New cybersecurity requirements: will they apply to NGOs?
01.10.2024

As of 1 September 2024, the National Cyber Security Law (NCSL) has entered into force in Latvia, aiming to strengthen cyber security standards in Latvia and ensure a common cyber security approach across the European Union. Although most non-governmental organisations (NGOs) are not directly covered by this law, there are exceptions. NGOs that perform functions delegated by the State and are considered to be providers of important or essential services may be subject to the requirements of the NCSL.

 

Unfortunately, it is not entirely clear who is considered to be a provider of essential and critical services, so in order to clarify whether an organisation is subject to the NCSL and falls under the requirements below, the Civic Alliance - Latvia (CAL) invites organisations to take this interactive test by the Ministry of Defence. More information here. For further questions, please contact NIS2@mod.gov.lv.


If your organisation is considered a subject of the NCSL, then:

  • You are required to submit a registration form to the National Cyber Security Centre by 1 April 2025. The questionnaire will be available once the Cabinet of Ministers' Regulation on minimum cybersecurity requirements, which is currently being harmonised, is approved.
  • By 1 October 2025, a responsible person in the organisation for cyber security must be identified.
  • The organisation should identify its processes and services affected by Information and Communication Technologies (ICT) as well as ICT infrastructure and information systems.
  • A catalogue of ICT resources and information systems should be established, with data on relevant resources and information systems entered and regularly updated.
  • Cybersecurity risks should be assessed and their potential impact on the confidentiality, integrity and availability of information resources should be evaluated.
  • Develop a cyber security policy and a cyber risk management and ICT business continuity plan;
  • Organise regular cyber hygiene training for the organisation's employees.
  • Report cyber security incidents to CERT.LV or MilCERT.
  • Conduct a self-assessment and submit a self-assessment report to the competent supervisory authority by 1 October 2025.


The information has been prepared with the financial support of the Society Integration Foundation from the Latvian state budget. The Civic Alliance - Latvia is responsible for the content of the information.

uploaded picture