Summary
Under the proposed Cloud and AI Development Act (CADA), Latvia does not maintain a unique national list of sovereign cloud providers. Instead, it participates in a unified EU framework of four "Union assurance levels." Public bodies in Latvia must procure cloud services that meet the assurance level determined by their national risk assessment, with a mandatory minimum of Union assurance level 1 for all public sector activities. Providers seeking to serve these buyers must obtain formal recognition from their national competent authority and be listed in the European Commission's central repository of recognised services. Crucially, providers subject to third-country control face strict limitations, particularly at Levels 3 and 4, where they are generally excluded unless the third country is designated as "associated" under Article 18.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised regulatory framework to reduce the EU's dependence on non-European cloud providers and to protect public order by ensuring the operational autonomy and data sovereignty of cloud services used by public sector bodies. For cloud service providers and data centre operators targeting the Latvian market, understanding the Union cloud computing sovereignty framework is critical, as it dictates eligibility for public procurement contracts.
The Union Cloud Computing Sovereignty Framework and Assurance Levels
As proposed in Article 16, CADA establishes a Union cloud computing sovereignty framework comprising four distinct assurance levels. These levels define the criteria cloud computing service providers must meet to be considered "Union assured." The framework is designed to be proportionate, ensuring that public order is preserved while maintaining control and agency by public-sector bodies. The specific criteria for each level are detailed in Annex II.
- Union Assurance Level 1 (Baseline): This is the entry-level requirement for all public sector procurement. Providers must be established in the Union, and their infrastructure and assets (including those of subcontractors) must be located in the Union. Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors.
  - Third-Country Control: If a provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that there are no existing laws and practices in that third country that require the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited.
- Union Assurance Level 2 (Substantial): This level introduces stricter requirements for operational autonomy. Both the provider and its subcontractors must be established in the Union. Infrastructure, assets, and personnel must be located in the Union. Data generated by the service cannot be used to train or fine-tune AI systems operated by third countries, nor can it be transferred outside the Union.
  - Cybersecurity: Providers must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services (once established under Regulation (EU) 2019/881). Until such a scheme is established, national cybersecurity certification schemes shall apply where they exist. Where no Union or national schemes exist, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
  - Support: Technical and operational support must be initiated and performed exclusively within the Union.
- Union Assurance Level 3 (High): This level mandates that all personnel involved in providing the service, including subcontractors, must be Union citizens. Where appropriate, personnel must also have the necessary national security clearance issued by a Member State when handling classified information.
  - Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
  - Derogation: By way of derogation, a provider subject to third-country control may be audited for Level 3 where the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This requires the third country to have no measures enabling it to exercise control over the provider in a way that conflicts with EU data protection laws or compels service disruption.
  - Cybersecurity: Providers must obtain a European cybersecurity certificate of at least assurance level "substantial" (following the same fallback logic as Level 2).
- Union Assurance Level 4 (Highest): The highest level of assurance, intended for the most sensitive public order activities. It includes all requirements of Level 3 but adds that sensitive data identified through risk assessment must remain exclusively within the Union at all times.
  - Cybersecurity: Providers must obtain a European cybersecurity certificate of at least assurance level "high" (following the same fallback logic as Levels 2 and 3).
  - Software Control: Providers must demonstrate effective control over software components, ensuring that no third country holds effective control over their design, development, maintenance, or evolution.
Recognition and the Central Repository
For a provider to offer services to Latvian public bodies at any of these levels, it must undergo a formal recognition process. Article 17 outlines that providers submit an application for recognition to the national competent authority of their establishment.
- Level 1: Involves a conformity self-assessment and an EU statement of conformity.
- Levels 2, 3, and 4: Require a positive audit opinion from an independent auditing organisation, supported by an audit report.
Once recognised, the service is registered in a central repository. Article 22 mandates that the Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. The national competent authority that granted the recognition registers the service in this repository. This central repository is publicly available and serves as the single source of truth for buyers across the EU, including in Latvia, to identify which providers have met the necessary sovereignty criteria.
Implications for Buyers in Latvia
For organisations in Latvia, particularly public sector bodies, the choice of cloud provider is no longer a purely commercial decision; it is a compliance requirement driven by risk assessment. Article 29 requires Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. Based on these assessments, Article 30 dictates procurement obligations:
- Minimum Requirement: All Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised at Union assurance level 1.
- Higher Assurance Requirements: Contracting authorities in Latvia whose activities have been identified as contributing to the preservation of public order (e.g., in sectors falling under the NIS2 Directive, national security, defence, or justice) must only procure services recognised at Union assurance levels 2, 3, or 4, depending on the specific risk assessment outcomes.
This means that Latvian public bodies cannot simply choose the cheapest or most convenient provider. They must select from the list of providers in the Commission's central repository who hold the specific assurance level required for their operational context.
Distinguishing Sovereign Offerings from Non-EU Exposed Providers
A key objective of CADA is to mitigate risks associated with providers subject to third-country laws, such as the US CLOUD Act, which can compel data disclosure regardless of where the data is stored. The sovereignty framework distinguishes between providers based on control and jurisdictional exposure.
- EU/EEA-Controlled Sovereign Offerings: Providers that are established in the Union and not subject to the control of a third country (as defined in the criteria for Levels 2, 3, and 4) offer the highest degree of sovereignty. For Levels 3 and 4, the provider must not be subject to third-country control at all. This ensures that no foreign government can legally compel the provider to access customer data or disrupt service continuity.
- Providers Exposed to Non-EU Law: Providers that are subject to the control of a third country or a legal entity established in a third country face stricter scrutiny.
  - At Level 1, they must guarantee no pre-exploitation vulnerability reporting laws exist.
  - At Level 2, they must demonstrate that third-country control does not restrict their ability to perform services or grant access to data.
  - At Levels 3 and 4, such providers are generally excluded unless the Commission has specifically designated their home country as an "associated third country" under Article 18. This designation requires the third country to have no measures enabling it to exercise control over the provider in a way that conflicts with EU data protection laws or compels service disruption.
What this means for you
For cloud service providers and data centre operators looking to operate in Latvia under CADA, the path to market for public sector clients is structured around formal recognition and transparency.
- Assess Your Control Structure: Determine whether you are subject to third-country control. If you are a subsidiary of a non-EU parent, you must be prepared to demonstrate effective legal, technical, and organisational separation between the Union entity and the third-country parent. This is a prerequisite for Levels 2, 3, and 4.
- Prepare for Audits: If you aim for Level 2, 3, or 4, you must engage an independent auditing organisation to conduct a third-party audit. This audit will verify your compliance with the specific criteria in Annex II, including data localisation, personnel citizenship (for Levels 3 and 4), and software supply chain security.
- Apply for Recognition: Submit your application for recognition to the national competent authority of your establishment. If you are established in Latvia, you will work with Latvia's designated competent authority. If you are established in another Member State, your home authority will evaluate you, but Latvian authorities may raise objections during the 60-day review period.
- Monitor the Central Repository: Ensure your service is correctly registered in the Commission's central repository (Article 22). This is the primary tool Latvian public buyers will use to verify your status. Without being in this repository, you cannot be procured by Latvian public bodies for activities requiring sovereign assurance.
- Stay Updated on Risk Assessments: Monitor how Latvian public bodies classify their activities. As Latvia conducts its risk assessments under Article 29, the demand for higher assurance levels (2, 3, and 4) will grow in critical sectors like defence, justice, and critical infrastructure.
Common misconceptions
- "Latvia has its own list of sovereign providers." Incorrect. CADA establishes a single EU-wide framework. While Latvia's competent authority plays a role in recognition and enforcement, the list of recognised providers is maintained in a central EU repository, not a national one.
- "Level 1 is enough for all government use." Incorrect. While Level 1 is the minimum for all public sector activities, many Latvian public bodies will be classified as contributing to "public order" (e.g., police, tax administration, health data). These bodies will be required to procure Level 2, 3, or 4 services, depending on the sensitivity of the data and the criticality of the service.
- "Data localisation is the only requirement for sovereignty." Incorrect. While data localisation is a key component, sovereignty under CADA also encompasses operational autonomy, personnel citizenship (for higher levels), software supply chain control, and freedom from third-country legal compulsion. A provider can keep data in the EU but still be subject to foreign laws that allow data access or service disruption, disqualifying it from higher assurance levels.
- "Any EU-based provider is automatically sovereign." Incorrect. A provider established in the EU may still be subject to third-country control (e.g., via ownership or voting rights). Such providers must meet specific criteria to be recognised at Level 2, and are generally excluded from Levels 3 and 4 unless the third country is designated as "associated" under Article 18.
This is general information about a draft EU regulation, not legal advice.