    NIS2 in Latvia

    A guide to NIS2 implementation and compliance in Latvia.

    Latvia is strengthening its national cybersecurity regime to align with the enhanced obligations introduced under the NIS2 Directive. The revised framework expands sector coverage, reinforces management accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Latvia for SMEs operating in covered sectors.

    1. Quick SME Applicability Snapshot in Latvia

    Does NIS2 apply to SMEs in Latvia?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Latvia and, in certain cases, foreign digital providers serving the Latvian market.

    SMEs should assess qualification under Latvia's national cybersecurity framework based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in Latvia

    Latvia transposed the Directive through the new National Cybersecurity Law (Nacionālās kiberdrošības likums), adopted by the Saeima on 20 June 2024, signed on 4 July 2024, and in force since 1 September 2024 — fully repealing and replacing the prior Information Technology Security Law (this is a new statute, not an amendment).

    Secondary legislation was completed by Cabinet Regulation No. 397 on minimum cybersecurity requirements, in force since 2 July 2025.

    National specifics include the mandatory appointment of a cybersecurity manager, a three-tier system classification (A enhanced / B basic / C minimal), and an annual ICT security review obligation under Article 25. The European Commission's reasoned opinion of May 2025 was resolved following the adoption of Cabinet Regulation No. 397.

    3. Scope of Application in Latvia

    Latvia's scope reflects Directive minimum sector categories without confirmed structural expansion.

    4. Size Thresholds and SME Applicability in Latvia

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors are automatically within scope.

    Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

    Latvian authorities retain formal designation powers where systemic risk justifies inclusion.

    5. Entity Classification Framework in Latvia

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Latvia follows the Directive's two-tier supervisory structure.

    6. Cybersecurity Risk Management Requirements in Latvia

    Latvia's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Latvian cybersecurity guidance is encouraged.

    7. Management Liability and Governance in Latvia

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Latvia's framework:

    • Boards are accountable for compliance oversight.
    • Senior management must ensure sufficient cybersecurity competence and formally appoint a cybersecurity manager, with notification to the NCSC (deadline 1 October 2025 — passed).
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    Latvia's NIS2 management liability expectations elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in Latvia

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage       | Deadline | Authority
    Early Warning         | 24 hours | CERT.LV (national CSIRT; incident reports submitted by telephone or email)
    Incident Notification | 72 hours | CERT.LV (national CSIRT; incident reports submitted by telephone or email)
    Final Report          | 1 month  | CERT.LV (national CSIRT; incident reports submitted by telephone or email)

    CERT.LV is the national CSIRT for incident reporting and cyber response. The National Cybersecurity Centre (NCSC) — whose functions are implemented by the Ministry of Defence in cooperation with CERT.LV — is the primary supervisory and policy authority. The Constitution Protection Bureau supervises critical ICT infrastructure owners. In-scope entities must also notify service recipients of significant incidents affecting service continuity.

    9. Supervisory Authorities and Enforcement Model in Latvia

    Primary supervisory authority: National Cybersecurity Centre (NCSC), with functions implemented by the Ministry of Defence in cooperation with CERT.LV; the NCSC acts as single point of contact, monitors implementation, and develops national cybersecurity policy. CERT.LV is the national CSIRT for incident response. The Constitution Protection Bureau supervises critical ICT infrastructure owners.

    Latvia operates a coordinated supervisory model under the NCSC; CERT.LV handles incident response; the Constitution Protection Bureau oversees critical ICT infrastructure. The NCSC may carry out inspections, order corrective measures, issue warnings, suspend services, and impose sanctions.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination mechanisms

    The enforcement structure aligns with Directive-level cooperation requirements.

    10. NIS2 Fines and Sanctions in Latvia

    Latvia applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Beyond financial penalties, authorities may impose additional enforcement measures:

    • Public disclosure of non-compliance
    • Binding instructions with deadlines
    • Temporary suspension of certifications
    • Temporary management bans for essential entities

    11. NIS2 Supply Chain and Vendor Security in Latvia

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Latvia's approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in Latvia

    Entities within scope must:

    • Register with the National Cybersecurity Centre (NCSC); the initial registration deadline of 1 April 2025 has passed; entities acquiring in-scope status thereafter must notify the NCSC within one month. Self-assessment is available via the Ministry of Defence's online NCL test tool.
    • Provide corporate identification details
    • Disclose sector classification and classify all information systems into three security categories: A (enhanced), B (basic), or C (minimal).
    • Maintain updated reporting contacts

    Cabinet Regulation No. 397 (in force 2 July 2025) defines the minimum technical and organisational measures by system security classification. Entities must maintain an up-to-date ICT resource catalogue covering information systems, architecture, and ICT-driven products and services.

    Self-identification is mandatory. The first self-assessment report was due to the NCSC by 1 October 2025 (passed). Subsequent annual ICT security reviews are required under Article 25, with formal rectification of identified deficiencies.

    13. Interaction With GDPR and Other Laws in Latvia

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Latvian cybersecurity legislation

    A cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in Latvia are supervised by Latvian authorities for cross-border services.

    Foreign digital providers offering services in Latvia may be subject to national obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the Latvian market.

    15. Implementation Timeline in Latvia

    • Directive adoption: 2022
    • National legislative amendments: National Cybersecurity Law adopted 20 June 2024, signed 4 July 2024; Cabinet Regulation No. 397 in force 2 July 2025.
    • Entry into force: 1 September 2024 (NCL); 2 July 2025 (Cabinet Regulation No. 397).
    • Commission notification: EC reasoned opinion of 7 May 2025 for incomplete secondary legislation was resolved following adoption of Cabinet Regulation No. 397.
    • Compliance milestones: entity registration 1 April 2025 (passed); cybersecurity manager appointment 1 October 2025 (passed); first self-assessment report 1 October 2025 (passed); annual ICT security reviews ongoing.

    Transposition is complete (1 September 2024) and secondary legislation finalised (2 July 2025). All initial milestones have passed; annual ICT security reviews are an ongoing obligation.

    16. Key Takeaways for SMEs in Latvia

    • Medium-sized entities in covered sectors are automatically within scope.
    • Small entities may be designated if critical to national or economic stability.
    • Board-level governance oversight is mandatory; entities must appoint a cybersecurity manager and notify the NCSC (deadline 1 October 2025 — passed).
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is required.
    • All initial deadlines have passed (registration 1 April 2025; cybersecurity manager and first self-assessment 1 October 2025); classify systems as A/B/C, implement Cabinet Regulation No. 397 minimums, and maintain ongoing annual ICT security reviews.

    FAQ: NIS2 Latvia SME Guide

    Does NIS2 apply to small companies in Latvia?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in Latvia?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Latvia?

    Latvia's National Cybersecurity Law was enacted by the Saeima on 20 June 2024 and entered into force on 1 September 2024, fully replacing the former Information Technology Security Law. Cabinet Regulation No. 397 on minimum cybersecurity requirements has been in force since 2 July 2025. All initial milestones — entity registration (1 April 2025), cybersecurity manager appointment (1 October 2025), and first self-assessment report (1 October 2025) — have passed.

    Who enforces NIS2 in Latvia?

    The National Cybersecurity Centre (NCSC) — whose functions are implemented by the Ministry of Defence in cooperation with CERT.LV — is the primary supervisory authority and single point of contact, conducting inspections and able to impose sanctions. CERT.LV is the national CSIRT for incident response. The Constitution Protection Bureau supervises critical ICT infrastructure owners.

    Can directors be personally liable under NIS2 in Latvia?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Latvia?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in Latvia?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.