03
Thu, Oct
87 New Articles

Summary of Latvia’s New National Cyber Security Law

Latvia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

On 1 September 2024, the National Cyber Security Law came into force, replacing the Law on the Security of Information Technologies. 

The new law aims to enhance and bolster cybersecurity in Latvia, implementing in 2022 revised EU Network and Information Security Directive or “NIS2”, which aims to achieve a uniformly high level of cybersecurity across the European Union (EU). The law will considerably expand the sectors required to adhere to cybersecurity regulations. This expansion of regulated subjects will ensure a consistent level of cybersecurity across different sectors in Latvia and between the public and private sectors. The National Cyber Security Law will apply to providers of essential and important services, as well as critical information and communication technology (ICT) infrastructure.

Providers of essential and important services will encompass state and local institutions, along with medium and large enterprises operating in one of the sectors stipulated in the law, such as ICT, digital services, electronic communications, public media, energy, transport, water, food, medicine and pharmaceuticals, manufacturing, financial services, postal services, education, science, and security. Alongside, organisations whose disruption could significantly impact public security, state security, public health or pose a substantial systemic risk, especially in sectors where such disruption could have a cross-border effect, will also be categorised as essential service providers. As before, the institutions and businesses eligible for the ICT critical infrastructure list will be approved by the Cabinet of Ministers.

The new requirements will entail several obligations, including:

  • registration by 1 April 2025;
  • appointment of a Cyber Security Manager by 1 October 2025;
  • submission of a self-assessment report by 1 October 2025;
  • compliance with minimum cybersecurity requirements;
  • reporting of cybersecurity incidents.

In instances of significant non-compliance, the competent authorities will have the authority to impose substantial fines.

By Indrikis Liepa, Partner, and Agnese Gerharde, Senior Associate, Cobalt