Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers holding a Union assurance level recognition must notify their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect their audit report, positive audit opinion, or recognition status. This obligation, explicitly set out in Article 23(1) of the proposal, applies dynamically to all recognised providers (Levels 1–4) to ensure the continuous accuracy and reliability of the EU's cloud sovereignty framework. Failure to report promptly could lead to the amendment or revocation of recognition.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous Union cloud computing sovereignty framework designed to mitigate strategic dependencies on third-country providers and safeguard the Union's public order. A cornerstone of this framework is the recognition of cloud computing services at four distinct "Union assurance levels" (1 to 4). Each level corresponds to a specific set of cumulative criteria regarding establishment, infrastructure location, personnel citizenship, cybersecurity certification, and third-country control, as detailed in Annex II of the proposal.

However, the Commission recognises that cloud environments are inherently dynamic. Infrastructure configurations, personnel rosters, subcontractor networks, and legal jurisdictions can shift rapidly. A static assessment at the time of initial recognition or annual audit is insufficient to guarantee long-term sovereignty and security. Consequently, Article 23 of the proposal introduces a critical, ongoing transparency obligation. It mandates that providers proactively report any changes that could undermine their compliance status, ensuring that the central repository of recognised services remains accurate and trustworthy.

The Core Obligation: Article 23(1)

The primary trigger for notification is defined precisely in Article 23(1) of the CADA proposal. The text states:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

This provision imposes two non-negotiable duties on the provider:

  1. Timeliness ("As soon as possible"): The regulation does not specify a fixed timeframe (e.g., 24 or 72 hours). Instead, it imposes a duty of immediate action. The phrase "as soon as possible" implies that once a provider becomes aware of a relevant change, they must act without undue delay. Given the potential security and sovereignty implications—such as a sudden shift in third-country control or a major infrastructure breach—delays could be interpreted as a failure to comply with transparency obligations, potentially triggering enforcement actions.
  2. Scope of Notification: The provider must simultaneously notify two distinct entities:
    • The Auditing Organisation: The independent third party that conducted the initial or annual audit (mandatory for Levels 2, 3, and 4).
    • The National Competent Authority of Establishment: The regulatory body in the Member State where the provider has its main establishment, responsible for the formal recognition decision.

What Constitutes a "Material Change"?

While CADA does not provide an exhaustive, closed list of every possible material change, the context of the assurance levels in Annex II clarifies what types of circumstances are relevant. A change is "material" if it has the potential to affect the validity of the audit report and the 'positive' audit opinion issued under Article 20, or the provider's recognition under Article 17.

Examples of material changes likely to trigger this obligation include, but are not limited to:

  • Infrastructure Relocation: Moving data storage, processing assets, or backup systems outside the Union. This would directly breach the data localisation criteria for Levels 1–4 (unless explicitly permitted by the public sector body).
  • Personnel Changes: Changes in the citizenship or security clearance status of personnel involved in service provision. This is particularly critical for Levels 3 and 4, which require personnel to be Union citizens and, where appropriate, hold national security clearances.
  • Subcontractor Changes: Onboarding new subcontractors that are not established in the Union, or that are subject to the control of a third country. This alters the supply chain sovereignty profile and may breach criteria regarding third-party control and support.
  • Control and Ownership: Changes in the ownership structure, capital, or governance that introduce third-country control. Higher assurance levels (2–4) have strict prohibitions or specific derogation requirements regarding third-country control.
  • Cybersecurity Incidents: Significant breaches or vulnerabilities that compromise the state-of-the-art cybersecurity standards required for the specific assurance level.
  • Legal and Regulatory Shifts: New laws or regulatory changes in the provider's home jurisdiction or a controlling third country that could compel data access, service disruption, or force compliance with restrictive measures (e.g., sanctions) contrary to CADA requirements.

The Consequences of Notification: The Reassessment Chain

Notification is not merely an administrative formality; it initiates a formal reassessment process designed to maintain the integrity of the framework. Article 23(2) and (3) outline the subsequent steps:

  • Auditing Organisation's Role: Upon receiving the notification, the auditing organisation must assess whether the audit report or the 'positive' opinion needs to be amended or revoked. If the organisation determines that the change affects compliance, it must amend or revoke the report/opinion and notify the national competent authority of establishment "as soon as possible."
  • Competent Authority's Role: The national competent authority must then assess whether its original recognition of the cloud computing service needs to be amended or revoked. If it decides to amend or revoke the recognition, it must notify the competent authorities of other Member States and the Commission.

This chain of communication ensures that all relevant stakeholders across the EU are immediately aware if a service's sovereignty status has degraded, allowing for swift market correction and protecting public sector bodies from relying on non-compliant services.

What this means for you

For cloud service providers and data centre operators aiming to operate in the EU public sector market, Article 23 requires the implementation of robust internal monitoring and incident response protocols. You cannot rely solely on annual audits; you must have continuous visibility into your operational, legal, and corporate environment.

Key Action Items:

  1. Define "Material" Internally: Develop an internal policy that clearly defines what constitutes a "material change" for your specific assurance level. Map these changes against the cumulative criteria in Annex II to ensure no relevant change goes unreported.
  2. Establish Rapid Reporting Channels: Create dedicated, secure channels for notifying your auditing organisation and the national competent authority. Ensure that your legal, compliance, and technical teams are trained to identify triggers immediately upon occurrence.
  3. Monitor Subcontractors and Supply Chain: Since subcontractor changes are a common source of sovereignty risk, implement strict onboarding and continuous monitoring processes for all third-party vendors. Any change in their location, ownership, or security posture must be evaluated for materiality.
  4. Document Everything: Keep detailed records of all notifications sent, the exact date and time of awareness, the nature of the change, and the subsequent actions taken by auditors and authorities. This documentation will be crucial for demonstrating compliance during enforcement actions.
  5. Plan for Reassessment: Be prepared for the possibility that a notification could lead to the amendment or revocation of your audit opinion or recognition. Have contingency plans in place to mitigate business disruption if your assurance level is downgraded or if you lose recognition entirely.

Common misconceptions

Misconception 1: Only annual audits matter. Many providers assume that compliance is determined once a year during the independent audit. CADA explicitly rejects this static view. Article 23 makes it clear that obligations are continuous. A provider that is compliant during its annual audit but fails to report a material change occurring mid-year is in violation of the regulation.

Misconception 2: Only technical changes need reporting. Providers often focus on technical infrastructure changes (e.g., server migrations) but overlook legal or corporate changes. However, changes in ownership, control, or applicable third-country laws are equally material, especially for Levels 2–4, which have strict criteria regarding third-country control and legal safeguards.

Misconception 3: Notification is optional if the change is minor. The threshold is whether the change may affect the audit report or recognition. Even if the provider believes the change is minor, if there is any uncertainty about its impact on compliance, the safe course of action is to notify. The auditing organisation and competent authority will then determine if an amendment or revocation is necessary. Failing to notify and subsequently being found non-compliant carries significantly higher risks than an unnecessary notification.

Misconception 4: SMEs are exempt from this obligation. While SMEs benefit from a simplified recognition process for Union assurance level 1 (automatic recognition of their EU statement of conformity without prior national authority recognition under Article 17(3)), they are still subject to the transparency obligations in Article 23 if they are recognised providers. The duty to report material changes applies to all recognised providers, regardless of size.

This is general information about a draft EU regulation, not legal advice.