Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation. It would bind Latvia immediately upon entry into force, requiring no national transposition law. Latvia would be obligated to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone if deploying capacity (Article 10); and (3) appoint a national competent authority to enforce sovereignty rules (Article 25). These measures would fundamentally alter how Latvian public bodies procure cloud services, how providers demonstrate "Union assurance," and how data centre operators navigate permitting.

Detail

The Cloud and AI Development Act (CADA) represents a structural shift in the EU's digital governance. For Latvia, as for all Member States, the proposal introduces binding obligations designed to strengthen technological sovereignty, expand domestic computing capacity, and reduce reliance on non-European providers. Because CADA is drafted as a Regulation, it applies uniformly across the Union once adopted, eliminating the fragmentation caused by divergent national implementations.

Direct Applicability and Legal Status

Unlike EU Directives, which require Member States to transpose them into national law, Regulations are directly applicable. This means that when CADA enters into force, its provisions become part of Latvian law automatically. Latvia would not need to pass a new "CADA Implementation Act." However, the Regulation grants Member States specific administrative tasks to operationalise its framework locally. For Latvia, this involves establishing new strategic plans, geographic zones, and regulatory bodies within strict timelines.

Key Obligations for Latvia

1. National Cloud and AI Strategy (Article 7) Under Article 7, Latvia must establish a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy is not optional; it is a mandatory instrument to align national policy with Union objectives.

  • Content Requirements: The strategy must include the "AI first" principle, governance frameworks, and measures to accelerate adoption among SMEs and public bodies. Crucially, it must detail measures to support the deployment of data centre capacity, invest in high-intensity computing infrastructure (such as AI factories), and promote cloud stacks built on open hardware and software to strengthen sovereignty.
  • Alignment: The strategy must be consistent with the Digital Decade Policy Programme targets, including the adoption of cloud services by at least 75% of enterprises and the deployment of climate-neutral edge nodes.
  • Timeline: Latvia must notify the Commission of the strategy within three months of adoption and assess it at least every three years using key performance indicators.

2. Data Centre Acceleration Zones (Article 10) To address the EU's compute capacity deficit, Article 10 requires Latvia to designate at least one "data centre acceleration zone" within its territory if it is deploying data centre capacity.

  • Designation Criteria: When selecting these zones, Latvia must consider the available and future power grid capacity, network connectivity, environmental sustainability, and the potential for waste heat reuse. The proposal explicitly encourages the preference for reusing brownfield sites over greenfield sites.
  • Permitting Benefits: Data centre projects deployed in these zones would benefit from streamlined permitting. Under Article 13, the permit-granting procedure for such projects would not exceed 12 months. Member States must also prepare an "aggregated baseline permit" covering common authorisations for the zone, excluding only installation-specific permits.
  • Energy Analysis: Latvia must conduct a comprehensive analysis of the energy needs and greenhouse gas impacts of these zones and ensure network development plans account for future demand.

3. National Competent Authority (Article 25) Article 25 mandates that Latvia designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework.

  • Exclusive Competence: The Member State where a cloud provider has its main establishment (head office or registered office) has exclusive competence. If a provider is established in Latvia, the Latvian authority is the sole enforcer.
  • Powers: These authorities would have investigative powers (e.g., requiring information, inspecting premises) and enforcement powers (e.g., ordering cessation of infringements, imposing fines).
  • Notification: Latvia must notify the Commission of the authority's name, tasks, and powers. The Commission will maintain a public register of these authorities.

Changes for Stakeholders in Latvia

Public Sector Bodies For Latvian public sector bodies, CADA introduces a mandatory sovereignty framework for cloud procurement that replaces current discretionary practices.

  • Risk Assessments: Under Article 29, Latvia (as a Member State) must carry out risk assessments to identify which public sector activities contribute to the preservation of "public order" (e.g., national security, justice, law enforcement).
  • Procurement Obligations: Under Article 30, contracting authorities whose activities are identified as contributing to public order must procure only cloud services recognised at Union Assurance Level 2, 3, or 4. For other activities, a minimum of Union Assurance Level 1 is required.
  • EU Added Value: Under Article 32, Latvian procurement officers must include non-price award criteria evaluating the tenderer's contribution to the European cloud and AI ecosystem (e.g., use of EU-manufactured hardware or EU-developed software).

Cloud Computing Service Providers Providers operating in or targeting the Latvian market face a new compliance regime centred on "Union assurance."

  • Recognition Process: To sell to Latvian public bodies, providers must apply for recognition to the national competent authority of their establishment. If a provider is established in Latvia, it applies to the Latvian authority.
  • Assurance Levels:
    • Level 1: Requires a self-assessment and an EU statement of conformity.
    • Levels 2–4: Require independent third-party audits and a "positive" audit opinion.
  • Sovereignty Criteria: Providers must meet cumulative criteria in Annex II, including establishment in the Union, location of infrastructure and data within the Union, and strict controls on third-country influence. For Level 3 and 4, personnel must be Union citizens (unless the public body explicitly requires otherwise for Level 2).
  • Consequences: Non-compliance or supply of misleading information can lead to revocation of recognition and penalties under Article 24.

Data Centre Operators Operators in Latvia would benefit from the acceleration zone framework but face stricter sustainability mandates.

  • Permitting Speed: Operators in designated zones would benefit from the 12-month permit cap and the aggregated baseline permit.
  • Sustainability: Under Article 11, operators must comply with key performance indicators (KPIs) defined in Delegated Regulation (EU) 2024/1364 regarding energy efficiency.
  • Single Information Points: Operators would have the right to be assisted by a single information point throughout the project lifecycle, coordinating spatial planning, environmental assessments, and grid connections.

What this means for you

For Latvian public-sector procurement officers, IT managers, and infrastructure investors, the transition to CADA would require immediate preparatory actions.

  • Map Your Cloud Usage: Begin identifying which cloud services are used for activities that contribute to public order or involve sensitive data. This mapping determines whether you will need Union Assurance Level 1 or the higher levels (2–4) under Article 30.
  • Update Procurement Templates: Revise tender documents to include mandatory requirements for Union Assurance Levels and EU added-value criteria. Under Article 32, you must evaluate the tenderer's contribution to the European ecosystem, potentially weighting this up to 15 out of 120 points.
  • Engage with the National Competent Authority: Stay informed about the designation of Latvia's national competent authority under Article 25. You will need to interact with this body for guidance on risk assessments and to verify the status of cloud providers in the central repository.
  • Support the National Strategy: Provide input to the relevant ministries as they develop Latvia's national cloud and AI strategy under Article 7. Your operational experience will be crucial in shaping realistic measures for data centre deployment and AI adoption.
  • Monitor Acceleration Zones: If you are a data centre operator, track the designation of Latvia's acceleration zones under Article 10. Locating in these zones could significantly reduce your permitting timeline and administrative burden.

Common misconceptions

"CADA will ban all non-European cloud providers." No. CADA does not ban non-European providers. However, it creates a tiered sovereignty framework that makes it difficult for providers subject to third-country control to achieve the higher assurance levels (2, 3, or 4) required for critical public sector work. Providers from "associated third countries" may qualify for Level 3 if the Commission adopts a specific implementing act under Article 18 confirming sufficient safeguards.

"Latvia needs to pass a new law to implement CADA." No. As an EU Regulation, CADA is directly applicable. Latvia does not need to transpose it into national law. However, Latvia must adopt administrative measuresβ€”such as designating authorities, zones, and strategiesβ€”to fulfil its obligations under the Regulation.

"All public sector cloud use requires the highest security level." No. The framework is risk-based. Under Article 30(2), most standard public sector activities only require Union Assurance Level 1 (a self-assessment). Higher levels are reserved for activities with public order relevance, as determined by the national risk assessment under Article 29.

"Data centre KPIs are listed in CADA." No. The specific Key Performance Indicators (KPIs) for data centre sustainability are not enumerated in CADA itself. Article 11 explicitly refers to the KPIs defined in Delegated Regulation (EU) 2024/1364.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.