Latvia NIS2 Competent Authorities: NCSC Latvia, CERT.LV, Constitution Protection Bureau, and the Mandatory Cybersecurity Manager
Latvia’s National Cybersecurity Law (NCL) entered into force on 1 September 2024, implementing NIS2 across a three-authority supervisory structure. The NCSC receives registrations and monitors compliance, CERT.LV handles incident reporting, and the Constitution Protection Bureau oversees critical ICT infrastructure. The most significant national addition: every in-scope entity must appoint a dedicated cybersecurity manager and formally notify the authorities by 1 October 2025 — a requirement that goes further than NIS2 Article 20’s management training obligation and applies to all essential and important service providers without exception.
Does Latvia’s Cybersecurity Law Apply to Your Organisation?
The NCL applies to three categories of entity. Knowing which one applies to you determines your supervisory authority, your compliance obligations, and your deadlines.
Providers of essential services are entities operating in sectors listed in NIS2 Annex I — energy, transport, banking, healthcare, water supply, digital infrastructure, and space — that meet the large enterprise threshold: generally 250 or more employees or €50 million or more in annual turnover. Certain sectors (DNS resolution services, TLD registries, cloud computing providers) classify all providers as essential regardless of size.
Providers of important services are entities in Annex I and Annex II sectors — including postal and courier services, waste management, manufacturing of critical products, food production, digital service providers, and research — at the medium enterprise threshold: 50 or more employees or €10 million or more in annual turnover. Latvia includes the research sector as an optional extension, one of the few national additions it made in an otherwise minimum-transposition approach.
Critical ICT infrastructure operators are a Latvia-specific category covering owners of particularly sensitive national ICT systems. These entities fall under the Constitution Protection Bureau for supervisory purposes and must comply regardless of company size — the only category where Latvia departs from the standard NIS2 thresholds.
The NCSC provides an interactive assessment tool at mod.gov.lv for entities unsure of their classification. Latvia assigns all in-scope systems to one of three security categories — A (highest sensitivity), B (intermediate), and C (lower tier) — which govern the depth of obligations under Cabinet Regulation No. 397. For the full EU-level criteria separating essential from important entities, the essential vs. important entities guide covers the thresholds and sector rules in detail.
| Category | Applies to | Latvia addition | Supervisory authority |
|---|---|---|---|
| Essential service provider | Annex I sector, 250+ employees or €50M+ turnover | None beyond EU baseline | NCSC Latvia |
| Important service provider | Annex I/II sector, 50+ employees or €10M+ turnover | Research sector included | NCSC Latvia |
| Critical ICT infrastructure operator | Latvia-specific — any size | Category not in EU NIS2 | Constitution Protection Bureau |
Latvia’s Three NIS2 Authorities: NCSC, CERT.LV, and the Constitution Protection Bureau
Latvia distributes NIS2 responsibilities across three distinct bodies, each with a clearly defined mandate. Getting the routing right matters: incident reports go to CERT.LV, entity registrations go to the NCSC, and critical infrastructure operators report to the Constitution Protection Bureau for certain obligations.
National Cybersecurity Centre (NCSC Latvia)
The NCSC, established under the Ministry of Defence, is Latvia’s primary supervisory authority for most in-scope entities. Its responsibilities include:
- Receiving registrations from essential and important service providers
- Compiling the national register of in-scope entities, reviewed at least every two years and approved by the Digital Security Oversight Committee
- Conducting ex-ante compliance audits for essential entities and ex-post checks for important entities
- Receiving cybersecurity manager appointment notifications from essential and important service providers
- Developing national cybersecurity policy and coordinating cross-sector incident response
The Ministry of Defence serves as Latvia’s official EU Single Point of Contact (SPOC) — the designated channel for cross-border NIS2 coordination with other member states. For registration and compliance queries: NIS2@mod.gov.lv [1].
CERT.LV
CERT.LV is Latvia’s national CSIRT and the institution that receives cyber incident reports under the NCL. When a significant incident occurs, entities notify CERT.LV directly — not the NCSC. CERT.LV holds TC-CSIRT Trusted Introducer accreditation and is a member of FIRST (Forum of Incident Response and Security Teams), placing it within the EU CSIRT network established under NIS2 [1].
CERT.LV maintains Latvia’s national security incident map and may issue technical mitigation guidance to entities following report submission.
Contact: cert@cert.lv | +371 670 85 888 | cert.lv/en
Constitution Protection Bureau
The Constitution Protection Bureau (Satversmes aizsardzības birojs, SAB) holds specific supervisory authority for Latvia’s critical ICT infrastructure operators. If your organisation is classified in this Latvia-specific category, your primary supervisory relationship for certain obligations is with the SAB rather than the NCSC. The SAB is also the designated notification recipient when critical infrastructure operators appoint their cybersecurity manager [2].
Sector-specific competent authorities
Within their respective sectors, Latvia designates additional authorities that handle NIS2 compliance supervision alongside the NCSC:
| Sector | Competent authority |
|---|---|
| Energy (electricity, gas, oil, district heating) | Ministry of Economics |
| Transport (air, rail, water, road) | Ministry of Transport |
| Banking and financial market infrastructure | Financial and Capital Market Commission |
| Healthcare, drinking water, wastewater | Ministry of Health |
| Digital infrastructure and digital service providers | Ministry of Transport |
The Mandatory Cybersecurity Manager: Latvia’s Addition Beyond NIS2
NIS2 Article 20 requires management bodies to approve cybersecurity risk-management measures and receive training on cybersecurity risks — and allows them to be held liable for violations. Latvia’s NCL goes further: every essential and important entity must appoint a dedicated cybersecurity manager (kiberdrošības vadītājs) — a named individual responsible for implementing and overseeing cybersecurity measures — and formally notify the supervisory authorities of that appointment.
This obligation does not appear in the NIS2 Directive as a binding requirement. Latvia is among a small number of EU member states to mandate the role by law, placing it alongside countries such as Croatia (which requires mandatory phishing simulations and biennial self-assessments) and Cyprus (which shortened the incident early-warning window to six hours) as states that have added substance beyond the EU baseline [2].
What the role requires
The cybersecurity manager must:
- Oversee the entity’s compliance with the NCL and Cabinet Regulation No. 397
- Serve as the primary liaison with CERT.LV for cyber incident handling
- Conduct annual cybersecurity reviews of the organisation’s security posture
- Coordinate submission of the self-assessment questionnaire to the NCSC
Appointment deadline: 1 October 2025. After appointment, the entity must submit the designated notification form to the NCSC (essential and important service providers) or to the Constitution Protection Bureau (critical ICT infrastructure operators) [2][3].
Vetting requirements under Cabinet Regulation No. 397
Cabinet Regulation No. 397 — titled “Minimum Cybersecurity Requirements” and in force from 2 July 2025 — establishes eligibility criteria for cybersecurity managers that go beyond professional qualifications [3]. An appointee must not have been affiliated with:
- The USSR, the Latvian SSR, or any foreign intelligence, security, or counterintelligence service
- Any organisation banned under Latvian law or by court decision
These vetting conditions reflect Latvia’s national security context as a NATO member state bordering Russia and Belarus. They apply specifically to the cybersecurity manager role — not to all employees — and must be satisfied before the formal notification is submitted to the NCSC or SAB.
Two geopolitical additions in Cabinet Regulation No. 397
The same regulation introduces operational requirements with no equivalent in the EU NIS2 baseline [3]:
IT vendor restriction: In-scope entities may not enter into new IT service agreements with providers registered in Russia, Belarus, or countries designated as supporting terrorism under Latvian law. Existing contracts with vendors from the restricted countries should be reviewed for renewal obligations and migration timelines — the regulation’s in-force date of 2 July 2025 is the compliance reference point.
Auditor registration requirement: External cybersecurity auditors must be registered in a NATO member state, EU member state, EFTA country, or IP4 country. This applies when engaging external parties for compliance audits or security reviews under the NCL.
Registering with the NCSC
The NCL required in-scope entities to notify the NCSC by 1 April 2025. Registration is submitted via Latvia’s official e-address system — addressed to “Aizsardzības ministrija Nacionālais kiberdrošības centrs” — and must include [4]:
- Organisation registration number, sector, and NACE codes
- Contact details and designated cyber contact person
- Status designation (essential or important service provider)
- IP address ranges used for service delivery
- Countries in which services operate
Registration forms in Excel format are available at mod.gov.lv. Submissions require an electronic signature. General queries: NIS2@mod.gov.lv.
Entities that missed the April 2025 deadline should register as soon as possible. Latvia’s graduated enforcement model — which starts with written warnings before moving to fines — means proactive engagement with the NCSC reduces exposure to maximum sanctions. The full NIS2 scope criteria, including size-threshold exceptions for specific sectors, are covered in the NIS2 scope guide.
Reporting Cyber Incidents to CERT.LV
The NCL’s incident reporting framework mirrors NIS2 Article 23’s three-step structure. Significant incidents — those that cause or could cause severe disruption to your service delivery or meaningful financial damage to other organisations — must be reported to CERT.LV on this timeline:
| Step | Deadline | What to report |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Notification that a significant incident has occurred |
| Initial report | Within 72 hours | Preliminary impact assessment, incident type, indicators of compromise |
| Final report | Within 30 days | Root cause, remediation steps taken, cross-border impact if applicable |
CERT.LV uses submissions to compile the national incident map and may issue technical mitigation guidance to affected entities after submission. For entities in sectors with dedicated competent authorities — banking supervised by the Financial and Capital Market Commission, energy by the Ministry of Economics — confirm whether parallel notification to your sector supervisor is required alongside CERT.LV reporting [1].
Contact: cert@cert.lv | +371 670 85 888 | cert.lv/en
Building a documented incident response process before any incident occurs is the standard approach. The NIS2 compliance checklist maps the incident reporting obligations alongside the full Article 21 measure set for comparison.
Enforcement and Penalties
Latvia differentiates supervision intensity by entity tier and uses a graduated enforcement model before reaching monetary fines [2].
Essential entities face proactive ex-ante supervision: the NCSC and sector authorities can conduct compliance audits and inspections without waiting for an incident. Important entities face reactive ex-post supervision, triggered by incidents, complaints, or suspected non-compliance.
When violations are found, Latvia’s enforcement ladder moves through four stages, with monetary fines as the last:
- Written warning
- Binding direction with a remediation deadline
- Periodic daily penalty while non-compliance continues
- Monetary fine up to the statutory caps
| Entity type | Maximum fine |
|---|---|
| Essential entity or critical ICT infrastructure operator | €10,000,000 or 2% of total global annual turnover (whichever is higher) |
| Important entity | €7,000,000 or 1.4% of total global annual turnover (whichever is higher) |
Director liability: Repeated negligent breaches of cybersecurity obligations under the NCL can result in a three-year management ban for senior managers — personal accountability beyond the standard NIS2 fines framework [2].
Public sector entities are exempt from monetary fines but face mandatory corrective orders from CERT.LV and public disclosure of non-compliance, a reputational consequence in place of financial penalties.
Latvia NIS2 Compliance Checklist
Use this checklist to verify your organisation’s status against Latvia’s key NCL obligations. Most initial deadlines fell in early-to-mid 2025; the cybersecurity manager appointment remains the active priority for entities not yet in compliance.
| Task | Deadline | Owner |
|---|---|---|
| Determine essential / important / critical ICT classification | 1 April 2025 — verify now if not done | Compliance Officer |
| Register with NCSC (NIS2@mod.gov.lv) | 1 April 2025 — register now if missed | Legal / Compliance |
| Appoint cybersecurity manager and complete vetting check | 1 October 2025 | Board / HR |
| Notify NCSC or Constitution Protection Bureau of appointment | 1 October 2025 | Cybersecurity Manager |
| Submit first self-assessment questionnaire | 1 October 2025 | Cybersecurity Manager |
| Review IT vendor contracts for Russia / Belarus restriction | Ongoing — Cabinet Regulation No. 397 in force 2 July 2025 | IT / Legal |
| Establish CERT.LV incident reporting process (24h / 72h / 30d) | Before any significant incident | IT Security |
| Annual employee cybersecurity training | Annual — Cabinet Regulation No. 397 | HR / IT |
Frequently Asked Questions
Can the cybersecurity manager role be filled by an external consultant?
Latvia’s NCL requires appointment of a named individual responsible for cybersecurity implementation within the organisation. Cabinet Regulation No. 397 sets out eligibility criteria but does not explicitly exclude external consultants. The role must be substantive — it involves conducting annual security reviews, maintaining active CERT.LV liaison, and coordinating self-assessment submissions. For most organisations, a dedicated in-house appointment with a defined portion of time is the lower-risk interpretation. Contact the NCSC at NIS2@mod.gov.lv for guidance specific to your entity classification.
Our company is established outside Latvia but serves Latvian customers. Does the NCL apply?
Latvia’s NCL applies primarily to entities registered in Latvia. For services provided from a non-Latvian base, NIS2’s place-of-establishment rules generally mean you are supervised by the member state where you are registered. Exceptions apply for DNS providers, TLD registries, and domain name registrars, where NIS2 assigns jurisdiction based on criteria set out in the directive itself.
What happens if we missed the April 2025 registration deadline?
Registration is still required. Latvia’s graduated enforcement approach — written warnings before fines — means entities that engage proactively face less exposure than those that remain unregistered. Submit registration via NIS2@mod.gov.lv as soon as possible and document the steps your organisation has taken to comply since the deadline passed.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
1. NIS2 Directive Implementation in Latvia — European Commission Digital Strategy
2. Latvia — EU NIS2 Directive — Eversheds Sutherland
3. “Minimum Cybersecurity Requirements” Come into Force — WIDEN Legal
4. Register with the National Cyber Security Centre — Ministry of Defence Latvia
5. Overview of Latvia’s Cybersecurity Law: How Did It Transpose NIS2? — Advisera
6. NIS 2 Directive Article 20: Governance — nis-2-directive.com
