Latvia NIS2 Fines Reach €10M — and Directors Risk 3-Year Disqualification Under NCSC Enforcement
Latvia’s National Cybersecurity Centre (NCSC) gained enforcement authority on 1 September 2024, when the National Cyber-Security Law (Nacionālās kiberdrošības likums) entered force. Two provisions distinguish Latvia’s implementation from most EU member states: directors can be personally disqualified from management roles for up to three years following repeated compliance failures, and every covered entity must appoint a certified cybersecurity manager by October 2025 — a formally accountable role with its own qualification requirements and no equivalent in the baseline NIS2 Directive.
This guide covers the complete enforcement picture: fine thresholds under Article 34 of the NIS2 Directive, the escalation ladder the NCSC follows before reaching the maximum penalty, Cabinet Regulation No. 397’s prescriptive technical requirements, and the deadlines that apply to essential and important entities operating in Latvia. For a broader overview of Latvia’s NIS2 framework, see our Latvia NIS2 country guide.
Who Latvia’s National Cyber-Security Law Covers
The law applies to essential and important entities operating across the sixteen sectors in NIS2 Directive Annexes I and II. Standard EU size thresholds apply — 250+ employees or €50M+ revenue for essential-entity classification, 50+ employees or €10M+ revenue for important-entity classification — with specific categories qualifying regardless of size, including critical infrastructure operators, central government bodies, and designated digital infrastructure providers.
| Category | Example sectors | General size threshold |
|---|---|---|
| Essential entity | Energy, transport, banking, healthcare, drinking water, digital infrastructure, space | 250+ employees OR €50M+ revenue / €43M+ balance sheet (or sector-critical status regardless of size) |
| Important entity | Postal services, waste management, food production, chemicals, manufacturing, digital providers, research | 50–249 employees OR €10M–€50M revenue / balance sheet |
Latvia added one scope expansion beyond the NIS2 baseline that compliance teams at smaller organisations must not overlook: all electronic communications providers operating in Latvia are classified as essential entities regardless of company size. A small ISP with fewer than 50 employees faces the same maximum fine ceiling — and the same cybersecurity manager obligation — as a nationwide telecoms carrier. This is a material departure from the NIS2 Directive’s default, under which small providers would typically qualify as important entities.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
Entities were required to submit a self-assessment and register their entity category with the NCSC by 1 April 2025. Late or inaccurate registration is itself a compliance failure subject to enforcement, and removes any good-faith defence during a subsequent inspection. See our NIS2 entity registration guide for the full registration process.
Fine Tiers: Essential vs Important Entities Under Article 34
Latvia adopted the NIS2 Directive’s penalty thresholds directly, without imposing stricter national maximums or adding statutory minimum fine floors. Administrative fines are triggered when an entity breaches Article 21 (cybersecurity risk-management measures) or Article 23 (incident notification obligations) of Directive 2022/2555.
| Entity type | Maximum administrative fine | Trigger |
|---|---|---|
| Essential entity | €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year — whichever is higher | Breach of NIS2 Article 21 or Article 23 |
| Important entity | €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year — whichever is higher | Breach of NIS2 Article 21 or Article 23 |
The “whichever is higher” structure has real consequences for global organisations. An essential entity with €800M worldwide annual turnover faces a potential fine ceiling of €16M (2% × €800M) — materially above €10M, because the directive sets €10M as the minimum ceiling, not as a cap. For a Latvian SME with €5M global turnover, 2% yields just €100,000 — well below the €10M floor, which then becomes the operative ceiling. The NCSC applies whichever calculation produces the higher result in each enforcement case.
Latvia’s penalty structure contrasts with Bulgaria, which added statutory minimum fine floors of €25,000 (essential) and €12,500 (important) on top of the NIS2 maximums. Latvia sets no minimum — the NCSC determines fine amounts within the ceiling based on the severity and duration of the violation, whether it was intentional or negligent, the entity’s cooperation during investigation, and any prior enforcement history. For the underlying EU-level penalty framework and how Latvia compares across member states, see our NIS2 penalties overview and the essential vs important entity classification guide.
Director Disqualification: Latvia’s Severest Enforcement Tool
Beyond monetary fines, Latvia’s National Cyber-Security Law empowers the NCSC to ban directors and senior managers from holding any management position for up to three years following repeated negligent breaches of cybersecurity obligations. NIS2 Directive Article 20 requires management bodies to accept liability for infringements of the directive, and Article 32 gives competent authorities the power to hold individual managers personally accountable and impose temporary prohibitions on exercising management functions. Latvia implemented this as a maximum three-year disqualification period — a severity that goes beyond most EU member state implementations.
Disqualification is an escalated measure, not a first response. The NCSC is expected to pursue the standard enforcement ladder — warnings, binding directions, periodic penalty payments, and monetary fines — before seeking disqualification. But “repeated negligent breaches” is not defined quantitatively in the law, leaving the NCSC discretion over how many failures, over what period, and in which compliance domain suffice. Two or more substantive failures in the same domain — persistent failure to report incidents within the required window, or ongoing absence of a cybersecurity manager after receiving a formal warning — could be sufficient to trigger proceedings.
The threshold is negligence, not intent. A director cannot avoid disqualification by claiming ignorance of the compliance failure if the failure was objectively detectable and the entity had been notified of the gap. Demonstrating a structured, documented compliance programme — an appointed cybersecurity manager, regular self-assessments, documented security governance — is the primary substantive defence against both the maximum fine and disqualification.
For guidance on structuring board-level NIS2 accountability and the governance obligations that sit beneath Article 20, see our board and director obligations guide and our NIS2 supervisory measures overview.
The Cybersecurity Manager Requirement (Latvia-Only)
Latvia’s National Cyber-Security Law introduced a compliance obligation with no direct NIS2 baseline equivalent: every covered entity must appoint a cybersecurity manager — a formally designated person responsible for implementing and overseeing the entity’s cybersecurity measures. The appointment deadline was 1 October 2025.
This role is distinct from a CISO or a Data Protection Officer. The cybersecurity manager is the entity’s primary point of contact with CERT.LV (Latvia’s Cyber Incident Response Institution) and must conduct at least one full security review of all information and communication technologies annually. Cabinet Regulation No. 397 specifies that cybersecurity managers — and external auditors — must hold a recognised certification: CISA, ISO/IEC 27001 Lead Auditor, CISSP, or CISM are cited as the accepted credentials. This makes the cybersecurity manager a qualified technical role, not a nominal administrative appointment.
The regulation also restricts who may conduct external cybersecurity audits: auditors must be professionals based in NATO, EU, EFTA, or IP4 countries. Engaging a cybersecurity consultant registered in Russia, Belarus, or a state officially designated as supporting terrorism is explicitly prohibited for both audit and IT service provision.
Why absence is a structural compliance problem: An entity that reaches an NCSC inspection without a qualified cybersecurity manager cannot demonstrate compliance with its Article 21 security governance obligations. There is no substitute role or interim arrangement recognised in the law. The absence leaves the entity’s entire compliance position without a documented accountable owner, eliminating the due-diligence defence entirely. Enforcement action for non-appointment follows the standard escalation ladder, but the NCSC is unlikely to treat the absence as a minor procedural gap when it is a named statutory obligation with a passed deadline.
Cabinet Regulation No. 397: What the Minimum Requirements Actually Mandate
Cabinet Regulation No. 397, titled “Minimum cybersecurity requirements,” entered force on 2 July 2025. Unlike ISO 27001 or the NIS2 CIR 2024/2690 implementing regulation — which allow entities to design control frameworks around their own risk profile — Cabinet Regulation No. 397 is prescriptive: compliance means meeting its specific requirements directly, not demonstrating equivalent controls through an alternative framework. An entity with ISO 27001 certification is not automatically compliant with Cabinet Regulation No. 397; the regulation’s four mandatory documents must exist as discrete artefacts.
Every covered entity must maintain these four documents:
- Cybersecurity policy — must include the organisational structure, a description of information and communication technology systems in use, and current threat exposure context
- IT resource catalog — a register of all information systems subject to cybersecurity obligations
- Cyber risk management and continuity plan — covering incident identification procedures, response steps, stakeholder notification protocols, and system recovery procedures
- Incident log — a running record of all cybersecurity incidents
Beyond documentation, the regulation mandates: annual cybersecurity training for every employee using ICT (content tailored to job function and qualifications, reviewed and updated annually or when the threat landscape changes); backup procedures enabling complete system restoration including executable code, scripts, and scheduled tasks; and access control with the authority to block individual user access for up to five working days when a security threat is identified.
Supply chain restriction: Entities may not enter IT service agreements with providers registered in Russia, Belarus, or states officially designated as supporting terrorism — and the prohibition extends to sub-processors, not just direct suppliers. This applies to software, managed services, and infrastructure contracts. For broader supply chain compliance obligations under Article 21(2)(d), see our supply chain security guide.
NCSC Enforcement Powers and the Escalation Ladder
The National Cybersecurity Centre (NCSC) is Latvia’s primary NIS2 supervisory authority, responsible for compliance oversight across covered sectors. CERT.LV — the Cyber Incident Response Institution — handles incident response coordination and receives the mandatory 24-hour early warning and 72-hour initial notifications; it is not a sanctions authority. The NCSC follows a five-step escalation before reaching the maximum administrative fine:
| Step | Measure | Practical effect |
|---|---|---|
| 1 | Warning | Formal notice identifying specific compliance gaps; entity given a remediation deadline |
| 2 | Binding direction | NCSC orders specific corrective action — non-compliance with the direction triggers the next step |
| 3 | Periodic penalty payment | Recurring financial pressure to compel compliance with binding directions |
| 4 | Administrative fine | Monetary sanction up to €10M / 2% (essential) or €7M / 1.4% (important) |
| 5 | Service suspension or director disqualification | Last resort; used where an entity presents ongoing systemic risk or directors show repeated negligence |
The escalation ladder does not require the NCSC to proceed through every step sequentially. In cases involving serious incidents, deliberate violations, or where an entity previously received a warning and took no action, the NCSC can move directly to monetary fines. An entity that failed to report a significant incident within 24 hours and has no cybersecurity manager in place is unlikely to benefit from the warning stage.
Public sector enforcement differs. State and municipal institutions are not subject to monetary fines under Latvia’s framework. Instead, the NCSC issues corrective orders paired with mandatory public disclosure of the compliance failure — a reputational enforcement mechanism that can carry significant consequences for government agencies. This approach mirrors the NIS2 Directive’s intent for public sector accountability while avoiding the legal complexity of state self-fining. For the reporting obligations that sit alongside enforcement, see our NIS2 incident reporting guide.
Key Compliance Deadlines for Latvia
| Date | Obligation | Who it applies to |
|---|---|---|
| 1 September 2024 | National Cyber-Security Law entered force; NCSC supervisory authority activated | All essential and important entities |
| 1 April 2025 | Self-assessment submission and entity registration as essential or important | All essential and important entities |
| 2 July 2025 | Cabinet Regulation No. 397 minimum technical requirements enter force | Essential + important entities; state and municipal institutions |
| 1 October 2025 | Appoint certified cybersecurity manager; submit compliance self-assessment to NCSC | All essential and important entities |
| Ongoing | 24-hour early warning + 72-hour initial notification + 30-day final report to CERT.LV for significant incidents | All essential and important entities |
For the full NIS2 compliance framework across all obligations — not only Latvia-specific requirements — see our NIS2 compliance checklist.
Frequently Asked Questions
Does Latvia set a minimum fine, or only a maximum ceiling?
Latvia sets only a ceiling — no statutory minimum fine floor. The NCSC determines the specific fine amount within the Article 34 ceiling based on the severity and duration of the violation, whether it was intentional or negligent, any prior enforcement history, and the entity’s cooperation during the investigation. This differs from Bulgaria, which added statutory minimum floors of €25,000 (essential) and €12,500 (important) on top of the NIS2 maximums.
Which body receives mandatory incident notifications — NCSC or CERT.LV?
Mandatory incident reports go to CERT.LV, Latvia’s Cyber Incident Response Institution, which acts as the designated point of contact for significant cybersecurity incidents. CERT.LV handles response coordination and escalates to the NCSC where enforcement follow-up is warranted. The NCSC is the sanctions and supervisory authority; CERT.LV is the incident response function. Sending reports to the wrong body does not constitute compliance with the 24-hour or 72-hour notification requirement.
Is the cybersecurity manager required to be an in-house employee?
Latvia’s law does not explicitly require an in-house employee, but the role carries obligations — primary contact with CERT.LV, annual ICT security review, recognised certification — that make nominal outsourcing problematic. A contracted cybersecurity manager who cannot respond rapidly to NCSC or CERT.LV contact during an active incident creates a structural gap in the entity’s response chain. Entities outsourcing the role should ensure a service-level agreement that guarantees certification, documented accountability, and availability during incidents.
Can an entity still face enforcement if it was the victim of a cyberattack?
Yes. Latvia’s enforcement framework focuses on whether appropriate security measures were in place before the incident, not on the cause of the attack. An entity with documented Cabinet Regulation No. 397 compliance, an appointed and certified cybersecurity manager, and timely incident reporting is in a defensible position. An entity with missing documentation, no cybersecurity manager, and a late notification faces enforcement action regardless of whether the breach was externally caused — the “was not intending to cause harm” argument does not map onto the negligence standard.
My company is established in another EU member state but has operations in Latvia. Does Latvia’s NCSC have jurisdiction?
Under NIS2 Directive Article 26, jurisdiction generally follows the member state where the entity is established — typically where main administration or the EU representative office is located. However, Latvia’s NCSC may exercise oversight over services delivered within Latvia, particularly where the entity qualifies under Latvian sector-specific rules (such as the all-essential classification for electronic communications providers). Cross-border jurisdiction questions require analysis by qualified legal counsel and should be resolved before the October 2025 cybersecurity manager deadline.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
