
NIS2 Latvia Compliance: Mandatory Cybersecurity Manager, CERT.LV Reporting, and Entity Registration

Latvia’s digital economy punches well above its 1.9 million population. With 7,060 ICT companies, over 43,000 technology workers, and a sector generating 6.7% of GDP, Riga has built itself into one of the Baltic region’s most significant technology hubs, and that concentration of digital services companies brings the NIS2 Directive into direct contact with thousands of Latvian organisations. Latvia’s National Cybersecurity Law entered into force on 1 September 2024, transposing NIS2 through a single, unified statute. Unlike countries that spread transposition across dozens of existing laws, Latvia wrote a clean framework: one law, a new supervisory body, and a mandatory cybersecurity manager requirement the EU directive itself never imposed.

For organisations operating in Latvia, compliance is no longer optional — and every major deadline has now passed. This guide covers the authority structure, scope criteria, Latvia’s specific go-beyonds, the registration process, and what your organisation needs to have in place.

Latvia’s National Cybersecurity Law: NIS2 Transposition in One Statute

The Saeima — Latvia’s parliament — adopted the National Cybersecurity Law (Nacionālās kiberdrošības likums) on 20 June 2024. Signed in Riga on 4 July, the law entered into force on 1 September 2024, making Latvia one of the first EU member states to complete primary NIS2 transposition ahead of the October 2024 EU deadline.

Latvia chose a “minimum implementation” approach — the law stays close to NIS2’s text without adding sweeping national extras, with one deliberate expansion: the research sector. Latvia optionally brought research institutions into scope, a permitted extension the directive allows.

One important caveat applies. While the primary legislation entered into force in September 2024, the secondary legislation (Cabinet of Ministers Regulation No. 397, defining minimum cybersecurity technical requirements) did not enter into force until 2 July 2025. The European Commission issued a reasoned opinion to Latvia on 7 May 2025 for failing to notify full transposition. As of early 2026, the infringement proceedings remain formally open.

For most compliance obligations — registration, cybersecurity manager appointment, self-assessment submission — the primary law controls. Cabinet Regulation No. 397 matters most when designing the specific technical security measures your organisation must implement.

Three Authorities, One Framework: Who Supervises What

Latvia distributes NIS2 oversight across three institutions. Misrouting a registration or incident report to the wrong body creates unnecessary delays and potential compliance risk.

| Authority | Role | Handles |
| --- | --- | --- |
| National Cyber Security Centre (NCSC) | Competent authority and point of contact | Entity supervision, registration, self-assessment review, compliance audits |
| CERT.LV | National CSIRT and CVD coordinator | Incident notifications (24h/72h/30-day), early warnings, vulnerability coordination |
| Constitution Protection Bureau | Critical ICT infrastructure supervisor | Critical state information systems, government ICT security oversight |

The National Cyber Security Centre (NCSC) is the primary competent authority established on 1 September 2024 alongside the law. The NCSC operates within the Ministry of Defence, with functions implemented in cooperation with CERT.LV. This is where your organisation registers, submits self-assessments, and directs compliance queries. The designated contact is NIS2@mod.gov.lv.

CERT.LV, operated under the Institute of Mathematics and Informatics of the University of Latvia, is the national CSIRT. It receives your incident reports — the 24-hour early warning, the 72-hour notification, and the 30-day final report — and coordinates vulnerability disclosures under the Cybersecurity Law’s five-day rule. CERT.LV has operated Latvia’s cyber incident response function since before NIS2; the new law formalises its role as national CVD coordinator.

The Constitution Protection Bureau (Satversmes aizsardzības birojs) supervises cybersecurity for critical ICT infrastructure — primarily information systems that underpin state functions. If your organisation provides services directly supporting government operations, the Constitution Protection Bureau is your primary supervisory contact, not the NCSC.

For most private-sector entities, the practical relationship runs through the NCSC for compliance and registration, and CERT.LV for incident reporting and vulnerability coordination.

Scope: Who Must Comply in Latvia

Latvia’s Cybersecurity Law maps closely to NIS2’s sector framework but applies three rules that expand scope meaningfully beyond the EU baseline. An entity falls under the law if it:

  1. Provides services in a designated sector (Articles 20–21 of the law)
  2. Meets the medium-enterprise size threshold (50+ FTE or turnover exceeding €10 million) — unless a special rule applies
  3. Is registered in Latvia — with one exception: electronic communications providers are in scope based on where they operate, not where they are registered

Designated sectors follow NIS2’s two-tier structure. Essential entities include energy (electricity, gas, oil, hydrogen, district heating, LNG), transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, and space. Important entities include postal services, waste management, chemicals, food, manufacturing, and research — the last being Latvia’s deliberate sector addition beyond the EU baseline.

Three scope-widening rules unique to Latvia extend coverage beyond the EU minimum:

  • All electronic communications providers are classified as essential entities regardless of size. A telecom startup of five employees is fully in scope, with no size-threshold exemption.
  • Single-provider rule: if your organisation is the sole provider of an essential or important service in a given territory, it is automatically classified regardless of size.
  • Municipality rule: municipalities with more than 50,000 inhabitants are in scope as public administration entities.

These expansions explain why Latvia estimates 6,000–8,000 organisations now covered, compared to roughly 1,000 under the previous NIS1 framework — a six-to-eightfold increase. To understand the general EU-level scope framework that Latvia’s law builds on, see who must comply with NIS2.

What Latvia Adds Beyond NIS2: Four Obligations the Directive Never Required

Latvia’s minimum-implementation approach does not mean a light-touch law. Four obligations go beyond what NIS2 itself mandates — and they are the additions most organisations discover only after they have already mapped their compliance against the EU directive directly.

1. Mandatory cybersecurity manager
Every in-scope entity must appoint a cybersecurity manager: a named individual responsible for implementing and overseeing the organisation’s cybersecurity measures. NIS2 requires management bodies to approve security measures and take responsibility for compliance; it does not mandate a dedicated named role. Latvia’s law does. The cybersecurity manager must complete specialised cybersecurity training and conduct annual security reviews, and serves as the formal interface between the organisation and supervisory authorities. The appointment and the manager’s identity must be formally notified to the NCSC by 1 October 2025.

2. Annual self-assessment reports
Latvia requires annual self-assessment reports submitted to the supervisory authority — not a one-time gap assessment but an ongoing annual obligation. The first submission deadline was 1 October 2025; subsequent reports are due annually from that date. Authorities can additionally conduct or order independent external compliance audits beyond the self-assessments.

3. Five-working-day vulnerability disclosure
When a vulnerability is discovered in your systems, Latvia requires disclosure to the competent cyber incident response authority within five working days of discovery. NIS2 mandates a coordinated vulnerability disclosure (CVD) framework in principle but does not impose this specific window. CERT.LV serves as Latvia’s CVD coordinator and is the recipient of these disclosures.

4. Government data centre SOC requirement
Data centres hosting government information systems may be required — following supervisory assessment — to install a Security Operations Centre. This is a conditional rather than universal obligation, but it represents a materially higher requirement than the technical measures prescribed under NIS2 Article 21 alone.

The Registration Process: How to Notify the NCSC

The registration deadline was 1 April 2025. If your organisation has not yet registered, it is in breach. The process requires formally notifying the NCSC of your status as an essential or important entity.

Step 1 — Determine your status: Use the Ministry of Defence’s interactive eligibility test at mod.gov.lv/lv/nkdl-tests. The test is currently available in Latvian only. International organisations without Latvian-speaking compliance staff should engage a local legal advisor to complete the assessment correctly.

Step 2 — Complete the registration form: Provide your organisation’s identification details, contact information, provider status designation (essential or important), operational sectors using NACE codes, geographic scope of operations, IP address ranges in use, and the identity of your designated cybersecurity contact person.

Step 3 — Sign electronically: The completed form must carry a valid electronic signature before submission.

Step 4 — Submit via official channels: Send the signed form to the official e-address of “Aizsardzības ministrija Nacionālais kiberdrošības centrs” (the Ministry of Defence National Cyber Security Centre). For questions and submission guidance: NIS2@mod.gov.lv.

Incident Reporting to CERT.LV: The 24/72/30 Framework

Latvia’s incident reporting ladder follows NIS2 Article 23’s structure, with one Latvia-specific addition for vulnerability disclosures.

| Stage | Deadline | What to Report |
| --- | --- | --- |
| Early warning | Within 24 hours of detection | Acknowledge incident; indicate if malicious action is suspected |
| Initial notification | Within 72 hours | Impact assessment, initial mitigation steps taken |
| Final report | Within 30 days | Root cause analysis, full impact assessment, cross-border implications, resolution outcome |
| Vulnerability disclosure (Latvia-specific) | Within 5 working days of discovery | Report discovered vulnerability to CERT.LV as national CVD coordinator |

All incident reports go to CERT.LV. For significant incidents with supervisory implications, the NCSC must also be notified. Failure to report a qualifying incident within the required windows is itself a breach subject to penalties — including the same administrative fines that apply to underlying security failures.

Penalties and Personal Liability

Latvia adopts NIS2’s penalty structure without national modification at the corporate level:

| Entity Type | Maximum Fine |
| --- | --- |
| Essential entities | €10 million or 2% of global annual turnover (whichever is higher) |
| Important entities | €7 million or 1.4% of global annual turnover (whichever is higher) |
| Critical ICT infrastructure operators | €10 million or 2% of global annual turnover |
| Public bodies | No monetary fines; mandatory corrective orders and public disclosure of failures |

Beyond corporate fines, the Cybersecurity Law makes personal liability explicit. Board members and legal representatives who contribute to significant compliance failures through negligence can be disqualified from management positions for up to three years. This mirrors NIS2’s management accountability intent, but Latvia’s mandatory cybersecurity manager role compounds the exposure: there is now a named individual who carries personal accountability for implementation oversight.

Supervisory authorities may also issue warnings, order corrective measures, suspend service provision until deficiencies are resolved, and mandate public disclosure of compliance failures. For organisations serving enterprise customers, the reputational consequences of public disclosure often exceed the financial penalties themselves.

Latvia’s Energy Sector and ICT Profile Under NIS2

The BRELL desynchronisation: energy infrastructure under heightened scrutiny

On 8 February 2025, Latvia, Estonia, and Lithuania permanently disconnected from the BRELL electricity ring — the Soviet-era interconnected grid linking Baltic energy systems to Russia and Belarus. Latvia isolated its electricity system for approximately 24 hours, then completed synchronisation with the Continental European power grid by 9 February. The timeline was accelerated from a planned 2026 exit following Russia’s 2022 invasion of Ukraine, with the Ministry of Defence reinforcing monitoring of Baltic energy infrastructure throughout the transition.

The desynchronisation elevated energy infrastructure cybersecurity to a political and operational priority months before the October 2025 NIS2 compliance deadlines. Latvia’s Cybersecurity Law classifies electricity, gas, oil, hydrogen, district heating, and LNG operators as essential entities — meaning the energy operators now managing an independently synchronised grid carry full NIS2 obligations, including €10 million penalty exposure for compliance failures.

Why Latvia’s scope is disproportionately large

Latvia’s ICT sector generates 6.7% of GDP, employs over 43,000 people across 7,060 companies, and produced an ICT services trade surplus of €764 million in 2023 — significant for a nation of under two million people. Latvia ranks first among OECD countries for mobile data usage per capita, and 342 telecommunications companies are active across the market. Under the Cybersecurity Law’s rule that all electronic communications providers are essential entities regardless of size, each of those telecoms operators enters full NIS2 scope. That single rule, applied to Latvia’s dense digital services market, accounts for a large share of the estimated 6,000–8,000 in-scope organisations — roughly six times the NIS1 total.

Compliance Status: Where Latvian Entities Must Stand

All major deadlines under Latvia’s Cybersecurity Law are now past. For organisations assessing their position as of mid-2026:

| Obligation | Deadline | If Not Completed |
| --- | --- | --- |
| Scope assessment via NCSC eligibility test | Before 1 April 2025 | Complete immediately; necessary prerequisite for registration |
| Registration with NCSC | 1 April 2025 | Active breach: engage legal counsel and register without further delay |
| Cybersecurity manager appointment and NCSC notification | 1 October 2025 | Active breach: appoint and notify the NCSC |
| First annual self-assessment report | 1 October 2025 | Active breach: submit immediately |
| Technical measures (Cabinet Regulation No. 397) | 2 July 2025 onward | Non-compliance with minimum cybersecurity requirements |
| Incident reporting procedures to CERT.LV | Ongoing from 1 Sep 2024 | Each unreported qualifying incident is a separate breach |
| 5-day vulnerability disclosure process | Ongoing | Document the process and ensure it is operationally active |

Frequently Asked Questions

Does Latvia’s Cybersecurity Law apply to subsidiaries of foreign companies?
Yes, in most cases. The law applies to entities registered in Latvia that operate in a designated sector and meet the size threshold. A subsidiary incorporated under Latvian law is in scope on those terms. Electronic communications providers are in scope based on where they operate, not where they are registered — making foreign telecoms operators active in Latvia subject to the law regardless of registration location. Foreign parent companies not directly providing services in Latvia are not subject to Latvian registration.

The eligibility test is in Latvian only. What should international organisations do?
The Ministry of Defence’s online eligibility test (mod.gov.lv/lv/nkdl-tests) is currently available in Latvian only — a practical barrier for international compliance teams. Engage a Latvian-qualified legal or compliance advisor to complete the test and interpret the output. The NCSC accepts compliance queries at NIS2@mod.gov.lv and can assist with classification questions.

Can the mandatory cybersecurity manager be an external consultant?
The law requires a named individual responsible for implementing and overseeing cybersecurity measures, who must complete specialist training. The law does not explicitly prohibit an external consultant in this role, but the individual must be formally identifiable, notified to the NCSC, and available to supervisory authorities. Contracts with external consultants should reflect the personal accountability dimension of the role explicitly.

What is the practical difference between CERT.LV and the NCSC?
CERT.LV is Latvia’s national CSIRT — it handles your incident notifications (24h/72h/30-day ladder), early warnings, and the five-day vulnerability disclosures. The NCSC is the competent authority — it supervises compliance, manages entity registration, reviews self-assessments, and conducts or orders audits. Both operate in coordination under the Ministry of Defence. In practice: incident and vulnerability reports go to CERT.LV; registration and compliance matters go to the NCSC via NIS2@mod.gov.lv.

Key Takeaways

  • Latvia’s National Cybersecurity Law entered into force on 1 September 2024, implementing NIS2 through a single statute with a minimum-implementation approach
  • Three bodies govern compliance: the NCSC (competent authority), CERT.LV (national CSIRT and CVD coordinator), and the Constitution Protection Bureau (critical ICT infrastructure)
  • 6,000–8,000 organisations are estimated in scope — all electronic communications providers are essential entities regardless of size
  • Latvia adds four obligations beyond NIS2: mandatory cybersecurity manager, annual self-assessment, five-day vulnerability disclosure, and potential SOC requirement for government data centres
  • All deadlines — registration (April 2025), manager appointment (October 2025), first self-assessment (October 2025) — have passed; late entities are in active breach
  • Penalties reach €10 million or 2% of global turnover for essential entities; directors face personal disqualification for up to three years
  • The February 2025 BRELL desynchronisation elevated energy sector cybersecurity from a regulatory obligation to a geopolitical priority for Latvia’s grid operators

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

NIS2 Latvia Compliance: Mandatory Cybersecurity Manager, CERT.LV Reporting, and Entity Registration infographic: key facts visualised. Source: nis-2-templates.com
