NIS2 Latvia: National Cybersecurity Law 2024
See how Latvia has implemented the NIS2 Directive through the National Cybersecurity Law, which entered into force on 1 September 2024, what it means for essential and important entities, and how the National Cyber Security Centre and CERT-LV oversee compliance, registration and minimum cybersecurity requirements.
Introduction: NIS2 Directive & the Latvian context
Latvia was already operating a cybersecurity regime under the Law on the Security of Information Technologies. With NIS2, Latvia has moved to a new National Cybersecurity Law that significantly updates the legal framework and expands the number of organisations subject to cybersecurity obligations.
The new law strengthens risk management, incident reporting and supervision across both public and private sectors, and is complemented by detailed minimum cybersecurity requirements adopted in 2025.
NIS2 implementation in Latvia
Latvia has implemented NIS2 through the National Cybersecurity Law (Nacionālās kiberdrošības likums), adopted by Parliament on 20 June 2024 and replacing the former Law on the Security of Information Technologies.
The law entered into force on 1 September 2024 and explicitly aims to implement the requirements of Directive (EU) 2022/2555 (NIS2) and strengthen national cybersecurity measures.
In 2025, Latvia introduced minimum cybersecurity requirements through Cabinet Regulation No. 397 and related secondary legislation, further detailing technical and organisational measures for entities in scope.
Status
NIS2 is fully transposed in Latvia. The National Cybersecurity Law is in force and supported by minimum cybersecurity requirements and other implementing regulations.
Legal structure
The National Cybersecurity Law sets out obligations for essential and important entities, defines supervisory powers, and is complemented by Cabinet regulations on minimum cybersecurity requirements and incident reporting.
Supervisory approach
The National Cyber Security Centre and CERT-LV coordinate supervision, registration and incident handling, working with sectoral regulators where necessary.
NIS2 Latvia: what you need to know about compliance
Latvia closely follows the NIS2 model of essential and important entities. The new law significantly expands the number of regulated organisations, with estimates ranging from several thousand to nearly eight thousand entities in scope by 2025.
Who is in scope?
- Entities operating in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
- Entities operating in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
- Medium-sized and larger organisations meeting NIS2 staff or turnover thresholds.
- Entities covered regardless of size, such as DNS and TLD service providers, trust services, and major cloud or data-centre operators.
Core obligations
- Implement risk-management measures aligned with NIS2, including governance, policies and technical controls.
- Maintain inventories of critical systems, networks and information assets.
- Detect, manage and report significant incidents within defined timeframes (early warning, incident notification, final report).
- Manage supply-chain cybersecurity risk and include security and notification clauses in key contracts.
- Ensure management bodies approve cybersecurity risk-management measures and exercise ongoing oversight.
Registration & categorisation
Entities must self-assess and register with the competent authority when they provide essential or important services. The Latvian law categorises entities into groups based on criticality and service type, which determines the intensity of supervision and reporting.
Sector-specific notes for Latvia
- Energy: electricity and gas infrastructure operators are treated as essential entities, with strict continuity and reporting requirements.
- Transport: key road, rail, air and port operators are covered as essential or important entities.
- Digital infrastructure: data centres, cloud providers, electronic communications networks and DNS/TLD operators are a major focus of the Latvian regime.
- Public administration: central and selected local public authorities are brought into scope to protect critical public services and e-government systems.
- Manufacturing and services: certain manufacturers and service providers critical to national security or economic stability are included based on NIS2 and national criteria.
Penalties for non-compliance
The National Cybersecurity Law introduces an enforcement and sanctions regime aligned with NIS2, allowing for substantial administrative fines, corrective measures and strengthened supervision where entities do not meet their obligations.
- High administrative fines, including turnover-based penalties for serious or repeated breaches.
- Binding orders and mandatory remediation plans issued by the competent authority.
- Enhanced supervision and follow-up audits for entities with systemic deficiencies.
- Potential management liability where governance and oversight obligations are not met.
How to prepare for NIS2 in Latvia
- Assess if you are in scope: map your services and size against NIS2 Annex I & II sectors and the categories defined in the National Cybersecurity Law.
- Confirm registration obligations: check registration deadlines and required data for essential and important entities with CERT-LV / National Cyber Security Centre.
- Run a NIS2 gap assessment: compare your existing cybersecurity posture against legal requirements and minimum cybersecurity regulations.
- Strengthen incident detection & reporting: implement monitoring, escalation and reporting processes that meet Latvian timelines and formats.
- Review supply-chain risk: identify critical ICT and service providers and update contracts to include cybersecurity and incident-notification obligations.
- Align with recognised frameworks: use ISO/IEC 27001, NIST CSF or similar frameworks to structure governance, risk management and documentation.
- Train leadership and staff: ensure management and key teams understand their responsibilities under the National Cybersecurity Law and NIS2.
