As of 1 September 2024, the National Cyber Security
Law (NCSL) has entered into force in Latvia, aiming to strengthen cyber
security standards in Latvia and ensure a common cyber security approach across
the European Union. Although most non-governmental organisations (NGOs) are not
directly covered by this law, there are exceptions. NGOs that perform functions
delegated by the State and are considered to be providers of important or
essential services may be subject to the requirements of the NCSL.
Unfortunately, it is not entirely clear who is
considered to be a provider of essential and critical services, so in order to
clarify whether an organisation is subject to the NCSL and falls under the
requirements below, the Civic Alliance - Latvia (CAL) invites organisations to
take this interactive test by the Ministry of Defence. More information here.
For further questions, please contact NIS2@mod.gov.lv.
If your organisation is considered a subject of the
NCSL, then:
- You are required to submit a registration form to the
National Cyber Security Centre by 1 April 2025. The questionnaire will be
available once the Cabinet of Ministers' Regulation on minimum cybersecurity
requirements, which is currently being harmonised, is approved.
- By 1 October 2025, a responsible person in the
organisation for cyber security must be identified.
- The organisation should identify its processes and
services affected by Information and Communication Technologies (ICT) as well
as ICT infrastructure and information systems.
- A catalogue of ICT resources and information systems
should be established, with data on relevant resources and information systems
entered and regularly updated.
- Cybersecurity risks should be assessed and their
potential impact on the confidentiality, integrity and availability of
information resources should be evaluated.
- Develop a cyber security policy and a cyber risk
management and ICT business continuity plan;
- Organise regular cyber hygiene training for the
organisation's employees.
- Report cyber security incidents to CERT.LV or MilCERT.
- Conduct a self-assessment and submit a self-assessment report to the competent supervisory authority by 1 October 2025.
The information has been prepared with the financial support of the Society Integration Foundation from the Latvian state budget. The Civic Alliance - Latvia is responsible for the content of the information.