Summary
Under the proposed Cloud and AI Development Act (CADA), only independent organisations with proven expertise, technical competence, and capabilities in auditing cloud computing services can act as an auditing organisation. Article 20(4) of the proposal sets strict, cumulative criteria: the body must demonstrate objectivity and professional ethics based on adherence to codes of practice. Crucially, the auditor must have no conflicts of interest with the cloud provider, enforced by a 12-month cooling-off period for non-audit services, a 10-year rotation rule for audit services, and a ban on contingent fees.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework to ensure that cloud computing services used by the public sector and critical infrastructure are secure, resilient, and free from undue third-country influence. While Union assurance level 1 relies on a provider's self-assessment, Union assurance levels 2, 3, and 4 require a formal, independent third-party audit.
Article 20 of the CADA proposal outlines the "Independent audit" process. It mandates that cloud computing service providers seeking recognition for these higher assurance levels must undergo audits at their own expense. The law is designed to ensure that the entity verifying the provider's compliance is truly independent, technically capable, and ethically sound.
Who Qualifies as an Auditing Organisation?
According to Article 20(4), an auditing organisation is not defined by a specific professional title (such as "chartered accountant") but by a set of cumulative criteria. To be eligible to conduct these audits, an organisation must meet three core requirements:
- Demonstrate Independence: The organisation must be independent from the cloud computing service provider and any legal person connected to that provider. This is not merely a statement of intent but is enforced through strict temporal and financial barriers.
- Possess Proven Expertise: The body must have "proven expertise, technical competence and capabilities in auditing cloud computing services." This ensures that auditors understand the complex technical architectures, data flows, security protocols, and sovereignty-specific criteria inherent in cloud environments.
- Uphold Objectivity and Ethics: The organisation must demonstrate "proven objectivity and professional ethics," based in particular on adherence to codes of practice or appropriate standards.
The Independence Requirements (Article 20(4)(a))
The most detailed constraints apply to independence. Article 20(4)(a) imposes three specific "cooling-off" and conflict-of-interest rules to prevent an auditor from being financially or operationally compromised by the client they are auditing:
- No Recent Non-Audit Services: The auditing organisation must not have provided non-audit services related to the matters audited to the cloud provider (or connected entities) in the 12-month period before the beginning of the audit. Furthermore, they must commit to not providing such services in the 12-month period after the completion of the audit. This prevents a scenario where an auditor softens their findings to secure a future consulting contract with the same provider.
- Firm Rotation (The 10-Year Rule): To prevent long-term familiarity from blinding an auditor to risks, the organisation must not have provided auditing services pursuant to Article 20 to the same cloud provider (or connected entities) in the 10-year period before the beginning of the audit. This forces providers to rotate their audit firms regularly, ensuring fresh eyes on their compliance posture.
- No Contingent Fees: The audit cannot be performed in return for fees that are contingent on the result of the audit. The fee must be fixed or based on effort, not on whether the provider passes or fails.
Technical Competence and Ethical Standards
Beyond independence, Article 20(4)(b) and (c) focus on quality. The auditing organisation must have proven technical competence. Given the rapid evolution of cloud technology, this implies that auditors must stay current with industry standards, cybersecurity frameworks, and data protection regulations.
Additionally, they must adhere to codes of practice or appropriate standards. While the CADA proposal does not list a single specific standard (such as ISO 27001) in Article 20(4) itself, Recital 55 clarifies that audits should be performed in accordance with "best industry practices and high professional ethics and objectivity, with due regard for auditing standards and codes of practice."
The Commission is empowered to adopt delegated acts under Article 20(9) to supplement the Regulation by laying down detailed rules on the performance of audits, including the procedural steps, rules for auditing organisations, their technical competences, and auditing methodologies. This means the specific technical benchmarks may be refined in secondary legislation, but the baseline requirement for "proven expertise" is immediate.
The Role and Output of the Auditing Organisation
Once selected, the auditing organisation's role is to assess the provider's compliance with the criteria set out in Annex II of the CADA. They must produce an audit report that includes a "positive" or "negative" audit opinion.
- A "positive" opinion is given where all evidence shows that the provider complies with the audit criteria.
- A "negative" opinion is given where the auditing organisation considers that the provider does not comply.
- If the auditor cannot reach a conclusion on specific aspects, they must include an explanation of why in the report.
The auditing organisation must also maintain confidentiality. Article 20(3) requires them to ensure an adequate level of confidentiality and professional secrecy regarding information obtained during the audit. However, this confidentiality does not allow them to hide non-compliance; they must report their findings to the national competent authority of establishment.
What this means for you
If you are a cloud service provider aiming for Union assurance levels 2, 3, or 4, you cannot simply choose any large accounting firm or cybersecurity consultancy. You must verify that your chosen partner meets the strict Article 20(4) criteria.
1. Check Your Current Providers for Conflicts: Review your current relationships with audit and consulting firms. If you have engaged a firm for non-audit consulting services (e.g., security architecture design, compliance gap analysis, or software implementation) in the last 12 months, they are legally barred from auditing your sovereignty compliance under CADA. You will need to engage a different firm for the audit, and that firm must commit to not providing such services for the next 12 months.
2. Plan for Firm Rotation: If you have used the same firm for previous cybersecurity or sovereignty audits, check the 10-year clock. If it has been less than 10 years since their last audit under this specific regulatory framework, they are ineligible. You must select a new auditor. This is a significant operational consideration for large providers with long-standing vendor relationships.
3. Verify Technical Competence: Do not assume a general financial auditor has the "proven expertise... in auditing cloud computing services" required by Article 20(4)(b). Look for firms with specific certifications or track records in cloud infrastructure auditing. The audit will involve deep technical dives into your software bill of materials (SBOM), data flow diagrams, access controls, and third-country control mechanisms. An auditor lacking this technical depth may fail to provide a meaningful assessment, risking your recognition.
4. Budget for the Audit: Article 20(1) states these audits are at the provider's expense. Given the strict independence rules, you may need to onboard a new specialist firm, which can involve higher initial costs. Factor this into your pricing for public sector contracts.
Common misconceptions
Misconception 1: Any accredited auditor can perform a CADA audit. Reality: Accreditation for financial audits or general ISO standards does not automatically qualify an organisation. Article 20(4) specifically requires "proven expertise, technical competence and capabilities in auditing cloud computing services." The audit focuses on sovereignty, data localisation, and third-country control, which are distinct from traditional financial or generic IT security audits.
Misconception 2: I can use the same firm for consulting and auditing if they are separate teams. Reality: Article 20(4)(a)(i) prohibits the organisation from having provided non-audit services in the 12 months prior. Even if the consulting and auditing teams are structurally separate within the same legal entity, the firm as a whole is barred from performing the audit. This is a strict firewall to ensure absolute independence.
Misconception 3: The audit is a one-time event. Reality: Article 20(8) requires the audited provider to submit the audit report and the associated "positive" audit opinion for review annually. The auditing organisation (either the same one, subject to the 10-year rule, or a new one) must assess continued compliance every year.
Misconception 4: Confidentiality prevents the auditor from reporting non-compliance. Reality: Article 20(3) mandates confidentiality, but Article 20(5) requires a substantiated audit report with a positive or negative opinion. This report is submitted to the national competent authority. Confidentiality protects trade secrets from public disclosure, not from regulatory oversight.
Related
- What requirements must a CADA auditing organisation meet?
- How should a provider pick a CADA auditing organisation?
- Can the Commission change the CADA assurance levels by delegated act?
- Who pays for the CADA audit? Provider costs explained
- Who must meet CADA Union assurance levels?
This is general information about a draft EU regulation, not legal advice.