
Cybersecurity · Latvia

Cybersecurity regulation in Latvia (2026)

Comprehensive law

National Cyber Security Law (Nacionālās kiberdrošības likums), in force 1 September 2024; implementing NIS2 (EU Directive 2022/2555); competent authority: National Cyber Security Centre (NCSC) under the Ministry of Defence, supported by CERT.LV

Country index 96 · A+


Latvia adopted the National Cyber Security Law on 20 June 2024 (in force 1 September 2024), replacing the former Law on the Security of Information Technologies and fully transposing the EU NIS2 Directive. The law applies to over 2,000 essential and important service providers across sectors including energy, transport, banking, health, and digital infrastructure. Supplementary Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements' entered into force on 2 July 2025, detailing technical and organisational measures and incident-reporting procedures.

Key points

NIS2 Transposition

The National Cyber Security Law (adopted 20 June 2024, in force 1 September 2024) is Latvia's primary vehicle for transposing NIS2. It replaces the previous Law on the Security of Information Technologies and mirrors NIS2's essential/important entity classification based on sector and company size/turnover.

Competent Authority

The National Cyber Security Centre (NCSC) was established on 1 September 2024 under the Ministry of Defence as the single competent authority and point of contact for NIS2 obligations. CERT.LV serves as the national CSIRT and operational incident-handling body.

Incident Reporting Duties

Essential and important entities must report significant cybersecurity incidents to CERT.LV: an early warning within 24 hours of awareness (suspected cause, cross-border implications), followed by a full incident report within 72 hours. Reporting forms and procedures are governed by Cabinet Regulation No. 397 (in force 2 July 2025).

Minimum Cybersecurity Requirements

Cabinet Regulation No. 397 'Minimum Cybersecurity Requirements', in force 2 July 2025, specifies mandatory technical and organisational security measures (risk management, business continuity, supply-chain security) and the self-assessment framework for covered entities.

Compliance Deadlines

Covered entities were required to register with the NCSC by 1 April 2025, appoint a designated Cybersecurity Manager by 1 October 2025, and submit their first self-assessment report by 1 October 2025.

Penalties

Essential service providers face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face up to €7 million or 1.4% of turnover. Escalating enforcement includes warnings, binding directions, periodic penalties, service suspension, and a management-role ban of up to three years for repeated negligent breaches.


Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.