Summary Under the proposed Cloud and AI Development Act (CADA), Latvia faces three critical, time-bound obligations triggered by the regulation's entry into force. First, Latvia must designate at least one data centre acceleration zone within six months of entry into force. Second, it must establish a national cloud and AI strategy and designate a national competent authority within one year. Finally, the strategy must be notified to the Commission within three months of its adoption. Because CADA is currently a proposal (COM(2026) 502 final), these dates are conditional on the final legislative text and its subsequent publication in the Official Journal.

Detail

The Cloud and AI Development Act (CADA) establishes a synchronized timeline for Member States to align their national infrastructure and regulatory frameworks with Union-wide sovereignty and capacity goals. For Latvia, as for all Member States, the "clock" does not start on a fixed calendar date but on the day the regulation enters into force.

According to Article 48 of the proposal, the regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. It generally applies one year after entry into force, but specific obligations have earlier, mandatory deadlines. The following breakdown details the precise timeline Latvia must adhere to under the current proposal.

1. Data Centre Acceleration Zones: 6-Month Deadline

The most immediate obligation concerns physical infrastructure capacity. Article 10(1) explicitly mandates that where data centre capacity is being deployed within the territory of a Member State, that state "shall designate at least one data centre acceleration zone" within its territory by the date of entry into force plus six months.

This designation is not merely a planning exercise; it triggers a cascade of administrative and technical requirements. Once designated, Latvia must ensure that these zones benefit from streamlined permitting processes. Under Article 13, data centre projects deployed in these zones are considered "strategic projects" for the purposes of environmental assessments, allowing them to benefit from a dedicated acceleration toolbox.

Furthermore, Article 10(2) requires Latvia to conduct a comprehensive analysis of the energy needs and greenhouse gas impacts of these zones. This analysis must be reviewed at least every three years and must inform national network development plans to ensure anticipatory grid investments. Failure to designate a zone within the six-month window would delay the legal framework for accelerating data centre deployment, potentially hindering Latvia's ability to meet the Union's broader compute capacity targets.

2. National Cloud and AI Strategy: 1-Year Deadline

Parallel to infrastructure designation, Article 7(1) requires Member States to establish a national cloud and AI strategy by the date of entry into force plus one year. This strategy is the central policy document guiding Latvia's approach to the cloud and AI ecosystem.

The strategy is not a generic digital plan; it must include specific, mandatory elements outlined in Article 7(2), including:

  • Key objectives and priorities for adoption, aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Specific measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient facilities.
  • Plans for investing in high-intensity computing infrastructure, such as AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies built on open hardware and software.

Recital 33 clarifies that if Latvia already possesses a national strategy that adequately covers these objectives, it is not required to draft a new document. However, if gaps are identified, the existing strategy must be updated to ensure full alignment with CADA's objectives. The strategy must also be assessed at least every three years and updated as necessary.

3. Notification of the Strategy: 3 Months After Adoption

Once Latvia adopts its national cloud and AI strategy, the timeline tightens. Article 7(5) stipulates that Member States "shall notify the Commission of their national strategies within three months of their adoption."

This notification is a critical transparency mechanism. It allows the Commission to monitor the consistency of national strategies across the Union and ensure they contribute to the associated digital targets established under the Digital Decade Policy Programme. The Commission is tasked with monitoring the adoption and revision of these strategies, ensuring that national plans do not diverge from the Union's collective goals for competitiveness and strategic autonomy.

4. National Competent Authority: 1-Year Deadline

Running parallel to the strategy deadline is the requirement to establish the regulatory enforcement body. Article 25(1) mandates that Member States designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework (Title IV) by the date of entry into force plus one year.

These authorities will hold significant powers, including the ability to:

  • Recognize cloud computing service providers at Union assurance levels 1 through 4.
  • Conduct investigations and impose penalties for infringements.
  • Cooperate with competent authorities in other Member States and the Commission.

Article 25(2) requires Latvia to notify the Commission of the names of these authorities, along with their specific tasks and powers. The Commission will maintain a public register of these authorities. Crucially, Article 25(4) establishes that the Member State where the cloud provider has its main establishment (in this case, Latvia, for Latvian providers) has exclusive competence for enforcing the sovereignty chapter. Without a designated authority by the one-year mark, the mechanism for recognizing sovereign cloud services in Latvia would remain legally incomplete.

What this means for you

For public-sector bodies, procurement officers, and IT stakeholders in Latvia, these deadlines are not abstract administrative dates; they define the operational readiness of the national digital ecosystem.

Procurement Readiness: The designation of the national competent authority is a prerequisite for the practical application of the sovereignty framework. Until the authority is designated and operational, the formal recognition of cloud providers at Union assurance levels (2, 3, or 4) cannot be completed. This creates a potential bottleneck for public procurement of critical services. Procurement officers must anticipate that the "sovereign cloud" procurement rules under Article 30 will only become fully actionable once the authority is in place and the national strategy has identified which activities require higher assurance levels.

Infrastructure Planning: The six-month deadline for acceleration zones is a critical trigger for spatial and energy planning. If your organization is involved in site selection or infrastructure development, you must engage with national and local authorities immediately. The designation of these zones determines where streamlined permitting applies and where grid connection assessments will be prioritized. Delaying the identification of potential sites could result in missing the window to benefit from the accelerated permitting regime under Article 13, potentially delaying the deployment of new capacity by years.

Strategic Input: The national cloud and AI strategy will shape the future procurement landscape. Public sector bodies should actively contribute to the drafting of this strategy to ensure it addresses specific barriers to adoption, such as skills gaps or procurement complexity. The strategy must include measures to support the uptake of cloud services by public sector bodies, as required by Article 7(2)(b).

Compliance Monitoring: The requirement to assess the national strategy every three years means that compliance is an ongoing process, not a one-off event. Organizations should prepare for periodic reviews of their cloud and AI adoption plans to ensure they remain aligned with the updated national strategy.

Common misconceptions

Misconception 1: The deadlines are fixed calendar dates (e.g., "by 2027"). This is incorrect. The deadlines are relative to the regulation's entry into force. If the legislative process is delayed, or if the final text is published later than anticipated, all deadlines shift accordingly. The "clock" starts only upon publication in the Official Journal. Stakeholders must monitor the Official Journal for the specific entry-into-force date to calculate their internal timelines accurately.

Misconception 2: Existing digital strategies are automatically compliant. Latvia may have existing national digital or AI strategies. However, CADA requires specific, granular content, such as measures for high-intensity computing, open-source promotion, and specific data centre deployment targets. If the current strategy lacks these elements, it must be updated. Recital 33 clarifies that a new strategy is not needed if the existing one is "adequate," but "adequate" is a high bar requiring full coverage of CADA's objectives.

Misconception 3: Acceleration zones are optional or pilot programs. Article 10(1) uses the mandatory "shall designate." Latvia is legally required to designate at least one zone. This is not a voluntary pilot but a binding obligation to facilitate data centre deployment. Failure to designate a zone would constitute a breach of the regulation once it is in force.

Misconception 4: The competent authority can be designated later without consequence. The one-year deadline for designating the competent authority under Article 25(1) is strict. This authority is the gatekeeper for the sovereignty framework. Without a designated authority, the recognition process for Union assurance levels cannot formally begin. This could delay the ability of Latvian public bodies to procure sovereign cloud services for public-order-relevant activities, as required by Article 30(3).

Official sources

Related

This is general information about a draft EU regulation, not legal advice.