Summary

Under the proposed Cloud and AI Development Act (CADA), the cloud computing service provider seeking recognition for Union assurance levels 2, 3, or 4 must bear the full cost of the independent third-party audit. Article 20(1) explicitly mandates that these audits be conducted "at their own expense." This financial obligation is a prerequisite for accessing the EU public sector market at higher sovereignty tiers. In contrast, Union assurance level 1 relies on a conformity self-assessment (Article 19) and does not require a paid independent audit.

Detail

The CADA proposal establishes a "Union cloud computing sovereignty framework" designed to mitigate risks associated with dependence on third-country providers. To achieve recognition at the higher tiers of this framework (specifically levels 2, 3, and 4), providers must undergo rigorous independent audits. A critical component of this regulatory burden is the clear allocation of financial responsibility.

Legal Basis: Article 20(1)

The primary legal basis for the payment obligation is found in Article 20(1) of the CADA proposal. The text is unambiguous regarding the financial responsibility:

"Cloud computing service providers seeking recognition in accordance with Article 17 as offering Union assurance level 2, 3, or 4, shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."

This provision places the financial burden squarely on the provider. The phrase "at their own expense" indicates that the cost is an operational expenditure for the provider. It cannot be passed directly to public sector bodies as a separate line item for the audit itself, nor can it be subsidized by the Union budget. The provider must budget for these costs to access the EU public sector market for activities requiring higher assurance levels.

Scope of the Obligation: Levels 2, 3, and 4 Only

The obligation to pay for an independent audit applies strictly to providers seeking Union assurance levels 2, 3, and 4. It does not apply to Union assurance level 1.

  • Level 1 (Self-Assessment): Under Article 19, providers demonstrate compliance through a "conformity self-assessment." They issue an EU statement of conformity stating that they have met the criteria. While there are internal administrative costs associated with preparing this documentation, there is no statutory requirement for a paid, independent third-party audit.
  • Levels 2–4 (Independent Audit): These levels require increasingly stringent controls, including strict data localization within the Union, restrictions on third-country control, specific cybersecurity certifications (e.g., "substantial" assurance for levels 2 and 3, "high" for level 4), and detailed software supply chain measures. To verify compliance with these complex criteria, an independent auditing organization must perform the audit. The provider pays this organization for its services.

Annual Reviews and Ongoing Costs

The financial obligation is not a one-time fee. Article 20(8) introduces an ongoing requirement for continuous compliance:

"The audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation which shall assess the continued compliance of the audited service with the applicable criteria set out in Annex II."

This means providers must budget for annual review audits to maintain their recognized status. If the auditing organization finds that the provider no longer complies, it may revoke the audit report and opinion. Such a revocation would lead to the loss of the Union assurance level recognition, effectively barring the provider from public procurement contracts requiring that level.

Selection of Auditing Organizations and Independence

While the provider pays for the audit, they retain the right to select the auditing organization, provided it meets the strict independence and competence requirements set out in Article 20(4). These requirements include:

  • Independence: The auditor must be independent from the provider and any connected legal persons.
  • No Conflicts of Interest: The auditor must not have provided non-audit services to the provider in the 12 months prior to or following the audit.
  • Competence: The auditor must have proven technical competence in auditing cloud computing services.

Crucially, Article 20(4)(a)(iii) prohibits fee structures that could compromise objectivity: auditors cannot perform the audit "in return for fees that are contingent on the result of the audit." Providers should ensure that the fees charged are fixed or based on time and materials, not on achieving a specific "positive" opinion.

What this means for you

If you are a cloud computing service provider targeting the EU public sector market, you must integrate audit costs into your pricing models and financial planning.

  1. Budget for Initial and Recurring Costs: You will face a significant upfront cost to achieve initial recognition at levels 2, 3, or 4. Additionally, you must account for annual review fees to maintain compliance. These are operational expenditures that you must absorb as part of your cost of doing business in the EU sovereign market.
  2. Factor Costs into Service Pricing: Since you cannot directly bill the audit cost to the client as a regulatory fee, you should factor these expenses into the overall price of your cloud computing services. This may impact your competitiveness against providers who do not need to meet these higher assurance levels, though public procurement rules under Article 30 will increasingly favor sovereign-compliant services for public-order-relevant activities.
  3. Choose Auditors Strategically: You are free to choose your auditing organization. Obtain competitive quotes from multiple qualified auditors. Ensure that the auditor you select has the specific expertise in cloud infrastructure and cybersecurity required by Article 20(4)(b) and (c) to avoid failed audits and wasted expenditure.
  4. Evaluate the Level 1 to Level 2 Transition: If you currently only offer Level 1 services, moving to Level 2 will trigger this new cost center. Evaluate whether the market demand for Level 2, 3, or 4 services in your target sectors (e.g., law enforcement, defense, critical infrastructure) justifies the investment in independent audits.

Common misconceptions

Misconception: The EU or public sector pays for the audit. Reality: No. Article 20(1) explicitly states the provider undergoes the audit "at their own expense." The Commission establishes the central repository of recognized services (Article 22), but it does not fund the individual audits performed by private auditing organizations.

Misconception: All cloud providers must pay for an audit. Reality: Only providers seeking Union assurance levels 2, 3, or 4 must pay for an independent audit. Providers recognized at Union assurance level 1 only need to perform a self-assessment (Article 19), which does not mandate an independent third-party audit fee.

Misconception: The audit is a one-time cost. Reality: Article 20(8) requires an annual review by an auditing organization to ensure continued compliance. This creates a recurring annual financial obligation for the duration of your recognition. Failure to pay for or complete this review results in the loss of recognition.

Misconception: The provider can choose any auditor. Reality: While the provider selects the auditor, the auditor must meet strict independence criteria under Article 20(4). If an auditor has provided non-audit services to the provider recently or has a conflict of interest, their audit opinion will be invalid.

This is general information about a draft EU regulation, not legal advice.