Overview of Latvia’s Cybersecurity Law and Comparison with the NIS2 Directive

Latvia has transposed the NIS 2 Directive into its local legislation by publishing its National Cybersecurity Law in July 2024 — in Latvian it is called “Nacionālās kiberdrošības likums.”

So, how does this Latvian Cybersecurity Law compare with the NIS 2 Directive, and what are the additional requirements?

Latvia’s Cybersecurity Law follows the EU’s NIS2 Directive very closely when it comes to governance, cybersecurity measures, and incident reporting. Latvia’s law widens the scope a bit further than NIS2, clarifies some points from NIS2 about assessment and supervision, and introduces the role of cybersecurity manager.

The basics of Latvia’s Cybersecurity Law

As prescribed by the NIS2 Directive, the main purpose of Latvia’s Cybersecurity Law is to reduce cybersecurity risks for the organizations within its scope (essential and important entities) and to increase the resilience of their network and information systems. It also defines the main roles of the government bodies that enforce cybersecurity in Latvia.

The official text of Latvia’s Cybersecurity Law can be found here (in Latvian): https://likumi.lv/ta/id/353390-nacionalas-kiberdrosibas-likums. It replaces the previous Information Technology Security Law.

The rest of this article focuses on the cybersecurity requirements that essential and important entities must comply with, not on the role of the government bodies that enforce compliance with the Cybersecurity Law.

Similarities and differences

The key similarities and differences between Latvia’s Cybersecurity Law and the NIS 2 Directive are summarized below. Each item shows how Latvia’s Cybersecurity Law compares with the NIS2 Directive:

  • Which companies must comply: Similar criteria as in the NIS2 Directive, but only for companies that are registered in Latvia. Some exceptions exist for electronic communications providers and critical infrastructure entities.
  • Deadlines: The National Cybersecurity Law went into effect on September 1, 2024. Organizations covered by the law are required to determine their status and register by April 1, 2025, and to appoint a cybersecurity manager and submit their first self-assessment report by October 1, 2025.
  • Responsibilities of senior management: The same as in the NIS 2 Directive (see Article 20), but the Cybersecurity Law additionally requires entities to appoint a cybersecurity manager.
  • Importance of training: The same as in the NIS 2 Directive (see Article 20), but the Cybersecurity Law requires the cybersecurity manager to go through special training.
  • Risk-based approach to cybersecurity: The same as in the NIS 2 Directive (see Article 21).
  • Cybersecurity measures: The same as in the NIS 2 Directive (see Article 21).
  • Supply chain security: The same as in the NIS 2 Directive (see Article 21).
  • Incident reporting obligations: The same as in the NIS 2 Directive (see Article 23).
  • Using certified IT products and services: The same as in the NIS 2 Directive (see Article 24).
  • Supervision and enforcement: A self-assessment report must be submitted to the authorities; the authorities may conduct a compliance audit or order the entity to conduct an external audit.
  • Fines: The same as in the NIS 2 Directive (see Article 34).
  • Completely new requirements: A cybersecurity manager must be appointed; the cybersecurity manager performs a security review once a year; a self-assessment must be performed; vulnerabilities must be disclosed to the authorities; additional obligations apply to data centers.

Which companies must comply with Latvia’s Cybersecurity Law?

As in the NIS2 Directive, Latvia’s Cybersecurity Law defines that essential and important entities must comply with the law.

However, there are some differences:

  • Only companies registered in Latvia must comply with Latvia’s Cybersecurity Law. The exceptions are providers of public electronic communications networks and providers of publicly available electronic communications services: they must comply with the Cybersecurity Law if they provide services in Latvia, regardless of where they are registered.
  • Article 20 of the law defines that a company that is the sole provider of an economic activity in one of the sectors listed in that article is considered an essential entity regardless of its size.
  • Similarly, article 21 of the law defines that a company that is the sole provider of an economic activity in one of the sectors listed in that article is considered an important entity regardless of its size.
  • In its article 3, the law also defines that “owners and legal holders of critical infrastructure for information and communication technologies” must also comply, regardless of whether they are considered essential or important.

See also: Which companies must comply with NIS 2? Essential vs. important entities.

Deadlines

Whereas EU member states had to transpose the NIS2 Directive into national law by October 17, 2024, Latvia’s Cybersecurity Law went into effect already on September 1, 2024.

The law sets several deadlines:

  • By October 17, 2024, the government must adopt numerous regulations regarding implementation.
  • By April 1, 2025, additional detailed regulations on data centers and other areas must be issued.
  • Entities must self-assess their status as essential or important service providers for the first time by April 1, 2025.
  • The list of essential and important service providers must be approved by April 17, 2025.
  • By October 1, 2025, entities must notify the authorities of their appointed cybersecurity manager and submit their first self-assessment report.

Supervision and enforcement

Article 25 of the Latvian Cybersecurity Law requires companies to, “at least once a year, carry out a security review of information and communication technologies and, in accordance with its results, organize the rectification of any deficiencies identified.”

Further, article 43 prescribes the obligation to send a self-assessment report to the authorities, and that further details of this report will be defined by the government.

Article 44 enables the authorities to carry out a compliance audit, or to order an entity to carry out an external audit of its compliance with cybersecurity requirements.

New requirements in Latvia’s Cybersecurity Law

There are several novelties in Latvia’s Cybersecurity Law when compared to NIS2:

  • Companies must appoint a cybersecurity manager, i.e., “a person responsible for implementing and overseeing the implementation of cybersecurity measures in that entity” according to article 25.
  • Owners or legal holders of critical infrastructure for information and communication technologies must appoint their cybersecurity manager in consultation with the authorities.
  • The cybersecurity manager must perform a security review as described in the previous section.
  • Data centers hosting government systems have added obligations, including potential installation of Security Operations Centers (SOCs) under the supervision of the authorities.
  • Article 39 defines that “if a person detects a vulnerability in the subject’s information system or electronic communications network, he shall immediately, but no later than within five working days, submit a vulnerability disclosure report to the competent cyber incident response authority.”

Requirements that are the same as in the NIS2 Directive

There is a lot in Latvia’s Cybersecurity Law that is practically the same as in NIS 2, as summarized in the table above: responsibilities of senior management, the risk-based approach, cybersecurity measures, supply chain security, incident reporting obligations, the use of certified IT products and services, and fines.

However, the law leaves the details of these items to regulations that the Latvian government will issue, for example rules for data centers, early warning sensors, and how risk management must be performed.

Latvia’s Cybersecurity Law vs. the NIS2 Directive

Overall, Latvia’s Cybersecurity Law follows the NIS2 Directive very closely, especially related to governance, cybersecurity measures, and incident reporting.

Latvia’s law widens the scope somewhat beyond NIS2, clarifies some points of NIS2 regarding assessment and supervision, and introduces the role of the cybersecurity manager.

Of course, it remains to be seen what kind of regulations the Latvian government will make with regards to cybersecurity implementation, since this will influence the compliance efforts a lot.

To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.