Who is Latvia's national competent authority under CADA?

Summary As proposed in the Cloud and AI Development Act (CADA), COM(2026) 502 final, Latvia is required to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. The specific identity of this authority has not yet been determined, as CADA is currently a proposal; however, Latvia may designate an existing body or create a new one. Once designated, this authority would hold exclusive competence for enforcing the sovereignty chapter against providers whose main establishment is in Latvia. It would wield significant powers, including the ability to request information, conduct inspections, order the cessation of infringements, and impose fines or periodic penalty payments. The European Commission would maintain a public register of these authorities to ensure transparency.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised governance structure for cloud sovereignty across the EU, relying on a network of national competent authorities. For Latvia, the obligations, powers, and limitations of this authority are strictly defined in Title IV, Chapter I, Sections 4 and 5 of the proposal.

Designation Timeline and Flexibility

Article 25(1) of the CADA proposal mandates that Latvia must designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. This designation must occur by [date of entry into force plus one year].

The proposal offers flexibility in how Latvia fulfils this obligation. The text explicitly states that Latvia "may designate an existing authority or existing authorities" rather than being forced to create a new administrative body from scratch. This allows Latvia to leverage existing expertise, potentially within its cybersecurity, data protection, or communications regulatory frameworks, provided the designated body is granted the necessary resources and powers.

Exclusive Competence: The "Main Establishment" Rule

A cornerstone of the CADA enforcement model is the principle of exclusive competence based on the provider's location. Article 25(4) establishes that the Member State in which a cloud computing service provider has its main establishment has exclusive competence for enforcing Chapter I of Title IV.

The proposal defines "main establishment" as the place where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

• Scenario A: If a cloud provider's main establishment is in Latvia, the Latvian competent authority is the sole evaluator and enforcer for that provider across the entire Union. No other Member State's authority can independently enforce the sovereignty rules against this provider.
• Scenario B: If a provider is established in Germany but operates services in Latvia, the German authority holds exclusive competence. However, Latvian authorities may still engage via mutual assistance mechanisms (Article 27) if they suspect non-compliance affecting their territory.

This "one-stop-shop" approach is designed to prevent fragmented enforcement and regulatory arbitrage.

Public Register and Transparency

To ensure legal certainty for cloud providers and public sector buyers, Article 25(2) requires Latvia to notify the European Commission of the names of its competent authorities, along with their specific tasks and powers.

The Commission is then obliged to maintain a public register of these authorities. This register serves as the definitive, Union-wide source for identifying which national body holds jurisdiction over a specific provider. This transparency is critical for providers seeking recognition under Article 17 and for contracting authorities verifying the legitimacy of a provider's assurance level.

Investigative and Enforcement Powers

Once designated, the Latvian competent authority would wield robust powers under Article 26 to ensure effective supervision of cloud computing service providers seeking recognition for Union assurance levels (Levels 1–4).

Investigative Powers (Article 26(1))

To uncover potential infringements, the authority would have the power to:

• Require Information: Demand that cloud providers, and any persons acting for trade or business purposes who may reasonably be expected to hold relevant information (including auditing organisations), provide information as soon as possible.
• Conduct Inspections: Carry out, or request a judicial authority to order, inspections of any premises used for trade, business, or professional purposes. This includes the power to examine, seize, take, or obtain copies of information relating to suspected infringements, irrespective of the storage medium.
• Request Explanations: Ask members of staff or representatives of providers to give explanations regarding suspected infringements and, with their consent, record these answers by technical means.

Enforcement Powers (Article 26(2))

If an infringement is confirmed, the authority would have the power to:

• Order Cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement to bring it effectively to an end.
• Impose Fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including non-compliance with investigative orders.
• Impose Periodic Penalty Payments: Impose periodic penalty payments to ensure an infringement is terminated in compliance with an order issued pursuant to the cessation power, or for failure to comply with investigative orders.

These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)).

Penalties and Compensation Framework

While Article 26 grants the authority the power to impose penalties, Article 24 outlines the broader penalty landscape. Member States, including Latvia, must lay down the specific rules on penalties applicable to infringements of Chapter I by cloud computing service providers. These penalties must be effective, proportionate and dissuasive.

When imposing penalties, authorities must consider non-exhaustive criteria such as:

• The nature, gravity, scale, and duration of the infringement.
• Any action taken to mitigate or remedy the damage.
• Any previous infringements by the party.
• Financial benefits gained or losses avoided.
• The infringing party's annual turnover in the preceding financial year in the Union.

Crucially, Article 24(3) establishes that recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under this Chapter.

Cross-Border Cooperation

While the state of main establishment holds exclusive competence, CADA emphasises cross-border cooperation to address systemic risks.

• Mutual Assistance (Article 27): Competent authorities and the Commission must cooperate closely. A competent authority may request specific information from other Member States' authorities to exercise its investigative powers. The receiving authority must comply and inform the requester within two months.
• Cross-Border Cooperation (Article 28): If a "competent authority of destination" (e.g., a Latvian authority if a provider operates there) suspects a provider no longer meets the requirements, it may request the "competent authority of establishment" (e.g., the provider's home state) to assess the matter and take necessary measures. The establishment authority must communicate its assessment within two months.

What this means for you

For in-house counsel, compliance officers, and cloud providers operating in or from Latvia, the proposed designation of a national competent authority under CADA introduces a new layer of regulatory scrutiny.

1. Determine Your Jurisdiction: Immediately assess whether your organisation's main establishment (head office/registered office with operational control) is in Latvia. If yes, you will fall under the exclusive jurisdiction of the Latvian competent authority for all Union-wide recognition and enforcement matters. If your main establishment is elsewhere, you must coordinate primarily with that state's authority, though you may still interact with Latvian authorities regarding local operations.
2. Prepare for Scrutiny: Under Article 26(1), the competent authority has the power to demand information and conduct on-site inspections. Ensure your internal documentation regarding sovereignty assurance levels, subcontractor due diligence, and audit evidence (as per Annex II and III) is readily accessible, accurate, and compliant.
3. Monitor the Public Register: Keep a close watch on the Commission's public register (Article 25(2)) to identify the specific Latvian body once designated. This will be your primary point of contact for recognition applications under Article 17 and for any enforcement communications.
4. Assess Penalty Exposure: Be aware that non-compliance can lead to significant financial penalties, including fines and periodic penalty payments (Article 26(2)), as well as civil liability for damages to service recipients (Article 24(3)). Ensure your governance frameworks are robust to mitigate these risks.
5. Engage Proactively: Given the authority's power to order the cessation of infringements, early dialogue on any potential compliance gaps is advisable. Proactive engagement can facilitate smoother recognition processes and demonstrate good faith.

Common misconceptions

• "CADA has already named Latvia's competent authority."
  • Correction: CADA is a proposal. It does not name specific national authorities. It only mandates that Latvia (and other Member States) designate one or more authorities within one year of the Regulation's entry into force. The specific body may be an existing agency (e.g., the State Chancellery, the Data State Inspectorate, or the Communications Regulatory Board) or a new entity, but this will be determined by Latvian national law implementing the Regulation.
• "Any Member State can enforce against a provider based on where the service is used."
  • Correction: Article 25(4) establishes that the Member State of the provider's main establishment has exclusive competence for enforcement. While other states can request assistance or flag issues (Article 28), the primary enforcement power lies with the state of establishment.
• "The competent authority only handles administrative paperwork."
  • Correction: Article 26 grants the authority strong investigative and enforcement powers, including the ability to conduct inspections, seize information, order cessation of infringements, and impose fines. It is not merely a passive registry.
• "Penalties are fixed by CADA."
  • Correction: CADA sets out criteria for penalties (Article 24(2)) and requires them to be effective, proportionate, and dissuasive, but it does not set fixed fine amounts (unlike the AI Act). Latvia will determine the specific penalty rules and amounts in its national implementing legislation.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• Who is Sweden's national competent authority under CADA?
• Who is Spain's national competent authority under CADA?
• Who is Slovenia's national competent authority under CADA?
• Who is Slovakia's national competent authority under CADA?
• Who is Romania's national competent authority under CADA?

This is general information about a draft EU regulation, not legal advice.