Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must bear the full cost of independent third-party audits. Article 20(1) explicitly states that these audits are conducted "at their own expense." The EU budget or Member States do not subsidize these compliance costs. However, providers seeking only Union assurance level 1 can avoid these audit costs entirely by completing a conformity self-assessment and issuing an EU statement of conformity, as no external auditor is required for this baseline level.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework to reduce dependencies on third-country providers and safeguard public order. A critical component of this framework is the requirement for providers to demonstrate compliance with specific sovereignty and security criteria to receive a "Union assurance level." The financial responsibility for proving this compliance is strictly tiered based on the assurance level sought.

The Statutory Obligation: "At Their Own Expense"

For providers aiming to offer services at Union assurance levels 2, 3, or 4, independent verification is not optional; it is a mandatory condition for recognition. The proposal places the financial burden squarely on the cloud service provider.

Article 20(1) of the CADA proposal states:

"Cloud computing service providers seeking recognition in accordance with Article 17 as offering Union assurance level 2, 3, or 4, shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."

This provision is unambiguous. The phrase "at their own expense" means the provider must contract and pay the auditing organisation for all services rendered. This includes the preparation of the audit report, the issuance of the audit opinion, and any necessary travel or data access costs incurred by the auditor. There is no mechanism in the proposal for the EU or national governments to reimburse these costs.

The Cost-Saving Path: Union Assurance Level 1

The proposal creates a distinct, lower-cost pathway for providers who do not require the highest levels of sovereignty assurance. Union assurance level 1 serves as the baseline for all cloud services procured by public sector bodies under Article 30(2).

For this level, the proposal explicitly removes the requirement for an independent audit. Instead, Article 19 establishes a conformity self-assessment procedure:

  • The provider carries out a self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II.
  • The provider issues an EU statement of conformity stating that compliance has been demonstrated.
  • By issuing this statement, the provider assumes full responsibility for the compliance of the service.

Consequently, providers targeting only Level 1 avoid the significant costs associated with hiring an external auditing organisation. Their costs are limited to internal resources required to gather evidence and draft the statement of conformity.

Why the Distinction Exists

The divergence in cost structures reflects the risk profile and sovereignty requirements associated with each level:

  • Union Assurance Level 1 (Self-Assessment): This level covers basic establishment in the Union, data residency within the Union, and general cybersecurity standards. The proposal deems a self-declaration sufficient for these foundational criteria, lowering the barrier to entry for smaller providers and general-purpose services.
  • Union Assurance Levels 2, 3, and 4 (Independent Audit): These higher levels involve stricter criteria, including:
    • Personnel requirements: Union citizenship for staff (conditional at L2, mandatory at L3/L4).
    • Cybersecurity certification: Requirement for a European cybersecurity certificate of at least "substantial" assurance (L2/L3) or "high" assurance (L4).
    • Third-country control: Stricter prohibitions on control by third countries or legal entities established in third countries.
    • Data usage: Prohibitions on using generated data to train AI systems operated by third countries.

Because the stakes for public order and security are higher at these levels, CADA requires an objective, external verification by an independent third party to ensure the criteria are met. Article 20(4) further mandates that auditing organisations must be independent, with no conflicts of interest, proven expertise, and adherence to professional ethics.

What the Audit Cost Covers

The costs borne by the provider for levels 2–4 will cover the auditing organisation's work to assess compliance against the detailed criteria in Annex II. Based on Annex III (Audit Evidence), this includes:

  1. Evidence Collection and Verification: The auditor must review extensive documentation, including Software Bills of Materials (SBOMs), data flow diagrams, proof of infrastructure location, employment contracts for personnel, and cybersecurity certificates.
  2. Operational Inspections: Auditors may require access to premises, IT systems, and administrative logs to verify that infrastructure and support operations are performed exclusively within the Union.
  3. Report Generation: The auditor must produce a substantiated audit report and a formal "positive" or "negative" audit opinion. A "positive" opinion is required for recognition.
  4. Annual Reviews: Article 20(8) requires audited providers to submit their audit report and associated "positive" audit opinion for annual review. The provider must pay for this recurring assessment to maintain their recognition. Failure to undergo this annual review would result in the loss of the assurance level status.

The Role of the Auditing Organisation

Providers are free to select their auditing organisation, provided it meets the strict independence and competence requirements set out in Article 20(4). Key requirements include:

  • Independence: The auditor must not have provided non-audit services related to the matters audited in the 12 months before or after the audit.
  • Expertise: The auditor must have proven technical competence in auditing cloud computing services.
  • Objectivity: The auditor must adhere to codes of practice and professional ethics.

The auditing organisation is paid directly by the cloud provider. In return, the auditor provides the audit report and opinion, which the provider then submits to the national competent authority of establishment for recognition under Article 17.

What this means for you

If you are a cloud service provider planning to serve EU public sector bodies or Union entities, you must factor audit costs into your business model if you aim for assurance levels 2–4.

1. Budget for Recurring Compliance Costs: Unlike one-time certifications, CADA requires annual reviews under Article 20(8). You must budget not just for the initial audit but for yearly renewals. Failure to pay for or undergo these audits will result in the loss of your Union assurance level recognition, potentially barring you from public sector contracts that require levels 2–4.

2. Consider Level 1 if Costs Are Prohibitive: If your service does not handle highly sensitive data or critical public order functions, you may only need Union assurance level 1. By opting for level 1, you can avoid independent audit costs entirely. You will instead incur internal costs for conducting a self-assessment and drafting your EU statement of conformity. This is a viable strategy for SMEs or providers offering general-purpose cloud services that do not fall under the specific public order risk assessments of Article 29.

3. Select Auditors Carefully: Since you are paying for the audit, you have the right to choose your auditor. However, ensure they meet the strict independence criteria in Article 20(4). Choosing an auditor with conflicts of interest (e.g., one that provided consulting services to you recently) could invalidate your audit opinion and lead to recognition rejection.

4. Prepare for Annual Reviews: Article 20(8) mandates an annual review of your compliance. You must maintain a relationship with your auditing organisation (or hire a new one each year) and budget for this ongoing expense. The auditor will assess whether you still meet the criteria, and you must pay for this verification.

Common misconceptions

Misconception 1: The EU or Member States pay for the audit. Reality: No. Article 20(1) explicitly states that providers undergo audits "at their own expense." The EU budget does not cover these compliance costs.

Misconception 2: All cloud providers must pay for an independent audit. Reality: No. Only providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo independent audits. Providers seeking Union assurance level 1 can self-assess and issue a statement of conformity without an external auditor (Article 19).

Misconception 3: The audit is a one-time cost. Reality: No. Article 20(8) requires providers to submit their audit report and opinion for annual review. You must pay for this recurring assessment to maintain your status.

Misconception 4: Auditors can provide consulting services to the provider. Reality: No. Article 20(4) requires auditing organisations to be independent. They cannot have provided non-audit services related to the matters audited in the 12 months before or after the audit. This ensures the audit's objectivity.

This is general information about a draft EU regulation, not legal advice.