Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers recognised under the Union sovereignty framework must notify two entities of any material change: their auditing organisation and the national competent authority of establishment. Under Article 23(1), the notification is due "as soon as possible" once the provider becomes aware of information or circumstances that may affect its audit report, its "positive" audit opinion, or its recognition. This dual-notification duty keeps the EU's central repository of recognised sovereign cloud services accurate and protects public sector buyers from procuring a service that no longer meets the assurance level they require.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous "Union cloud computing sovereignty framework" to reduce the EU's strategic dependence on non-European providers and safeguard public order. A cornerstone of this framework is the system of Union assurance levels (Levels 1 to 4), which categorise cloud services based on their trustworthiness, data localisation, and operational autonomy. Achieving these levels requires strict conformity assessments and independent third-party audits. However, compliance under CADA is not a static, one-time achievement; it is a continuous, dynamic obligation.

The Core Obligation: Article 23(1)

Article 23, titled "Transparency obligations," codifies the ongoing duty of recognised providers to maintain the accuracy of their status. The primary rule is explicitly set out in Article 23(1):

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

This provision creates a dual-notification duty. A provider cannot simply update internal records, wait for the next scheduled annual review, or notify only one party. It must proactively alert both the private entity that audited it (the auditing organisation) and the public regulator responsible for its oversight (the national competent authority of establishment), and the provision sets the same "as soon as possible" deadline for both; notifying one and deferring the other does not discharge the obligation.

Defining "Material Change"

Article 23 does not provide an exhaustive list of triggers. The statutory test is whether the information or change "may affect" the audit report, the "positive" opinion, or the recognition, and the context of the sovereignty framework and the criteria in Annex II clarify what that covers in practice: any alteration in the provider's operational, technical, legal, or ownership circumstances that could affect its compliance with the criteria for its assigned Union assurance level.

Examples of changes likely to trigger this obligation include:

  • Changes in Control or Ownership: If a third-country entity acquires a significant stake, or if the provider becomes subject to the control of a third country, this may violate criteria for Levels 3 and 4, which strictly limit or prohibit such control.
  • Infrastructure Relocation: Moving data storage, processing, or backup infrastructure outside the Union, unless explicitly permitted by the public sector body under the specific assurance level rules.
  • Subcontractor Shifts: Engaging new subcontractors who do not meet the stringent security, location, or citizenship requirements (e.g., Union citizenship for personnel at higher levels) of the assurance level.
  • Cybersecurity Incidents: Significant breaches that compromise the integrity of the service or the confidentiality of customer data, or that otherwise call into question the "positive" audit opinion on the cybersecurity criteria. The trigger is whether the incident bears on the audited criteria, not the incident's severity as such.
  • Legal or Regulatory Shifts: New laws in the provider's home jurisdiction (or a third country controlling the provider) that could force data disclosure to foreign authorities, undermining the sovereignty guarantees certified in the audit.
  • Software Supply Chain Changes: Introduction of third-country software components without the required migration plans or source code audits, as required for Levels 2, 3, and 4.

The Notification Chain and Follow-Up

Article 23 establishes a clear, sequential chain of responsibility following the initial provider notification:

  1. Provider Notification: The recognised provider notifies the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of the material change.
  2. Auditing Organisation Assessment: Under Article 23(2), the auditing organisation must assess whether the audit report or the "positive" audit opinion needs to be amended or revoked based on the new information. If the organisation amends or revokes the report/opinion, it must notify the national competent authority of establishment immediately.
  3. Competent Authority Assessment: Under Article 23(3), the national competent authority of establishment assesses whether the official recognition of the cloud service (granted under Article 17) needs to be amended or revoked. If the authority amends or revokes the recognition, it must notify the competent authorities of other Member States and the European Commission.

This chain ensures that the central repository of recognised services (maintained under Article 22) is updated promptly after each assessment, preventing public sector bodies from procuring services that no longer meet the required assurance level.

Consequences of Failure to Notify

The CADA proposal treats transparency as a critical pillar of the single market. Failure to notify material changes can lead to severe consequences. Under Article 24, Member States must lay down rules on penalties for infringements of the sovereignty chapter, which must be "effective, proportionate and dissuasive." When determining penalties, authorities must consider factors such as the nature, gravity, scale, and duration of the infringement, as well as any financial benefits gained by the provider.

Furthermore, if a provider fails to notify a change that leads to non-compliance, their recognition may be revoked. This removal from the central repository effectively bars them from selling to public sector bodies that require a specific Union assurance level, causing significant commercial disruption.

What this means for you

For cloud service providers aiming to serve the European public sector, Article 23 imposes a significant operational burden that extends beyond standard IT governance. You must integrate sovereignty compliance into your continuous monitoring and change management processes.

1. Establish Robust Internal Monitoring You cannot comply with the "as soon as possible" mandate if you are unaware of material changes, and the clock starts when you become aware. Your internal governance frameworks must include ongoing monitoring of:

  • Ownership structures and shareholder changes (especially those involving third-country entities).
  • Subcontractor and supply chain modifications.
  • Data flow and infrastructure location updates.
  • Cybersecurity incident logs and vulnerability reports.

2. Define "Material" in Your Compliance Policies While the law uses the term "material change," you should define specific thresholds in your internal compliance manuals, mapped to the Annex II criteria for your assigned assurance level. For instance, does a change in a minor, non-critical subcontractor trigger a notification? Likely not, unless the subcontractor touches a criterion the audit relied on. But a change in the primary data hosting location or a shift in the ultimate beneficial ownership? Almost certainly, since both go directly to the sovereignty criteria the audit certified. Clear internal definitions will help your compliance team act swiftly and accurately.

3. Prepare for Dual Reporting Ensure your legal and compliance teams have established, tested lines of communication with both your auditing organisation and your national competent authority of establishment. Article 23(1) states a single obligation towards both recipients with one deadline, so notifying the auditor and leaving the regulator for later (or vice versa) could be viewed as non-compliance. Treat both notifications as owed at the same time.

4. Document Everything Keep detailed records of all notifications sent, including the date, time, content, and recipient, and record when and how you first became aware of the change, since Article 23(1) measures "as soon as possible" from that moment. This documentation will be vital if you face an investigation or need to demonstrate that you acted in good faith and within the required timeframe.

5. Plan for Re-audits Be prepared for the auditing organisation to request immediate re-evaluations following a notification. Have the necessary documentation, access to premises, and source code ready to facilitate these audits quickly, as delays could further jeopardise your recognised status.

Common misconceptions

Misconception 1: Notification is only required for negative events. Many providers assume they only need to notify if they have suffered a breach or lost compliance. However, Article 23 requires notification of any material change that may affect the audit report, the "positive" opinion, or the recognition; whether the change is good or bad news is irrelevant. A change that is positive for the business, such as an acquisition or a new major subcontractor, can still alter the risk profile or require a reassessment of the assurance level. If a change touches the criteria in Annex II, it must be reported.

Misconception 2: The annual audit covers all changes. Providers often rely on the annual review mentioned in Article 20(8) to update their status. While the annual review is mandatory, it does not absolve providers of the duty to notify material changes as they occur. The "as soon as possible" requirement in Article 23(1) is distinct from the annual cycle. Waiting for the annual audit to report a significant change that occurred months earlier would likely be considered a failure to comply with the transparency obligations.

Misconception 3: Only the public sector needs to be informed. Providers may think they should notify their public sector customers directly. While contractual obligations may require this, the legal duty under Article 23 is specifically to the auditing organisation and the national competent authority of establishment. These entities then manage the broader implications, including updating the central repository and informing other Member States if necessary.

Misconception 4: This only applies to Level 4 services. The transparency obligations in Article 23 apply to providers recognised under the framework, which includes Levels 1, 2, 3, and 4. While the criteria for each level differ, the duty to maintain the accuracy of the recognition and audit opinion through timely notification is universal across the framework.

This is general information about a draft EU regulation, not legal advice.