarily target providers, selecting a non-compliant auditor could lead to a failed audit, resulting in the inability to obtain public contracts or in penalties for non-compliance with the procurement rules under Article 30.

What this means for you

For cloud service providers aiming to offer services to EU public sector bodies, selecting the right auditing organisation is a critical strategic decision. You cannot simply choose any IT auditor; you must verify that your chosen partner meets the specific CADA criteria.

1. Vet Your Auditor's Independence Rigorously

Before engaging an auditor, conduct a thorough conflict-of-interest check. Ensure they have not provided consulting, development, or other non-audit services to your company (or its subsidiaries/parents) in the last 12 months. Additionally, confirm they have not audited your service under CADA or similar frameworks in the last 10 years. Document these checks to demonstrate due diligence to national competent authorities.

2. Verify Technical Competence in Cloud Sovereignty

Ask for evidence of your auditor's "proven expertise" specifically in cloud computing audits. This might include:

  • Case studies of previous cloud sovereignty or data localisation audits.
  • Certifications held by their staff related to cloud security architecture and data flow analysis.
  • Demonstrated familiarity with the specific Union assurance level criteria (Annex II) and audit evidence requirements (Annex III).

3. Ensure Ethical Compliance and Code Adherence

Confirm that your auditor adheres to recognised codes of practice and professional standards. Request their policy on objectivity and confidentiality. Ensure they have robust procedures to handle trade secrets while still fulfilling their audit obligations, specifically regarding the prohibition on using confidentiality to block access to necessary evidence.

4. Prepare for Rigorous Scrutiny and Access

The audit process will be intensive. Auditors will have the right to access your premises, data, and personnel. Ensure your internal documentation, particularly regarding data flows, subcontractor relationships, and software supply chains, is organised and accessible. Failure to provide necessary cooperation can undermine the audit and delay your recognition.

5. Plan for Annual Reviews

Article 20(8) requires annual reviews of the audit report and opinion. Your auditor must be capable of performing these recurring assessments efficiently. Build a long-term relationship with an auditor who understands your infrastructure and can streamline the annual review process without compromising the independence rules (e.g., ensuring they do not take on non-audit roles during the cooling-off periods).

Common misconceptions

Misconception 1: Any IT security auditor can perform a CADA audit.

Reality: CADA requires specific expertise in cloud computing auditing, not just general IT security. Article 20(4)(b) explicitly demands "proven expertise, technical competence and capabilities in auditing cloud computing services." General IT auditors may lack the specialised knowledge of cloud architecture, data sovereignty, and the specific Union assurance criteria required by the proposal.

Misconception 2: Independence only means not owning shares in the provider.

Reality: Independence under CADA is broader and stricter. Article 20(4)(a) prohibits any connection that could compromise objectivity, including recent non-audit services (12-month ban) and previous audit services (10-year ban). It also bans contingent fees. This creates a "clean break" from previous commercial relationships to ensure unbiased assessment.

Misconception 3: Confidentiality protects you from having to show your source code or data.

Reality: While auditors must guarantee confidentiality (Article 20(3)), this guarantee "shall not be a means to circumvent the applicability of audit obligations." If verifying compliance with sovereignty criteria requires access to specific data, premises, or even source code (as implied by the Annex III audit evidence requirements), the auditor must have access, and you must provide it, under appropriate confidentiality safeguards.

Misconception 4: Once audited, you are set for years.

Reality: Article 20(8) mandates an annual review of the audit report and opinion. The auditing organisation must assess continued compliance every year. This means you must maintain your standards and be prepared for recurring scrutiny, not just a one-time certification.

This is general information about a draft EU regulation, not legal advice.