CADA in Latvia

Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Latvia must align their digital procurement with a national strategy embedding the "AI first" principle, as mandated by Article 7. When purchasing cloud services, Latvian contracting authorities are obligated to procure only from providers recognized at Union assurance level 1 or higher, with stricter requirements for activities deemed critical to public order under Article 30. Compliance requires mandatory risk assessments every two years, the inclusion of European added value criteria in tenders, and active engagement with Experience and Acceleration Centres for AI (Article 5) as entry points for innovation.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a framework to strengthen the EU's cloud and AI ecosystem, with direct operational implications for public-sector bodies in Latvia. As a Member State, Latvia must transpose these requirements into its national legal and administrative practices, fundamentally altering how public authorities plan, procure, and deploy digital infrastructure. The obligations fall into three primary categories: strategic planning under Article 7, procurement mandates under Articles 30–33, and operational support via Article 5.

Strategic Alignment and the "AI First" Principle

The foundation of CADA compliance for Latvian public bodies lies in national strategy. Article 7 requires Member States to establish national cloud and AI strategies within one year of the regulation's entry into force. These strategies are not merely advisory; they must include specific measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).

A core component of this strategy is the inclusion of the "AI first" principle, as defined in the Apply AI Strategy. This principle urges organizations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. For Latvian public bodies, this means that new digital projects must explicitly consider AI integration from the outset rather than as an afterthought. The national strategy must also outline measures to support the broad deployment of AI in strategic sectors such as healthcare, energy, and mobility, and to ensure the accessibility of high-quality data for AI development.

Latvia must notify the Commission of its national strategy within three months of adoption and assess it at least every three years. The European Artificial Intelligence Board (AI Board), established under the AI Act, will advise and assist Latvia in coordinating these strategies, ensuring they align with broader EU objectives.

Procurement Obligations and Union Assurance Levels

The most direct operational impact of CADA on Latvian procurement officers comes from Title IV, which establishes a Union cloud computing sovereignty framework. Article 30 sets strict procurement rules for cloud computing services based on risk assessments conducted under Article 29.

Minimum Assurance Level: All Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as offering Union assurance level 1. This is a baseline requirement. Under Annex II, Union assurance level 1 requires that the provider is established in the Union, its infrastructure and assets are located in the Union, and customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body.

Critical Public Order Activities: For contracting authorities whose activities have been identified as contributing to the preservation of public order—such as those in national security, internal security, external border management, defence, justice, or law enforcement—stricter rules apply. Article 30(3) mandates that these authorities must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4. These higher levels impose additional criteria, such as requirements for Union citizenship for personnel, European cybersecurity certification, and stricter controls on third-country influence.

Risk Assessments: To determine which assurance level is appropriate, Member States and Union entities must carry out risk assessments under Article 29. These assessments must be conducted by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. The assessments identify public sector activities that contribute to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4). Latvian authorities must consider the sensitivity, criticality, and magnitude of data processed, as well as the risk of unlawful access by third countries. If a risk assessment requires migration to another cloud service, the transition must occur within a reasonable period not exceeding 12 months.

Derogations: Article 30(4) provides limited derogations. Contracting authorities may decide not to procure from recognized providers only if:

1. The subject matter cannot be supplied by recognized services available in the central repository, and no adequate alternative exists.
2. A similar procurement process launched within the previous year received no suitable tenders.
3. Applying the requirements would result in disproportionate cost.

European Added Value and Innovation

Beyond sovereignty, CADA aims to boost the European digital supply chain. Article 32 requires contracting authorities to include non-price award criteria in public procurement procedures for innovative cloud computing services and AI systems. These criteria must allow authorities to evaluate the tenderer's contribution to the development of a European cloud and AI ecosystem.

Specifically, authorities must evaluate:

• The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
• The integration of technologies developed in the Union, including research results from Union-funded programs.
• The extent to which critical computing, storage, and networking hardware components are designed and/or manufactured in the Union.

These criteria must be ancillary and not decisive in the award of the contract, preserving the primacy of technical and financial criteria. However, they serve as a powerful tool for Latvian procurement officers to favor providers that reduce dependency on non-EU technologies.

Furthermore, Article 33 introduces monitoring obligations for the procurement of innovation. Latvia must monitor its use of innovation procurement in cloud and AI, reporting yearly on SME participation trends. The objective is to ensure that at least 25% of procurement for cloud computing services and AI systems is awarded to innovative SMEs. National strategies must include plans on how to achieve this objective.

Support Mechanisms: Experience and Acceleration Centres

To facilitate compliance and adoption, Article 5 requires Member States to establish Experience and Acceleration Centres for AI (Centres for AI). In Latvia, these centres will build on existing European Digital Innovation Hubs (EDIHs). Their primary role is to support the integration and scaling-up of AI use cases in strategic industrial and public sectors.

For Latvian public bodies, these centres serve as entry points to the European AI innovation ecosystem. They help organizations accelerate digital transformation by providing access to AI technologies, connecting them with European providers, and ensuring access to upskilling schemes. Article 4(8) explicitly links the promotion of broad AI adoption to the network of Centres for AI. Public bodies are encouraged to leverage these centres to test, validate, and deploy AI solutions, reducing the barrier to entry for smaller municipalities and agencies that may lack in-house technical expertise.

What this means for you

For procurement officers and digital leaders in Latvian public bodies, CADA introduces a structured, compliance-heavy approach to cloud and AI adoption.

1. Audit Your Current Strategy: Review your organization's digital roadmap against the upcoming Latvian national cloud and AI strategy. Ensure that "AI first" is embedded in project planning. If your current strategy does not address AI opportunities and risks, it will need updating within the first year of CADA's application.
2. Map Your Data and Activities: Conduct an internal audit to determine if your activities contribute to the preservation of public order. If yes, you must prepare for mandatory risk assessments under Article 29. This will dictate whether you need Union assurance level 1, 2, 3, or 4. Do not assume level 1 is sufficient for all services.
3. Check Your Providers: Verify that your current cloud providers are recognized in the central repository under the appropriate Union assurance level. If they are not, you must plan a migration within 12 months of the risk assessment conclusion. For level 1, ensure the provider is established in the EU and keeps data in the EU. For higher levels, check for citizenship requirements and cybersecurity certifications.
4. Update Tender Documents: Revise your procurement templates to include the non-price award criteria specified in Article 32. Explicitly ask bidders about the origin of their hardware and software, and their contribution to the European digital supply chain. This will help you legally favor EU-based solutions without violating competition law.
5. Engage with Centres for AI: Contact the local Experience and Acceleration Centre for AI in Latvia. Use their resources for pilot projects, especially if you are an SME or a smaller public body. They can provide technical support, access to testing facilities, and connections to European providers, helping you meet the 25% innovation procurement target for SMEs.

Common misconceptions

• "CADA bans all non-EU cloud providers." This is incorrect. CADA does not ban non-EU providers outright. Instead, it creates a tiered assurance system. Non-EU providers can potentially qualify for Union assurance level 3 if their home country is designated as an "associated third country" under Article 18, provided it meets strict criteria regarding data protection and lack of extraterritorial interference. However, for most public sector activities, especially those involving sensitive data, EU-established providers will be the primary option.
• "Union assurance level 1 is only for small businesses." False. Level 1 is the minimum requirement for all public sector bodies whose activities do not contribute to public order. This includes many standard administrative functions. It requires the provider to be established in the EU and keep data in the EU, which is a significant baseline for sovereignty.
• "The 'AI first' principle means we must use AI in every project." No. "AI first" means considering AI as a potential solution during the design phase of business processes. It is a strategic consideration, not a mandatory deployment requirement. If AI is not appropriate for a specific use case, that is a valid outcome of the assessment.
• "European added value criteria will make tenders too expensive." Article 32 explicitly states that these criteria must be ancillary and not decisive. They are part of the quality evaluation, not a price surcharge. Their purpose is to break ties between technically and financially equal bids by favoring those that strengthen the EU's digital sovereignty.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• CADA compliance for Italy: National strategy, procurement & AI first
• CADA compliance for Malta: National strategy, procurement and AI centres
• CADA compliance for Denmark: National strategy, procurement rules & AI Centres
• CADA in Croatia: National Strategy, Procurement Rules & AI Centres
• What must Latvia include in its national cloud and AI strategy under CADA?

This is general information about a draft EU regulation, not legal advice.