Latvia
(a) What is the NIS2 implementation status?
The National Cybersecurity Law (NCL), which implements NIS2, was adopted by the Saeima (the Parliament of Latvia) in its third and final reading on 20 June 2024. The Cabinet of Ministers is now expected to pass regulations and issue instructions on a broad range of cybersecurity matters by 17 October 2024.
(b) What is the envisaged NIS2 implementation timeline?
The NCL came into force on 1 September 2024.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The NCL repealed the Law on the Security of Information Technologies, which had been in force since 1 February 2011. It empowers the Cabinet of Ministers to pass regulations and issue instructions on a broad range of cybersecurity matters, including minimum cybersecurity requirements, which cover (i) self-assessment and notification obligations, (ii) requirements for cybersecurity managers and auditors, (iii) standards for the information and communication technology (ICT) resource catalogue, (iv) methodology for classifying information systems into security categories, (v) standards for cybersecurity risk management and ICT continuity plan, and (vi) criteria for evaluating and reporting cybersecurity incidents.
(d) Who will be the supervisory authority and how are they preparing the market?
The National Cybersecurity Centre (NCC) is the primary authority responsible for cybersecurity matters. It serves as the central contact point for addressing cybersecurity issues, overseeing national cybersecurity efforts, developing cybersecurity policies, and fostering international collaboration in the cybersecurity domain. The NCC also monitors the cybersecurity practices of “essential” and “important” service providers, except for the operators of critical ICT infrastructure. Cybersecurity of critical ICT infrastructure has historically been managed by the Constitution Protection Bureau.
(e) What should you be doing/on the lookout for?
The Ministry of Defence estimates that the NCL will apply to approximately 2,000 entities. Articles 20 and 21 of the NCL outline the criteria for classifying service providers as either “essential” or “important,” while the Cabinet of Ministers is responsible for approving the list of critical ICT infrastructure.

Step No 1: Self-Assessment of NCL Status
Each service provider must carry out a self-assessment to determine whether it falls within the scope of the NCL. The service provider should consider factors such as its legal status, place of registration, size, sector, and criticality during the self-assessment. The Ministry of Defence has developed an interactive online test to assist relevant entities with the self-assessment under the NCL (the NCL Test is available in Latvian only).

Step No 2: Notification of NCL Status
If an entity meets the eligibility criteria to be classified as an “essential” or “important” service provider, it must notify the National Cybersecurity Centre of its status under the NCL by 1 April 2025. The notification form for reporting NCL status will be introduced later through the regulations of the Cabinet of Ministers on minimum cybersecurity requirements.

Step No 3: Appointment of a Cybersecurity Manager
The NCL subject must appoint a cybersecurity manager by 1 October 2025. The forthcoming regulations of the Cabinet of Ministers on minimum cybersecurity requirements will set out the qualifications and security standards required for cybersecurity managers. The appointment of a cybersecurity manager must be formally notified to the National Cybersecurity Centre or the Constitution Protection Bureau by submitting the relevant form.

Step No 4: Development of an ICT Resource Catalogue
The NCL subject must review its ICT architecture and infrastructure, information systems, and ICT-driven products and services to create and maintain an up-to-date catalogue of ICT resources. The minimum information required for this catalogue will be outlined in the forthcoming regulations of the Cabinet of Ministers on minimum cybersecurity requirements.

Step No 5: Categorisation of Information Systems
The NCL subject must assess each catalogued information system to determine its security category by evaluating the impact values (high, moderate, or low) for each security objective (confidentiality, integrity, and availability) of the information types processed by the respective information system. The forthcoming regulations of the Cabinet of Ministers on minimum cybersecurity requirements will outline the methodology for classifying information systems into three specific security categories: (i) Category A (highest security), (ii) Category B (basic security), and (iii) Category C (minimum security).

Step No 6: Development of Cybersecurity Policy and Continuity Plan
The NCL subject must develop two key internal documents: (i) a cybersecurity policy, which outlines cybersecurity principles and objectives, the organisational structure of the cybersecurity department, ICT-driven products and services, and associated cybersecurity risks; and (ii) a cybersecurity risk management and ICT continuity plan, which details the methodology for assessing cybersecurity risks, provides a comprehensive risk assessment, outlines a risk mitigation action plan, and includes a crisis management plan for cybersecurity incidents. The cybersecurity policy and the ICT continuity plan must be reviewed and updated regularly, but no less frequently than annually.

Step No 7: Cybersecurity Training for Personnel
The NCL subject must organise regular cybersecurity training for employees across all relevant departments, with particular emphasis on ICT-related personnel. Additionally, periodic upskilling sessions should be systematically conducted to ensure that all employees stay up to date with the latest developments and best practices in cybersecurity.

Step No 8: Notification of Cybersecurity Incidents
The NCL subjects must promptly report major cybersecurity incidents to the cybersecurity incident prevention institution, CERT.LV. An early warning of a major cybersecurity incident must be submitted immediately, but no later than within 24 hours. The initial report on such an incident must be provided within 72 hours, while the final report must be presented to CERT.LV within 30 days. The NCL also encourages the reporting of cybersecurity incidents of lesser magnitude, near-miss incidents, and cybersecurity threats.

Step No 9: Submission of a Self-Assessment Report
The NCL subject must complete and submit a self-assessment compliance report to the NCC by 1 October 2025. The report should detail the level of compliance with the minimum cybersecurity requirements, including the implementation of appropriate and proportionate technical and organisational measures to manage cybersecurity risks and respond to cybersecurity incidents.

Gross non-compliance with the NCL requirements may result in penalties of (i) up to EUR 10 million or up to 2% of net turnover for “essential” service providers, (ii) up to EUR 7 million or up to 1.4% of net turnover for “important” service providers, and (iii) up to EUR 10 million or up to 2% of net turnover for operators of critical ICT infrastructure.
Contact
Dmitrijs Ņemirovskis E: dmitrijs.nemirovskis@eversheds-sutherland.lv
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.