1. Overview
SOV-2-02 Audit Rights

| Summary | Standard |
|---|---|
| SOV-2-02-C1 | The cloud service provider MUST document procedures that allow the relevant federal or national cybersecurity authority to verify compliance with the C3A criteria by an audit. The responsible authority is the one in the country where the data center is located. |
| SOV-2-02-C2 | The cloud service provider MUST document procedures that allow the German federal administration to verify compliance with the C3A criteria by an audit. |
| SOV-2-02-SI | The audit rights may be derived from a contract or law that explicitly reserves the right for the federal or national authority to conduct audits. Where possible, the authority should make use of existing audits (e.g., BSI C5, SOC 2 Type 2) before carrying out its own audit. Any audit shall be conducted in accordance with the cloud service provider's strict security and confidentiality protocols, including defined notice periods, to protect the data of other tenants and the integrity of the data center. While costs are a commercial matter, the right to audit is a regulatory mandate. Fees shall not be so high as to effectively deny this right. |
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements

| Source | Requirement |
|---|---|
3. Related Regulations

| Source | Regulation |
|---|---|