Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers recognised as offering a specific Union assurance level must maintain continuous transparency by promptly reporting any material changes that could affect their audit opinion or recognition status. As proposed in Article 23, providers must notify both their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of such changes. This obligation ensures the central repository of recognised services remains accurate and that public sector bodies can rely on the continued validity of the provider's sovereignty assurance. Furthermore, Article 20(8) mandates an annual review of the audit report and opinion to verify continued compliance with the criteria in Annex II. Failure to report or maintain compliance can lead to the amendment or revocation of recognition.
Detail
The CADA proposal establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. A core component of this framework is the recognition mechanism, which allows cloud computing service providers to be formally recognised as offering one of four Union assurance levels (1 to 4). This recognition is not a static, one-time event; it is a dynamic status contingent on ongoing compliance and rigorous transparency. The proposal creates a dual-layered verification system: immediate reporting of material changes and periodic annual audits.
The Obligation to Report Material Changes (Article 23)
Article 23 of the CADA proposal sets out specific transparency obligations for recognised cloud computing service providers. The core requirement is that a provider must notify relevant authorities "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect:
- The audit report and the 'positive' audit opinion issued under Article 20; or
- The recognition of the service under Article 17.
The proposal explicitly defines the recipients of this notification to ensure a dual-track response mechanism:
- The Auditing Organisation: The independent third party that conducted the audit for Union assurance levels 2, 3, or 4.
- The National Competent Authority of Establishment: The national authority responsible for recognising the provider and supervising compliance.
This dual-notification requirement ensures that both the technical auditor and the regulatory supervisor are simultaneously aware of potential risks to the provider's compliance status. The proposal requires that this notification occur "as soon as possible", reflecting the need for real-time accuracy in the sovereignty framework. The text of Article 23(1) states: "On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
The Reassessment Chain Reaction
Once notified, the process triggers a cascading reassessment mechanism designed to protect the integrity of the Union assurance framework.
Step 1: Auditor Assessment (Article 23(2))
Under Article 23(2), the auditing organisation must assess whether the audit report or audit opinion needs to be amended or revoked in light of the new information. If the auditor determines that the material change affects compliance, it must amend or revoke the report. Crucially, if the audit report or opinion is amended or revoked, the auditing organisation must, "as soon as possible, notify the national competent authority of establishment."
Step 2: Authority Assessment (Article 23(3))
Following the auditor's notification, under Article 23(3), the national competent authority of establishment must assess whether its recognition of the cloud computing service needs to be amended or revoked. If the authority decides to amend or revoke the recognition, it must, "as soon as possible, notify the national competent authorities of the other Member States and the Commission."
This chain of communication ensures that a loss of assurance in one jurisdiction is rapidly reflected across the Union. It prevents public sector bodies from inadvertently procuring services that no longer meet the required sovereignty standards. The transparency duties in Article 23 are the primary mechanism for keeping the central repository (established under Article 22) accurate. As Article 22(3) notes, the revocation of an audit report or recognition must be published in the central repository and remain available there for five years.
The Role of Annual Audit Reviews (Article 20)
While Article 23 handles ad-hoc material changes, Article 20 provides the periodic verification mechanism. Article 20(8) stipulates that audited providers must annually submit their audit report and the associated 'positive' audit opinion for review. This review can be conducted by the same auditing organisation or a different one.
The text of Article 20(8) states: "The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II."
Based on this annual review, the auditing organisation may confirm, update, or revoke the initial audit report and opinion. This annual cycle works in tandem with the transparency obligations of Article 23. If a material change occurs between annual reviews, Article 23 ensures it is addressed immediately. If no material changes occur, Article 20(8) ensures that compliance is systematically verified on a yearly basis, preventing "recognition drift" where a provider might slowly deviate from criteria over time without triggering an immediate change event.
What this means for you
For cloud service providers and data centre operators seeking or holding recognition under CADA, these provisions impose a continuous duty of vigilance and reporting. You cannot treat recognition as a static badge; it is a dynamic status contingent on ongoing compliance.
1. Establish Internal Monitoring Protocols
You must implement internal processes to detect "material changes" in your operations, infrastructure, or corporate structure. This includes changes in:
- Ownership and Control: Any shift in shareholding or control that might introduce third-country influence, which is strictly scrutinised under Union assurance levels 2, 3, and 4.
- Infrastructure Location: Any movement of data, assets, or personnel outside the Union that may affect compliance with the localisation criteria in Annex II.
- Subcontracting: Changes in your supply chain, particularly if new subcontractors are introduced or existing ones change their operational jurisdiction.
- Cybersecurity Incidents: Significant breaches that might affect the security certifications required for higher assurance levels.
2. Prepare for Immediate Notification
When a material change is identified, you must have a clear protocol to notify both your auditor and the national competent authority "as soon as possible." Delays in reporting could be viewed as a failure to comply with transparency obligations, potentially leading to penalties under Article 24 or revocation of recognition. Ensure your legal and compliance teams have direct lines of communication with your auditing organisation. The proposal does not define a specific timeframe (e.g., 24 hours), but the phrase "as soon as possible" implies immediate action upon discovery.
3. Plan for Annual Reviews
Budget for and prepare for the annual audit review required by Article 20(8). This is not merely an administrative formality; it is a substantive reassessment of your compliance with Annex II criteria. Maintain detailed records of your operations throughout the year to facilitate this review. If you switch auditing organisations, ensure a seamless handover of audit evidence to avoid gaps in your recognised status. The annual review is the "safety net" that catches issues that may have been missed or developed gradually.
4. Monitor the Central Repository
Regularly check the central repository maintained by the Commission. While your primary duty is to report changes, understanding how your status is displayed publicly helps you manage stakeholder expectations. If your recognition is amended or revoked, this will be publicly visible, impacting your ability to serve public sector clients. The repository serves as the single source of truth for contracting authorities.
Common misconceptions
Misconception 1: "Transparency obligations only apply if I lose my recognition." Reality: Article 23 requires reporting of any material change that may affect the audit opinion or recognition. You do not need to wait until you have actually failed compliance. If a change creates a risk to your status (e.g., a new shareholder from a non-associated third country), you must report it immediately, even if you believe you can still meet the criteria. The obligation is triggered by the possibility of an effect, not the certainty of failure.
Misconception 2: "Annual reviews replace the need for immediate reporting." Reality: Article 20(8) provides an annual check, but Article 23 operates independently for material changes. If a significant event occurs mid-year, you cannot wait for the next annual review to disclose it. The proposal explicitly separates these timelines to ensure real-time accuracy. Waiting for the annual review to report a material change would likely constitute a breach of Article 23.
Misconception 3: "Only the auditor needs to know about changes." Reality: Article 23(1) explicitly requires notification to both the auditing organisation and the national competent authority of establishment. Failing to notify the national authority, even if you have informed your auditor, would constitute a breach of transparency obligations. The regulator must be informed directly to exercise its supervisory powers.
Misconception 4: "Minor operational tweaks don't need to be reported." Reality: The threshold is "material change." While trivial administrative updates may not qualify, changes to data flow paths, security protocols, or subcontractor agreements often are material in the context of sovereignty assurance. When in doubt, consult your auditor. Under-reporting can lead to revocation if the change is later discovered to have impacted compliance. The burden of determining materiality lies with the provider, and erring on the side of over-reporting is safer.
Related
- CADA ongoing obligations: Annual audits, material changes & revocation
- CADA Recognition and Transparency: How Material Changes Affect Your Status
- CADA Audit Review Frequency: Annual Obligations for Levels 2-4
- CADA Annual Audit Review: How It Protects Buyers Over Time
- Does CADA recognition expire? Annual audit rules explained
This is general information about a draft EU regulation, not legal advice.