Cybersecurity · Latvia
Cybersecurity law in Latvia: NIS2 compliance (2026)
Latvia shaded by its cybersecurity status
Cybersecurity in Latvia: comprehensive law, anchored by National Cyber Security Law (Nacionālās kiberdrošības likums), in force 1 September 2024; implementing NIS2 (EU Directive 2022/2555); competent authority: National Cyber Security Centre (NCSC) under the Ministry of Defence, supported by CERT.LV.
Latvia adopted the National Cyber Security Law on 20 June 2024 (in force 1 September 2024), replacing the former Law on the Security of Information Technologies and fully transposing the EU NIS2 Directive. The law applies to over 2,000 essential and important service providers across sectors including energy, transport, banking, health, and digital infrastructure. Supplementary Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements' entered into force on 2 July 2025, detailing technical and organisational measures and incident-reporting procedures.
NIS2 & cybersecurity law in Latvia
In Latvia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to €10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Latvia implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Latvia: FAQ
Yes. As an EU member, Latvia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The National Cyber Security Law (adopted 20 June 2024, in force 1 September 2024) is Latvia's primary vehicle for transposing NIS2. It replaces the previous Law on the Security of Information Technologies and mirrors NIS2's essential/important entity classification based on sector and company size/turnover.
The National Cyber Security Centre (NCSC) was established on 1 September 2024 under the Ministry of Defence as the single competent authority and point of contact for NIS2 obligations. CERT.LV serves as the national CSIRT and operational incident-handling body.
Essential and important entities must report significant cybersecurity incidents to CERT.LV: an early warning within 24 hours of awareness (suspected cause, cross-border implications), followed by a full incident report within 72 hours. Reporting forms and procedures are governed by Cabinet Regulation No. 397 (in force 2 July 2025).
Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements', in force 2 July 2025, specifies mandatory technical and organisational security measures (risk management, business continuity, supply-chain security) and the self-assessment framework for covered entities.
Covered entities were required to register with the NCSC by 1 April 2025, appoint a designated Cybersecurity Manager by 1 October 2025, and submit their first self-assessment report by 1 October 2025.
Essential service providers face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face up to €7 million or 1.4% of turnover. Escalating enforcement includes warnings, binding directions, periodic penalties, service suspension, and a management-role ban of up to three years for repeated negligent breaches.
Timeline - major decisions & events
Latvia's National Cyber Security Law (Nacionālās kiberdrošības likums) replaced the 2010 Information Technologies Security Law, creating the National Cybersecurity Centre under the Ministry of Defence and expanding covered sectors beyond the NIS2 baseline. The law introduced mandatory cybersecurity managers, a National Cybersecurity Council, and self-assessment obligations with staggered compliance deadlines through October 2025.
Latvijas Vēstnesis (likumi.lv) ↗Intensive, targeted DDoS attacks began against Latvian public-sector and transport-sector internet resources, causing intermittent disruptions; CERT.LV characterised the volume as the highest in two years. The campaign, attributed to Russia-linked threat actors, illustrated Latvia's front-line exposure to cyber-enabled hybrid warfare and directly reinforced the urgency of the incoming National Cyber Security Law.
Latvijas Sabiedriskie Mediji (LSM – Latvian Public Broadcasting) ↗Latvia's parliament passed the National Cyber Security Law in final reading, transposing the EU NIS2 Directive ahead of the EU-wide October 2024 deadline and establishing stronger incident-reporting obligations, expanded sector coverage, and new governance structures including the National Cybersecurity Council. The new law also provided for the Constitutional Protection Bureau (SAB) and CERT.LV to play reinforced supervisory roles.
Latvijas Republikas Saeima ↗Latvia's Cabinet adopted its third national cybersecurity strategy, driven by Russia's full-scale invasion of Ukraine and the resulting surge in hybrid cyber threats against Baltic critical infrastructure. The strategy prioritised creation of the National Cybersecurity Centre, NIS2 transposition, resilience of critical infrastructure, and enhanced NATO and EU cooperation.
Latvijas Aizsardzības ministrija (Ministry of Defence) ↗Latvia's government adopted its second national cybersecurity strategy, defining five action areas: ICT system resilience, universal access to strategic systems, public awareness and education, international cooperation, and the rule of law in cyberspace. The strategy formalised implementation of NIS Directive obligations already in force and set the groundwork for sector-specific security requirements.
Latvijas Aizsardzības ministrija (Ministry of Defence) ↗CERT.LV, Latvia's national computer emergency response team, moved from the Ministry of Transport to oversight by the Ministry of Defence, reflecting the strategic reclassification of cybersecurity as a national security and defence matter. This institutional alignment prefigured the later embedding of all cybersecurity governance within the defence ministry structure.
CERT.LV ↗Latvia's parliament adopted the Law on the Security of Information Technologies (in force from 1 February 2011), formally establishing CERT.LV under the University of Latvia's Institute of Mathematics and Computer Science and creating statutory duties for incident handling and critical information infrastructure protection. The law served as the primary national cybersecurity instrument for 13 years until replaced in 2024.
Latvijas Vēstnesis (likumi.lv) ↗The Council of Europe Convention on Cybercrime became binding on Latvia (signed May 2004, ratified April 2007), harmonising Latvian criminal law with international standards on computer-related offences, electronic evidence, and mutual legal assistance. Latvia simultaneously joined the Additional Protocol criminalising racist and xenophobic content distributed through computer systems.
Council of Europe – Octopus Cybercrime Community ↗Latvia - other topics
Cybersecurity in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →