Summary

Under the proposed Cloud and AI Development Act (CADA), independent third-party audits are mandatory for cloud computing service providers seeking recognition at Union Assurance Levels 2, 3, and 4. Providers aiming for the entry-level Union Assurance Level 1 are exempt from external audits; instead, they must conduct a conformity self-assessment and issue an EU statement of conformity. This tiered approach, defined in Article 20(1), balances market accessibility for smaller providers with rigorous, audited scrutiny for services handling sensitive public-order data.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised "Union cloud computing sovereignty framework" comprising four distinct assurance levels. These levels range from Level 1 (baseline) to Level 4 (highest assurance). The mechanism for demonstrating compliance varies fundamentally between the baseline level and the higher tiers, creating a bifurcated compliance landscape for providers.

The Mandatory Audit Requirement for Levels 2, 3, and 4

For any cloud computing service provider seeking to be recognised as offering Union Assurance Levels 2, 3, or 4, the proposal imposes a strict obligation to undergo external verification. Article 20(1) of the proposal explicitly mandates:

"Cloud computing service providers seeking recognition in accordance with Article 17 as offering Union assurance level 2, 3, or 4, shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."

This requirement is not optional. The audit must be conducted by an auditing organisation that is independent from the provider and free from conflicts of interest. The proposal specifies that these organisations must demonstrate proven expertise, technical competence, and objectivity. They are prohibited from providing non-audit services to the provider in the 12 months before or after the audit, and they cannot be paid contingent fees based on the audit result.

The output of this process is twofold: an audit report detailing the findings and methodology, and an audit opinion. The opinion must be either "positive" (confirming compliance) or "negative" (indicating non-compliance). Only a "positive" audit opinion allows the provider to proceed to the recognition phase with the national competent authority.

Furthermore, this is not a one-off event. Article 20(8) requires audited providers to submit their audit report and associated positive opinion for annual review. The auditing organisation must assess continued compliance with the applicable criteria, confirming, updating, or revoking the initial opinion based on the findings.

The Self-Assessment Route for Level 1

In stark contrast, Union Assurance Level 1 operates on a self-declaration basis, removing the barrier of external audit costs for providers targeting the baseline market. Providers seeking Level 1 recognition do not engage an independent auditor. Instead, they must perform a conformity self-assessment.

Under Article 19, the process for Level 1 is as follows:

  1. Self-Assessment: The provider assesses its own compliance with the Level 1 criteria set out in Annex II. These criteria include being established in the Union, keeping infrastructure and data within the Union (unless explicitly required otherwise by the public sector body), and ensuring transparency regarding subcontractors.
  2. Statement of Conformity: Upon completing the assessment, the provider must issue an EU statement of conformity. By issuing this statement, the provider assumes full responsibility for the compliance of the service with the Level 1 criteria.
  3. Public Availability: The statement must be made publicly available.

This mechanism is designed to lower administrative burdens and facilitate market entry, particularly for Small and Medium-sized Enterprises (SMEs). Article 17(3) provides a specific derogation for SMEs: the EU statement of conformity issued by an SME under Article 19 is directly and automatically recognised in all Member States without the need for prior recognition by a national competent authority. This "automatic recognition" feature is a key incentive for smaller providers to join the sovereign cloud ecosystem.

The Role of National Competent Authorities

The divergence in assessment methods leads to different interactions with national authorities. For Levels 2, 3, and 4, the provider must submit the audit report and the positive audit opinion to the national competent authority of establishment. The authority then verifies the evidence and, if satisfied, adopts a recognition decision that is valid across the Union. This process involves a review period where other Member States may raise objections.

For Level 1, the interaction is minimal for SMEs due to automatic recognition. For non-SMEs, the provider submits the EU statement of conformity and evidence to the national competent authority, which assesses the evidence before granting recognition. However, the core verification burden remains with the provider, not an external auditor.

What this means for you

As a cloud service provider, your choice of assurance level (or the level required by your public sector customers) dictates your compliance strategy, budget, and operational timeline.

If you are targeting Union Assurance Level 1:

  • Internal Governance is Key: You must establish robust internal control procedures to verify your own compliance with Level 1 criteria. This includes documenting your establishment in the Union and ensuring data and infrastructure remain within EU borders.
  • Cost Efficiency: You avoid the significant costs of hiring external auditing organisations. This makes Level 1 the most accessible entry point for SMEs and new market entrants.
  • Liability: By issuing the EU statement of conformity, you assume sole responsibility. If you provide incorrect or misleading information, you face penalties under Article 24, and your recognition may be revoked.
  • SME Advantage: If you qualify as an SME, your self-assessment is automatically recognised EU-wide, bypassing the national authority review process entirely.

If you are targeting Union Assurance Levels 2, 3, or 4:

  • Budget for External Audits: You must allocate significant resources for independent third-party audits. These are conducted at your own expense and must be renewed annually.
  • Auditor Selection: You are free to select your auditing organisation, but it must meet strict independence criteria. Ensure your auditor is not providing non-audit services (like consulting or IT implementation) that could create a conflict of interest.
  • Deep Scrutiny: Auditors will require full access to your premises, data, and documentation. They will examine your software supply chain (including SBOMs), personnel screening, and operational controls. You must cooperate fully; hindering the audit is prohibited.
  • Cumulative Criteria: Remember that criteria are cumulative. To achieve Level 3, you must meet all Level 1 and Level 2 criteria plus the specific Level 3 requirements (e.g., Union citizenship for personnel). You cannot use a Level 1 self-assessment to qualify for Level 2; a distinct independent audit is required for each tier above Level 1.

Common misconceptions

Misconception 1: Level 1 requires no verification. While Level 1 does not require an external audit, it is not unverified. Providers must conduct a genuine conformity self-assessment and issue a formal EU statement of conformity. National competent authorities retain the power to investigate if there are suspicions of non-compliance, and providers face penalties for supplying incorrect information. The "self-assessment" is a legal declaration of compliance, not a mere formality.

Misconception 2: You can choose the audit level based on preference. The assurance level is not a marketing choice; it is determined by the risk assessment of the public sector body procuring the service. Under Article 29, Member States and Union entities must conduct risk assessments to identify activities contributing to the preservation of public order (e.g., national security, justice, law enforcement). If an activity is identified as public-order relevant, Article 30(3) mandates that the contracting authority procure only services recognised at Level 2, 3, or 4. You cannot offer a Level 1 service if the customer's risk assessment requires a higher level of assurance.

Misconception 3: A single audit covers all levels. No. The criteria for each level are cumulative and distinct, and the verification method changes above Level 1. A provider seeking Level 3 must meet all Level 1 and Level 2 criteria, but a Level 1 self-assessment cannot substitute for the independent audit required at Level 2 or above. Each tier above Level 1 requires its own independent third-party audit to validate the specific additional criteria for that tier (such as Union citizenship for personnel at Level 3).

This is general information about a draft EU regulation, not legal advice.