NIS2 Latvia: what you need to know about compliance and certification
NIS2 entities
The Latvian cybersecurity law is relevant for both legal entities and natural persons (collectively referred to as “entities”) that are registered in Latvia and that supply products and/or services in an EU country. The Latvian cybersecurity law largely corresponds to the European NIS2 Directive.
The cybersecurity law explicitly defines which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.
In principle, your entity is subject to the Latvian cybersecurity law if:
- Your organisation provides services within a sector listed in Articles 20 (essential entities) or 21 (important entities) of the cybersecurity law;
- Your organisation exceeds the thresholds for medium-sized enterprises; and
- Your organisation is established in Latvia (with the exception of providers of public electronic communications networks and providers of public electronic communications services).
Please note: small enterprises may also fall within the scope of the cybersecurity law, for example if the entity in Latvia is the sole provider of an essential service or if it provides public electronic communications networks, public electronic communications services, trust services, top-level domain name registries or domain name registration services.
The cybersecurity law applies not only to the essential and important entities defined in its Articles 20 and 21, but also to critical information technology infrastructures.
What does this mean for my company?
1. Registration
Each entity must determine through a self-assessment whether it falls within the scope of the Latvian Cybersecurity Law. The Ministry of Defence provides the NKDL test for this purpose, an online tool that guides you through important factors such as the sector and size of the entity. By 1 April 2025 at the latest, the entity must notify the NCSC of its categorisation as an essential or important entity by means of a registration form. As an essential or important entity, you must provide the NCSC with the following information:
- Name and details of the entity
- Sector
- Registered address
- List of essential and important services provided
- Current contact details of the entity/director
- List of countries where the entities provide services
- IP address range
2. Control measures
Each entity must identify the risks in the field of cybersecurity and assess the consequences these may have for the confidentiality, integrity and availability of its information systems. Based on this analysis, each information system must be assigned a category: A (enhanced security), B (basic security) or C (minimal security). This is done in accordance with the procedure laid down in the Regulation.
If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems.
As mentioned earlier, Latvia has already transposed the NIS2 Directive into national law, but there is a delay in the adoption of the regulations of the Cabinet of Ministers laying down the specific technical and organisational cybersecurity requirements.
However, this does not mean that you cannot take any action today to implement control measures. It is recommended that you start implementing the minimum set of management measures included in the NIS2 Directive:
- Policy for risk analysis and security of information systems
- Incident management
- Business continuity and crisis management
- Supply chain security
- Security when acquiring, developing and maintaining network and information systems, including response to and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of cyber security risk management measures
- Cyber hygiene and cyber security training
- Policies and procedures on cryptography and, where applicable, encryption
- Security aspects relating to personnel, access policy and asset management
- Where appropriate, multi-factor authentication, secure communication and secure emergency communication systems within the entity
- Policy for coordinated disclosure of vulnerabilities
Furthermore, as an essential or important entity, you must appoint a cybersecurity manager who is responsible for implementing and monitoring the cybersecurity measures. The requirements that this cybersecurity manager must meet are determined by the government.
In Implementing Regulation 2024/2690, the European Commission has elaborated the above minimum measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking service providers and trust service providers.
3. Reporting obligation for significant incidents
Important and essential entities are required to notify the supervisory authorities when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of the services referred to in Articles 20 and 21 of the Latvian Cybersecurity Law.
According to the NIS2 Directive, an incident is considered significant if it:
- has caused or is likely to cause a serious operational disruption of the services or financial losses for the entity concerned; or
- has affected or is likely to affect other natural or legal persons by causing substantial material or non-material damage.
The significant incident shall be reported by the essential and important entity to CERT.LV by telephone or email in accordance with the following procedure:
- Without delay, and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning indicating the suspected cause and any cross-border implications;
- Without delay, and in any event within 72 hours of becoming aware of the significant incident, the entity shall submit an incident report containing an update of the information provided and an initial assessment of the incident;
- At the request of the competent CSIRT, the entity shall submit an interim report;
- No later than one month after the incident report, the entity shall submit a final report stating:
  - A detailed description of the incident, as well as its severity and consequences;
  - The type of threat or root cause that is likely to have led to the incident;
  - Risk mitigation measures applied and ongoing;
  - The cross-border impact of the incident, if applicable.
- If the incident is still ongoing one month after the incident report, the entity must submit a progress report at that point, and the final report must then be submitted within one month of the incident being resolved.
In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers and social networking service providers, and trust service providers. These special rules take precedence over national rules in the event of any conflict.
Finally, all entities, regardless of whether they fall within the scope of the cybersecurity law, can voluntarily report (significant) incidents, cyber threats and near misses.
4. Obligations and responsibilities of management
The management bodies of essential and important entities are responsible for compliance with the cybersecurity law and must fulfil various obligations, including:
- Appointing a cybersecurity manager to coordinate and supervise the implementation of cybersecurity measures by 1 October 2025
- Approving the cybersecurity management measures
- Undertaking training, at least once per calendar year, to acquire sufficient knowledge and skills to identify risks and to assess the management measures and their impact on the entity's services
- Continuously training the entity's employees in the field of cybersecurity
The management bodies are liable for non-compliance with the Latvian cybersecurity law.
5. Cooperation with authorities
Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
How can I demonstrate that my company complies with the NIS2 legislation?
To check whether an entity complies with the Latvian cybersecurity law, each entity must complete a self-assessment. This must be submitted to the supervisory authority by 1 October 2025. In the self-assessment report, for which the government provides a standard form, the entity indicates which rules it follows and how it does so. For owners and managers of important ICT systems and category A information systems, this report is mandatory every year. Other organisations must submit such a self-assessment once every three years.
Penetration tests and security scans must also be carried out; for class A information systems, this is mandatory once every three years.
As indicated in the section “Enforcement and sanctions” below, the competent authorities carry out inspections at the essential and important entities to check compliance with the cybersecurity law.
The entity may have an independent cybersecurity audit carried out by an accredited Conformity Assessment Body (CAB). Based on this independent conformity assessment, the entity can obtain a certificate demonstrating compliance with the NIS2 Act to stakeholders. An important international standard that can be used for this purpose is ISO/IEC 27001. The supervisory authority may also require essential and important entities to have such an audit carried out.
Enforcement and sanctions
The competent authority shall carry out inspections to verify compliance by cybersecurity entities with the requirements laid down in the cybersecurity law. A distinction must be made between essential and important entities:
- Essential entities are subject to both proactive (ex-ante) and reactive (ex-post) checks.
- Important entities are in principle only checked reactively, after an incident or in the event of suspected non-compliance with the law.
The Latvian cybersecurity law provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and seriousness of the infringement and are divided into administrative measures and administrative fines.
Possible administrative measures that may be imposed include issuing warnings, temporarily prohibiting the performance of management functions, requiring the entity to take certain measures, etc.
Administrative fines are also laid down by law and can amount to up to €10,000,000 or 2% of the total worldwide annual turnover for an essential entity or for the legal owner of critical information and communication technology infrastructure. For important entities, the maximum fine is €7,000,000 or 1.4% of the total worldwide annual turnover. These administrative fines are imposed by the National Cyber Security Centre or the Constitution Protection Bureau.
Timeline
- 14 December 2022: European NIS2 Directive adopted
- 16 January 2023: European NIS2 Directive enters into force
- 1 September 2024: Latvian cybersecurity law enters into force
- 1 April 2025: Completion of self-assessment and registration
- 1 October 2025: Appointment of a cybersecurity manager
- 1 October 2025: Submission of the first self-assessment report
Competent authorities
In Latvia, various authorities are involved in shaping and implementing cybersecurity policy. The coordination and implementation of these policy measures are divided among different agencies, each with specific responsibilities.
The Ministry of Defence is formally responsible for formulating and implementing national cybersecurity policy. The Ministry of Defence supports the work of the National Council for Information Technology Security and the Digital Security Supervisory Commission.
The National Cyber Security Centre (NCSC) acts as the central point of contact for cybersecurity issues, monitors the implementation of national cybersecurity requirements and develops initiatives for national cybersecurity policy.
The Cyber Incident Response Institution of the Republic of Latvia (CERT.LV) is responsible for strengthening IT security by collecting incident reports of cyber attacks.
The Constitution Protection Bureau is a state security service. Its main tasks are intelligence, counter-espionage and the protection of state secrets. It supervises owners and lawful possessors of critical infrastructure and ensures compliance.
For more information on NIS2 in Latvia, please consult the website of the Ministry of Defence.