NIS2 Latvia Compliance Guide: National Cybersecurity Law, NCSC Enforcement, and CERT.LV Requirements for 2026

Complete guide to NIS2 compliance in Latvia — covering the National Cybersecurity Law (Nacionālās kiberdrošības likums), National Cyber Security Centre (NCSC) enforcement, CERT.LV incident reporting, Ministry of Defence Single Point of Contact, entity classification, sector requirements, penalties, implementation timeline, and cyber insurance implications for Latvian entities.

Latvia transposed the EU NIS2 Directive through a brand-new central statute — the Nacionālās kiberdrošības likums (National Cybersecurity Law) — adopted by the Saeima on 20 June 2024, signed in Riga on 4 July 2024, and in force since 1 September 2024. The law replaced the older Law on the Security of Information Technologies, created a dedicated National Cyber Security Centre (NCSC Latvia) under the Ministry of Defence, designated the Ministry of Defence as the Single Point of Contact, and confirmed CERT.LV as the national CSIRT. Latvia was an early mover and met the EU’s 17 October 2024 deadline with weeks to spare, although the European Commission subsequently issued a reasoned opinion on 7 May 2025 flagging incomplete notification of supporting measures. The framework is now operational, with self-registration at CERT.LV required within three months of entry into force and a self-assessment report obligation triggered by 1 October 2025.

This guide covers Latvia’s NIS2 transposition, the institutional split between the Ministry of Defence (SPOC), the NCSC Latvia (national competent authority), CERT.LV (CSIRT), and the sectoral regulators, entity classification, the Cybersecurity Manager obligation, Cabinet Regulation No. 397 on minimum cybersecurity requirements, penalties, implementation milestones, and practical steps for compliance.

Latvia’s NIS2 Transposition: Where Things Stand

Latvia took a consolidated single-statute approach with a brand-new central law:

  • National Cybersecurity Law (Nacionālās kiberdrošības likums): Adopted by the Saeima on 20 June 2024, signed on 4 July 2024, and entered into force on 1 September 2024. The law’s preamble expressly states that it contains norms deriving from Directive (EU) 2022/2555 (NIS2), replacing the 2010 Law on the Security of Information Technologies.
  • Cabinet Regulation No. 397 (2025): Adopted in 2025, this secondary instrument sets out the minimum cybersecurity requirements for in-scope entities, with most obligations entering into force on 2 July 2025. It governs risk-management, incident-handling, supply-chain security, and documentation duties in technical detail.
  • Cybersecurity Strategy 2023–2026: Approved by the Cabinet in March 2023, this preceded the law and provides the strategic umbrella under which the NCSC’s supervision system was built.
  • DORA overlay: For financial-sector essential entities where the Digital Operational Resilience Act applies, certain risk-management and incident-reporting obligations follow DORA’s timeline from 17 January 2025 in lieu of the National Cybersecurity Law’s defaults.

The new law follows a “minimum implementation” philosophy, sticking closely to NIS2’s text and adding only a small number of national extensions — most notably a mandatory Cybersecurity Manager designation and a 5-working-day vulnerability disclosure obligation.

Key Dates and Timeline

Milestone | Date | Status
--- | --- | ---
Cybersecurity Strategy 2023–2026 approved | March 2023 | Complete
NIS2 Directive adopted | January 2023 |
Cabinet approval of draft bill | 19 March 2024 | Complete
First reading in Saeima | 17 April 2024 | Complete
National Cybersecurity Law adopted by Saeima | 20 June 2024 | Complete
Law signed by the President | 4 July 2024 | Complete
Law enters into force | 1 September 2024 | Complete
EU transposition deadline | 17 October 2024 | Met on time
DORA-sector risk-management obligations live | 17 January 2025 | Complete
EC reasoned opinion for incomplete notification | 7 May 2025 | Active
Self-registration at CERT.LV | 1 April 2025 | Complete
Cabinet Regulation No. 397 in force | 2 July 2025 | Complete
First self-assessment reports + Cybersecurity Manager notification | 1 October 2025 | Active
Audit cycles begin (essential: 3-year / important: 5-year) | 2026–2027 | Upcoming

Important: Although Latvia met the 17 October 2024 transposition deadline substantively, the European Commission issued a reasoned opinion on 7 May 2025 for failure to notify the full set of supporting measures. The substantive law is in force and enforced; the EC proceeding concerns procedural completeness of the notification file, not the law’s validity. The Cabinet Regulation on minimum cybersecurity requirements is in force since 2 July 2025.

Comparison with Other EU Countries

Latvia’s “minimum implementation” approach with a central new statute is comparable to several EU Member States in our country guide series:

  • Estonia (RIA): Baltic neighbour, similarly small state with a single dedicated cybersecurity authority (Estonia’s Information System Authority / RIA)
  • Finland (Traficom): Nordic neighbour, comparable “tight transposition” approach with Traficom as the central authority and NCSC-FI as the CSIRT
  • Sweden (MSB): Nordic neighbour, multi-authority model with sectoral regulators and MSB supervisory oversight
  • Denmark (CFCS): Nordic neighbour, sectoral ministries supervise entities, with the Centre for Cyber Security as CSIRT
  • Poland (NCSA): Regional neighbour, late transposition with a dedicated national cybersecurity agency
  • Czech Republic (NUKIB): Central European model, comparable single-agency approach with NUKIB as the central authority

Key Regulatory Bodies

Ministry of Defence — Single Point of Contact (SPOC)

The Ministry of Defence (Aizsardzības ministrija) is Latvia’s designated Single Point of Contact for EU-level NIS2 coordination:

  • Coordinates Latvia’s cross-border cooperation with other Member States and EU bodies
  • Supervises the National Cyber Security Centre (NCSC Latvia) and the CERT.LV functions
  • Hosts the strategic policy framework for cybersecurity and the National Cybersecurity Council
  • Acts as the central liaison with the European Commission, ENISA, and the EU CSIRTs Network

Contact:

  • Address: 10/12 K. Valdemāra iela, Riga, Latvia LV-1473
  • Email: kanceleja@mod.gov.lv
  • Phone: +371 673 35 113, +371 673 35 353
  • Fax: +371 672 12 307
  • Contact hours: 08:30–17:00 (Mon–Fri)
  • Website: mod.gov.lv/en/cybersecurity

NCSC Latvia — National Cyber Security Centre

The National Cyber Security Centre (NCSC Latvia) is the designated national competent authority for NIS2 implementation, sitting under the Ministry of Defence:

  • Operates as Latvia’s central regulator for essential and important entities
  • Runs the entity registration portal in coordination with CERT.LV
  • Issues binding instructions, supervises compliance, and orders external audits under Article 44
  • Maintains the catalogue of minimum cybersecurity requirements derived from Cabinet Regulation No. 397
  • Coordinates the National Cybersecurity Council and inter-institutional cyber policy
  • Handles Cybersecurity Manager notifications and self-assessment reports

Contact: Via the Ministry of Defence (kanceleja@mod.gov.lv) — the NCSC was established as a new institution under the National Cybersecurity Law and operates within the MoD structure.

CERT.LV — National Computer Security Incident Response Team

CERT.LV (Informācijas tehnoloģiju drošības incidentu novēršanas institūcija) is Latvia’s national CSIRT and the technical operational arm of the cybersecurity framework:

  • Mandated by the National Cybersecurity Law to represent Latvia in the EU CSIRTs Network
  • Sectoral CSIRT for all sectors apart from finance (per Trusted Introducer listing)
  • Handles all incident reporting for essential and important entities
  • Issues early warnings, alerts, and vulnerability advisories
  • Provides technical support, threat intelligence, and post-incident coordination
  • Operates the public reporting portal at cert.lv/en/report

Contact:

  • Email: cert@cert.lv
  • Main phone: +371 670 85 888
  • 24/7 emergency phone available via Trusted Introducer directory
  • Website: cert.lv/en/

Sectoral Competent Authorities

Latvia uses a multi-authority model with sectoral regulators holding supervisory authority over entities in their respective sectors, all coordinated with the NCSC and CERT.LV:

Authority | Sector
--- | ---
Ministry of Economics (em.gov.lv) | Energy (electricity, oil, gas)
Ministry of Transport (Transporta_sakaru_drosiba@sam.gov.lv) | Transport (air, rail, road, water), digital infrastructure, DSPs
Financial and Capital Market Commission (fktk@fktk.lv) | Banking, financial market infrastructures, crypto-asset service providers
Ministry of Health (vm@vm.gov.lv) | Healthcare, hospitals, medical device manufacturers, drinking water supply
Ministry of Agriculture | Drinking water supply and distribution (jointly with MoH)
Ministry of the Interior | Public administration, law enforcement
Ministry of Defence / NCSC | Defence, ICT critical infrastructure, cross-sector coordination
Datu valsts inspekcija (DVI / Latvian DPA) | Personal data protection overlay for affected entities

Which Entities Are Affected?

Essential Entities

Under Latvia’s National Cybersecurity Law, essential entities mirror Annex I of the NIS2 Directive, with national adjustments:

  • Energy: Electricity, district heating, oil, gas (transmission, distribution, storage, LNG operators)
  • Transport: Air carriers, airport managing bodies, port operators, rail infrastructure managers, road transport operators
  • Banking and Financial Market Infrastructures: Credit institutions, investment firms, central securities depositories, crypto-asset service providers (MiCA scope)
  • Health: Hospitals, healthcare providers, laboratories, pharmaceutical wholesalers, manufacturers of medical devices considered critical
  • Drinking Water Supply and Distribution: Dams, reservoirs, water treatment and distribution operators
  • Digital Infrastructure: Cloud computing service providers, data centre service providers, DNS service providers, TLD name registries, electronic communications networks and services
  • Public Administration: Central government bodies, municipalities with population >50,000
  • Space: Operators of ground-based infrastructure supporting EU space programmes
  • Critical ICT infrastructure owners and legal holders — covered regardless of essential/important classification (per Article 3)

Important Entities

Important entities mirror Annex II of the NIS2 Directive, plus Latvia-specific inclusions:

  • Postal and Courier Services: Latvia Post, private courier operators
  • Waste Management: Collection, treatment, and disposal operators
  • Chemicals: Production and distribution of hazardous substances
  • Food Production and Distribution: Large-scale food processing and supply chain operators
  • Manufacturing: Manufacturers of medical devices, electronics, machinery, motor vehicles, and other critical products
  • Digital Providers: Online marketplaces, search engines, social networking service platforms
  • Research Organisations: Latvia’s research sector was explicitly added (per the Copla implementation summary)

Size Thresholds

Latvia applies the standard NIS2 size-cap rule with a small adjustment for critical infrastructure:

Category | Employees | Annual Turnover | Balance Sheet
--- | --- | --- | ---
Medium enterprise | 50+ | >€10 million | >€10 million
Large enterprise | 250+ | >€50 million | >€43 million

Size threshold does NOT apply (entities always in scope regardless of size):

  • Trust service providers
  • Top-level domain (TLD) name registries
  • DNS service providers
  • Public electronic communications networks and services providers
  • Providers of public electronic communications services operating in Latvia (even if registered elsewhere)
  • Sole provider of an economic activity in defined sectors (Articles 20 and 21) — unique Latvian extension
  • Owners and legal holders of critical ICT infrastructure (Article 3) — must comply regardless of essential/important classification

Entity Designation Process

Entities must take a proactive self-classification approach:

  1. Self-assess whether the entity falls in scope using the criteria in Articles 4–7 and Annexes I/II
  2. Self-register with CERT.LV’s national portal within three months of the law’s entry into force (deadline passed 1 April 2025 for the first wave)
  3. Submit entity profile, sector classification, and basic information about services and systems
  4. Designate a Cybersecurity Manager (per Article 25) — must be notified to authorities by 1 October 2025
  5. Submit the first self-assessment report by 1 October 2025 and annually thereafter (per Article 43)
  6. Await formal designation by the NCSC as essential or important
  7. Cooperate with compliance audits (NCSC-conducted) and external audits (NCSC-ordered) under Article 44

The Cabinet must approve the official list of essential and important entities by 17 April 2025.

Latvia-Specific Requirements (Beyond NIS2 Minimums)

Latvia has added a small number of distinctive national requirements beyond the NIS2 Directive’s minimum standards. The overall approach is described as “minimum implementation,” but the additions are operationally significant:

Mandatory Cybersecurity Manager (Article 25)

Each in-scope entity must appoint a Cybersecurity Manager — a natural person responsible for implementing and overseeing the entity’s cybersecurity measures. For owners of critical ICT infrastructure, the manager must be appointed in consultation with the authorities. The Cybersecurity Manager:

  • Must undergo special training (a Latvia-specific addition not found in NIS2)
  • Conducts an annual security review of the entity’s information and communication technologies
  • Reports identified deficiencies to management and organises remediation
  • Acts as the single point of accountability within the entity
  • First notification deadline was 1 October 2025

5-Working-Day Vulnerability Disclosure (Article 39)

Latvia introduces a 5-working-day vulnerability disclosure obligation that goes beyond NIS2’s incident-reporting scope:

  • Any person who detects a vulnerability in the entity’s information system or electronic communications network must submit a vulnerability disclosure report to the competent cyber incident response authority within five working days
  • The reporting entity must designate a process for receiving such disclosures
  • This complements but does not replace the standard NIS2 24/72/30-day incident-reporting cascade

Critical ICT Infrastructure Owner Obligations

Under Article 3, owners and legal holders of critical ICT infrastructure are subject to obligations regardless of whether they are designated as essential or important:

  • They must comply with the National Cybersecurity Law’s substantive obligations
  • They must appoint a Cybersecurity Manager in consultation with authorities
  • The NCSC and CERT.LV can impose additional technical measures on these entities
  • This category was added to address hybrid infrastructure ownership structures where the operator and the asset owner are different legal persons

Data Centre Special Obligations

For data centres hosting government systems or designated as critical ICT infrastructure, the NCSC may impose:

  • Installation of Security Operations Centres (SOCs) under authority supervision
  • Enhanced monitoring and reporting duties
  • Coordinated vulnerability management with CERT.LV

External Audit Cycle

Cabinet Regulation No. 397 establishes distinct audit cycles based on classification:

  • Essential entities: External cybersecurity audit every 3 years
  • Important entities: External cybersecurity audit every 5 years
  • Internal self-assessment must be performed annually regardless
  • The NCSC may order an external audit at any time under Article 44

Penalties and Enforcement

Entity-Level Fines

Latvia’s National Cybersecurity Law adopts the NIS2 maximum penalty framework (aligned with Article 34 of the Directive):

Entity Type | Maximum Fine
--- | ---
Essential Entities | €10 million OR 2% of global annual turnover (whichever is higher)
Important Entities | €7 million OR 1.4% of global annual turnover (whichever is higher)

The enforcement escalation mechanism proceeds as follows:

  1. Warnings for first-time or minor breaches
  2. Binding directions with remediation timelines
  3. Periodic penalty payments to compel compliance
  4. Monetary fines at NIS2 maximum thresholds
  5. Service suspensions for essential entities in egregious cases

The turnover-based calculation means that large multinationals operating in Latvia (especially in finance, telecoms, and digital infrastructure) could face fines well in excess of the nominal euro amounts.

Personal Liability for Management

The Latvian law introduces explicit management liability for cybersecurity failures:

Violation | Consequence
--- | ---
Repeated negligent breach by management | Ban from management roles for up to 3 years
Willful disregard of compliance obligations | Personal fines (amounts defined by Cabinet Regulation, aligned with NIS2 maximums)
Failure to appoint Cybersecurity Manager | Personal liability of the head of entity

The 3-year management ban is a particularly severe provision — directors and officers who repeatedly ignore their cybersecurity obligations can be disqualified from serving as board members or senior executives in any Latvian in-scope entity for an extended period.

Public Bodies

Ministries, regions, and major municipalities are classified as essential but are exempt from monetary fines. They remain subject to:

  • Mandatory corrective directions from CERT.LV
  • Public disclosure of failures (reputational risk)
  • Compliance audits and reporting obligations
  • The Cybersecurity Manager and self-assessment requirements

This exemption mirrors the pattern in several other EU Member States (e.g., Hungary’s exemption for public administration bodies) and reflects the constitutional limits on fining sovereign entities.

Compliance Requirements

Article 21 Risk Management Measures

Under Article 21 of NIS2 (transposed into Latvia’s law), Essential and Important Entities must implement a balanced mix of technical, operational, and organisational measures:

  1. Risk analysis and information security policies — documented, annually reviewed, approved by management
  2. Incident handling — detection, response, recovery, and post-incident analysis
  3. Business continuity and crisis management — backup procedures, disaster recovery, crisis communication
  4. Supply chain security — security assessment of ICT third-party providers, contractual security clauses
  5. Security in network and information system acquisition, development, and maintenance — secure development lifecycle
  6. Vulnerability handling and disclosure — coordinated vulnerability disclosure process, plus Latvia’s 5-working-day reporting rule
  7. Cryptography and encryption — encryption of sensitive data at rest and in transit, key management
  8. Human resources security — background checks, security training (including Cybersecurity Manager training), disciplinary procedures
  9. Asset management — inventory of information assets, classification scheme
  10. Access control — least privilege, multi-factor authentication for privileged access, periodic access reviews
  11. Multi-factor authentication — required for access to network and information systems
  12. Secure communications — encrypted voice, video, and text in the context of incident response

Plus Latvia-specific:

  • Cybersecurity Manager designation with annual review (Article 25)
  • Annual self-assessment report (Article 43)
  • 5-working-day vulnerability disclosure process (Article 39)
  • Critical ICT infrastructure additional measures (Article 3)

Incident Reporting Requirements

All in-scope entities must report significant incidents to CERT.LV through the three-stage cascade defined in Article 23 of NIS2:

Notification Stage | Deadline | Content Requirements
--- | --- | ---
Early Warning | 24 hours of becoming aware | Indication of whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have a cross-border impact
Incident Notification | 72 hours | Initial assessment of severity and impact, indicators of compromise, affected services
Final Report | 1 month | Detailed description, severity, impact, type of threat or root cause, applied and ongoing mitigation measures, cross-border impact (where applicable)
Vulnerability Disclosure (Latvia extension) | 5 working days | Vulnerability disclosure reports under Article 39 (separate from incident reports)

Where to report: CERT.LV accepts incident reports through:

  • Email: cert@cert.lv
  • Reporting portal: cert.lv/en/report
  • Phone (business hours): +371 670 85 888

Important: For financial-sector entities covered by DORA, incident reporting follows DORA’s timeline from 17 January 2025 in specified risk-management and incident-reporting areas, with CERT.LV as the technical CSIRT but the Financial and Capital Market Commission as the competent authority for DORA-reportable incidents.
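The cascade above is easiest to operationalise as a deadline tracker that an incident handler can run from the moment of awareness. The following Python is an added example written for this guide, not code from CERT.LV, the NCSC, or any Latvian authority. It computes the 24-hour, 72-hour and 1-month incident deadlines together with the 5-working-day vulnerability disclosure date, and flags which stages are already overdue at a given time. Two assumptions are built in and marked in the code: "1 month" is read as the same calendar day of the following month (clamped to month end), and "working days" are Monday to Friday minus whatever holiday dates the caller passes in, since the guide does not list a Latvian public-holiday calendar.

```python
from __future__ import annotations

import calendar
from datetime import date, datetime, timedelta
from typing import Iterable

# Deadlines from the reporting cascade above: 24 h early warning, 72 h incident
# notification, 1 month final report (NIS2 Art. 23) and Latvia's 5-working-day
# vulnerability disclosure (Art. 39).
# Assumption: working days are Mon-Fri excluding any holiday dates the caller
# supplies; the guide lists no Latvian public-holiday calendar.


def _as_datetime(value: datetime | str) -> datetime:
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _as_dates(values: Iterable[date | str]) -> frozenset[date]:
    """Normalise holiday entries (date, datetime or ISO string) to plain dates."""
    out = set()
    for v in values:
        if isinstance(v, datetime):
            out.add(v.date())
        elif isinstance(v, date):
            out.add(v)
        else:
            out.add(date.fromisoformat(v))
    return frozenset(out)


def add_working_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Return the date n working days after start; the start day itself does not count."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # 0-4 = Mon-Fri
            counted += 1
    return current


def add_one_month(moment: datetime) -> datetime:
    """Assumed reading of '1 month': same day next month, clamped to that month's last day."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(aware_at: datetime | str, holidays: Iterable[date | str] = ()) -> dict:
    """Map each reporting stage to its deadline, measured from the moment of awareness."""
    aware = _as_datetime(aware_at)
    return {
        "early_warning": aware + timedelta(hours=24),
        "incident_notification": aware + timedelta(hours=72),
        "final_report": add_one_month(aware),
        # Date-only deadline: the report is due by the end of the fifth working day.
        "vulnerability_disclosure": add_working_days(aware.date(), 5, _as_dates(holidays)),
    }


def overdue_stages(aware_at: datetime | str, now: datetime | str,
                   holidays: Iterable[date | str] = ()) -> list[str]:
    """List the stages whose deadline has already passed at time `now`."""
    current = _as_datetime(now)
    overdue = []
    for stage, deadline in reporting_deadlines(aware_at, holidays).items():
        if isinstance(deadline, datetime):      # check datetime first: it subclasses date
            missed = current > deadline
        else:                                   # date-only deadline: overdue from the next day
            missed = current.date() > deadline
        if missed:
            overdue.append(stage)
    return overdue


if __name__ == "__main__":
    # Constructed sample: awareness late on a Friday afternoon, with one
    # constructed holiday in the following week (not a real Latvian holiday).
    sample_aware = "2025-10-03T16:30"
    for stage, deadline in reporting_deadlines(sample_aware, holidays=["2025-10-08"]).items():
        print(f"{stage:24} {deadline.isoformat()}")
    print("overdue at 2025-10-07T09:00:", overdue_stages(sample_aware, "2025-10-07T09:00"))
```

Running the script with the constructed Friday-afternoon sample shows the weekend pushing the 5-working-day date a full week out, and the constructed holiday pushing it over a second weekend; the overdue check is the piece worth wiring into a tabletop exercise, since the 24-hour early warning is the stage most often missed when awareness lands outside business hours.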

Supply Chain Security

Under Article 21(8) of NIS2 as transposed, Latvian entities must assess and manage cybersecurity risks across their ICT supply chain. This includes:

  • Security assessments of software vendors, cloud providers, and ICT service providers
  • Contractual cybersecurity requirements in vendor agreements
  • Monitoring of supplier security posture (SBOM sharing, security audits)
  • Business dependency mapping for critical ICT services
  • Special attention to OT/IT segregation in manufacturing and energy sectors

CERT.LV has emphasised that entities cannot transfer NIS2 obligations to third parties and remain responsible for compliance even when services are outsourced or migrated to the cloud. This aligns with our guide on NIS2 supply chain and third-party risk management and the broader supply chain attack loss scenario.

Implementation Roadmap for Latvian Entities

Phase 1: Foundation (Sept 2024 – Dec 2025)

  • Confirm self-registration with CERT.LV (deadline 1 April 2025 — must be complete) via the cert.lv/en/report portal infrastructure
  • Designate a Cybersecurity Manager and submit the first notification to the NCSC (deadline 1 October 2025 — now active)
  • Conduct the first self-assessment report under Article 43 (deadline 1 October 2025 — now active)
  • Map the entity to the Annex I/II sector classification and confirm essential vs important status
  • Identify all sectoral competent authorities relevant to the entity’s operations
  • Begin applying Cabinet Regulation No. 397 minimum cybersecurity requirements (in force since 2 July 2025)
  • Identify any “sole provider” or “critical ICT infrastructure” status that brings the entity in scope regardless of size

Phase 2: Operationalisation (2026)

  • Implement the 10 Article 21 risk management measures mapped to the entity’s risk profile
  • Deploy multi-factor authentication across all privileged access points
  • Establish a 5-working-day vulnerability disclosure process
  • Set up the 24/72-hour/30-day incident reporting process with CERT.LV (test the procedure end-to-end with a tabletop exercise)
  • Begin annual external audit preparation (essential entities face 3-year cycles; important entities 5-year cycles)
  • Review and update third-party contracts to include NIS2 cybersecurity obligations
  • Run a gap analysis against the NIS2 readiness assessment guide

Phase 3: Continuous Compliance (2027+)

  • Maintain the external audit cycle (essential: every 3 years; important: every 5 years)
  • Submit the annual self-assessment report to the NCSC
  • Update the Cybersecurity Manager training programme
  • Conduct supplier security reviews and SBOM exchanges for critical ICT third parties
  • Maintain incident-reporting readiness and test the process at least annually
  • Monitor the NCSC’s evolving guidance, technical standards, and enforcement priorities
  • Review cyber insurance coverage for NIS2-related exposures and personal management liability
  • See our NIS2 compliance checklist for the full year-on-year compliance cadence

Cyber Insurance Implications for Latvian Entities

Why Latvian Entities Need Cyber Insurance

NIS2 creates significant new liability exposure for Latvian organisations:

  • Fines up to €10 million or 2% of global turnover for essential entities — insurance can cover defence costs and regulatory investigation expenses
  • Personal management liability — directors and officers can face 3-year management bans plus personal fines; D&O policies must explicitly address this NIS2 exposure
  • 5-working-day vulnerability disclosure and 24/72/30-day incident reporting obligations increase the importance of pre-arranged incident response retainers
  • Service suspensions are a real risk for essential entities in egregious cases
  • Third-party claims from customers affected by data breaches or service disruptions
  • Audit costs — annual self-assessment and triennial (or quinquennial) external audit expenses
  • Cross-border impact for multinationals — a Latvian incident can trigger reporting to other Member State CSIRTs

What Underwriters Should Ask About Latvian Entities

Cyber insurance underwriters assessing Latvian risks should ask:

  1. Entity classification — Is the insured designated as essential or important by the NCSC?
  2. Self-registration — Has the entity completed CERT.LV self-registration? Is registration data up to date?
  3. Cybersecurity Manager — Has a Cybersecurity Manager been formally designated and notified to the NCSC?
  4. Self-assessment report — Has the first self-assessment report under Article 43 been submitted (deadline 1 October 2025)?
  5. Cabinet Regulation No. 397 compliance — Is the entity compliant with the minimum cybersecurity requirements in force since 2 July 2025?
  6. Sole provider status — Does the entity fall in scope under Articles 20 or 21 as a sole provider regardless of size?
  7. Critical ICT infrastructure — Does the entity own or hold critical ICT infrastructure triggering Article 3 obligations?
  8. DORA applicability — For financial entities, are DORA’s incident-reporting and risk-management obligations layered onto the policy?
  9. Vulnerability disclosure process — Is the 5-working-day vulnerability disclosure obligation operationalised?
  10. Incident history — Any incidents reported to CERT.LV in the past 3 years?

Coverage Considerations

For Latvian entities, ensure the policy covers:

  • Regulatory defence costs under NCSC and CERT.LV enforcement actions
  • Personal liability extensions — D&O coverage for management bans (up to 3 years) and personal fines under Latvia’s transposition
  • Incident response costs — Pre-approved forensic, legal, and PR retainers that can be activated within the 24-hour early warning window
  • Business interruption — Loss of income resulting from a cyber incident, including mandatory service suspensions
  • Notification costs for the multi-stage CERT.LV reporting (24h/72h/30-day) and the 5-working-day vulnerability disclosure
  • Crisis management and reputational harm
  • Audit costs when mandated by NCSC under Article 44
  • Supply chain losses from vendor incidents — see supply chain attack loss scenario
  • NIS2-related penalties coverage for entity-level fines, where insurable by jurisdiction

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Latvia transposed NIS2 through a single new statute — the National Cybersecurity Law (Nacionālās kiberdrošības likums) — adopted 20 June 2024 and in force since 1 September 2024, replacing the 2010 IT Security Law
  2. The Ministry of Defence is the SPOC, the NCSC Latvia (under MoD) is the national competent authority, and CERT.LV is the national CSIRT — a clean three-tier institutional split
  3. Cybersecurity Manager designation is mandatory under Article 25, with a first notification deadline of 1 October 2025 — the manager must undergo special training and conduct an annual security review
  4. Self-registration with CERT.LV was required by 1 April 2025 and the first self-assessment reports were due by 1 October 2025; both are now active obligations
  5. Cabinet Regulation No. 397 sets out minimum cybersecurity requirements and entered into force on 2 July 2025 — entities must align controls with this technical baseline
  6. Latvia’s “minimum implementation” approach keeps the regime close to NIS2’s text but adds the 5-working-day vulnerability disclosure obligation and sole-provider / critical ICT infrastructure rules that catch unique Latvian ownership structures
  7. Penalties reach NIS2 maximums — up to €10M or 2% global turnover for essential entities, plus management disqualification of up to 3 years for repeated negligent breaches
  8. DORA-overlay applies to financial-sector essential entities from 17 January 2025 — combined compliance with both DORA and the National Cybersecurity Law is required
  9. Cyber insurance is essential for Latvian entities — covering regulatory fines, management bans, mandatory audit costs, business interruption, and personal D&O exposure from the new management liability provisions

Next Steps:

This guide reflects the legal framework as of June 2026 following the entry into force of the National Cybersecurity Law (1 September 2024) and Cabinet Regulation No. 397 (2 July 2025). The EC reasoned opinion of 7 May 2025 concerns the completeness of the transposition notification file rather than the substantive validity of the law. Entities should consult the Latvian Ministry of Defence cybersecurity page and CERT.LV for the latest guidance, and seek legal counsel for entity-specific compliance assessments.

Michael Guiao Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.