21
Thu, Nov
45 New Articles

Summary of Latvia’s New National Cyber Security Law

Latvia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

On 1 September 2024, the National Cyber Security Law came into force, replacing the Law on the Security of Information Technologies. 

The new law aims to enhance and bolster cybersecurity in Latvia, implementing in 2022 revised EU Network and Information Security Directive or “NIS2”, which aims to achieve a uniformly high level of cybersecurity across the European Union (EU). The law will considerably expand the sectors required to adhere to cybersecurity regulations. This expansion of regulated subjects will ensure a consistent level of cybersecurity across different sectors in Latvia and between the public and private sectors. The National Cyber Security Law will apply to providers of essential and important services, as well as critical information and communication technology (ICT) infrastructure.

Providers of essential and important services will encompass state and local institutions, along with medium and large enterprises operating in one of the sectors stipulated in the law, such as ICT, digital services, electronic communications, public media, energy, transport, water, food, medicine and pharmaceuticals, manufacturing, financial services, postal services, education, science, and security. Alongside, organisations whose disruption could significantly impact public security, state security, public health or pose a substantial systemic risk, especially in sectors where such disruption could have a cross-border effect, will also be categorised as essential service providers. As before, the institutions and businesses eligible for the ICT critical infrastructure list will be approved by the Cabinet of Ministers.

The new requirements will entail several obligations, including:

  • registration by 1 April 2025;
  • appointment of a Cyber Security Manager by 1 October 2025;
  • submission of a self-assessment report by 1 October 2025;
  • compliance with minimum cybersecurity requirements;
  • reporting of cybersecurity incidents.

In instances of significant non-compliance, the competent authorities will have the authority to impose substantial fines.

By Indrikis Liepa, Partner, and Agnese Gerharde, Senior Associate, Cobalt

Cobalt at a Glance

COBALT is a closely integrated alliance of top-tier law offices across the Baltics, uniting more than 250 attorneys and support staff. During 25 years of experience, we have become a strategic partner to our clients in handling both daily matters and complex large–scale transactions and disputes.

The firm’s broad spectrum of expertise and established position as the market leader gives a comprehensive basis for providing full-service business law advice.

Top international and regional businesses, financial institutions, state and local governments, and the region’s most promising start-ups are among our clients. We offer leading-edge solutions in key industry sectors: Consumer Products, Trade & Distribution, Real Estate & Construction, Pharmaceuticals & Healthcare, Energy & Utilities, Communications, Media & Technologies, Financial Services, Transport & Logistics.

COBALT has been named Baltic Law Firm of the Year 7 times receiving Chambers Europe, IFLR, The Lawyer and Mergermarket awards, and we are regularly listed amongst the top-performing M&A legal advisors in the Bloomberg, Refinitiv and Mergermarket deal tables. Recognized as the No.1 Lithuanian law firm in the Prospera Law Firm Review 2021 and No. 1 law firm in Latvia in 2022, 2020, 2019, and 2018 client satisfaction surveys. We were recognized as a Baltic-wide Law Firm of the Year at the 2022 Chambers Europe Awards ceremony and named the Baltic States Tax Firm of the Year and Pro Bono Firm of the Year at the annual ITR EMEA Tax Awards 2021 ceremony. 

More information on COBALT can be found at www.cobalt.legal.