Skip to content
World Watch/Latvia/Cybersecurity

Cybersecurity · Latvia

Cybersecurity law in Latvia: NIS2 compliance (2026)

Comprehensive lawNational Cyber Security Law (Nacionālās kiberdrošības likums), in force 1 September 2024; implementing NIS2 (EU Directive 2022/2555); competent authority: National Cyber Security Centre (NCSC) under the Ministry of Defence, supported by CERT.LVCountry index 96 · A+

Latvia shaded by its cybersecurity status

Cybersecurity in Latvia: comprehensive law, anchored by National Cyber Security Law (Nacionālās kiberdrošības likums), in force 1 September 2024; implementing NIS2 (EU Directive 2022/2555); competent authority: National Cyber Security Centre (NCSC) under the Ministry of Defence, supported by CERT.LV.

Latvia adopted the National Cyber Security Law on 20 June 2024 (in force 1 September 2024), replacing the former Law on the Security of Information Technologies and fully transposing the EU NIS2 Directive. The law applies to over 2,000 essential and important service providers across sectors including energy, transport, banking, health, and digital infrastructure. Supplementary Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements' entered into force on 2 July 2025, detailing technical and organisational measures and incident-reporting procedures.

NIS2 & cybersecurity law in Latvia

In Latvia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to €10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Latvia implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Latvia: FAQ

Does NIS2 apply in Latvia?

Yes. As an EU member, Latvia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Latvia?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Latvia?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Latvia?

Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

NIS2 Transposition

The National Cyber Security Law (adopted 20 June 2024, in force 1 September 2024) is Latvia's primary vehicle for transposing NIS2. It replaces the previous Law on the Security of Information Technologies and mirrors NIS2's essential/important entity classification based on sector and company size/turnover.

Competent Authority

The National Cyber Security Centre (NCSC) was established on 1 September 2024 under the Ministry of Defence as the single competent authority and point of contact for NIS2 obligations. CERT.LV serves as the national CSIRT and operational incident-handling body.

Incident Reporting Duties

Essential and important entities must report significant cybersecurity incidents to CERT.LV: an early warning within 24 hours of awareness (suspected cause, cross-border implications), followed by a full incident report within 72 hours. Reporting forms and procedures are governed by Cabinet Regulation No. 397 (in force 2 July 2025).

Minimum Cybersecurity Requirements

Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements', in force 2 July 2025, specifies mandatory technical and organisational security measures (risk management, business continuity, supply-chain security) and the self-assessment framework for covered entities.

Compliance Deadlines

Covered entities were required to register with the NCSC by 1 April 2025, appoint a designated Cybersecurity Manager by 1 October 2025, and submit their first self-assessment report by 1 October 2025.

Penalties

Essential service providers face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face up to €7 million or 1.4% of turnover. Escalating enforcement includes warnings, binding directions, periodic penalties, service suspension, and a management-role ban of up to three years for repeated negligent breaches.

Timeline - major decisions & events

Sep 1, 2024lawofficial
National Cyber Security Law Enters into Force; National Cybersecurity Centre Established

Latvia's National Cyber Security Law (Nacionālās kiberdrošības likums) replaced the 2010 Information Technologies Security Law, creating the National Cybersecurity Centre under the Ministry of Defence and expanding covered sectors beyond the NIS2 baseline. The law introduced mandatory cybersecurity managers, a National Cybersecurity Council, and self-assessment obligations with staggered compliance deadlines through October 2025.

Latvijas Vēstnesis (likumi.lv)
Aug 20, 2024incident
Sustained DDoS Campaign Hits Latvian Public Sector and Transport Websites

Intensive, targeted DDoS attacks began against Latvian public-sector and transport-sector internet resources, causing intermittent disruptions; CERT.LV characterised the volume as the highest in two years. The campaign, attributed to Russia-linked threat actors, illustrated Latvia's front-line exposure to cyber-enabled hybrid warfare and directly reinforced the urgency of the incoming National Cyber Security Law.

Latvijas Sabiedriskie Mediji (LSM – Latvian Public Broadcasting)
Jun 20, 2024lawofficial
Saeima Adopts National Cyber Security Law (NIS2 Transposition)

Latvia's parliament passed the National Cyber Security Law in final reading, transposing the EU NIS2 Directive ahead of the EU-wide October 2024 deadline and establishing stronger incident-reporting obligations, expanded sector coverage, and new governance structures including the National Cybersecurity Council. The new law also provided for the Constitutional Protection Bureau (SAB) and CERT.LV to play reinforced supervisory roles.

Latvijas Republikas Saeima
Mar 14, 2023guidanceofficial
Cabinet of Ministers Approves Cybersecurity Strategy 2023-2026

Latvia's Cabinet adopted its third national cybersecurity strategy, driven by Russia's full-scale invasion of Ukraine and the resulting surge in hybrid cyber threats against Baltic critical infrastructure. The strategy prioritised creation of the National Cybersecurity Centre, NIS2 transposition, resilience of critical infrastructure, and enhanced NATO and EU cooperation.

Latvijas Aizsardzības ministrija (Ministry of Defence)
Sep 17, 2019guidanceofficial
Cabinet of Ministers Approves Cybersecurity Strategy 2019-2022

Latvia's government adopted its second national cybersecurity strategy, defining five action areas: ICT system resilience, universal access to strategic systems, public awareness and education, international cooperation, and the rule of law in cyberspace. The strategy formalised implementation of NIS Directive obligations already in force and set the groundwork for sector-specific security requirements.

Latvijas Aizsardzības ministrija (Ministry of Defence)
Jan 1, 2013decisionofficial
CERT.LV Transferred to Ministry of Defence Supervision

CERT.LV, Latvia's national computer emergency response team, moved from the Ministry of Transport to oversight by the Ministry of Defence, reflecting the strategic reclassification of cybersecurity as a national security and defence matter. This institutional alignment prefigured the later embedding of all cybersecurity governance within the defence ministry structure.

CERT.LV
Oct 28, 2010lawofficial
Saeima Passes Information Technologies Security Law, Latvia's First Statutory Cybersecurity Framework

Latvia's parliament adopted the Law on the Security of Information Technologies (in force from 1 February 2011), formally establishing CERT.LV under the University of Latvia's Institute of Mathematics and Computer Science and creating statutory duties for incident handling and critical information infrastructure protection. The law served as the primary national cybersecurity instrument for 13 years until replaced in 2024.

Latvijas Vēstnesis (likumi.lv)
Jun 1, 2007lawofficial
Budapest Convention on Cybercrime Enters into Force for Latvia

The Council of Europe Convention on Cybercrime became binding on Latvia (signed May 2004, ratified April 2007), harmonising Latvian criminal law with international standards on computer-related offences, electronic evidence, and mutual legal assistance. Latvia simultaneously joined the Additional Protocol criminalising racist and xenophobic content distributed through computer systems.

Council of Europe – Octopus Cybercrime Community

Latvia - other topics

Cybersecurity in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →