A new institution, the National Cybersecurity Center (NCC), also begins operations, with its functions carried out by the Ministry of Defense in collaboration with the Institute of Mathematics and Computer Science (IMCS) of the University of Latvia, through its sub-division CERT.lv.
Compared to the existing Information Technology Law, the National Cybersecurity Law introduces several significant changes. Among them, the National Cybersecurity Center has been established, which will serve as a single contact point for cybersecurity matters, oversee the implementation of national cybersecurity requirements, and develop national cybersecurity policy initiatives.
According to its brief, the NCC "will act as a point of contact for cyber security issues, monitor the implementation of national cyber security requirements and develop national cyber security policy initiatives."
“The establishment of the National Cybersecurity Center is a significant step in strengthening Latvia’s cyber resilience. It will enable more effective monitoring of the situation in cyberspace and faster response to incidents, providing the necessary support to public and private sector organizations,” said Defense Minister Andris Sprūds.
The new law applies to providers of essential and important services, as well as critical information and communication technology infrastructure, and sets criteria to define the public and private sector organizations that belong to these groups.
To familiarize public and private sector organizations with the requirements in the National Cybersecurity Law and explain the procedures they must implement regarding cybersecurity management, the Ministry of Defense will organize nine online informational seminars in September.
The National Cybersecurity Law stipulates that public and private sector organizations affected by the law must determine their status and register by April 1, 2025, and appoint a cybersecurity manager by October 1, 2025, as well as submit the first self-assessment report. Other requirements include compliance with minimum cybersecurity standards, reporting incidents and identified vulnerabilities, and developing a risk management and business continuity plan.
The law stipulates that the National Cybersecurity Center will oversee the providers of essential and important services, conduct document and information and communication technology infrastructure inspections, and implement corrective measures, while the Constitution Protection Bureau will monitor the adherence to cybersecurity requirements for critical information and communication technology infrastructure.
The law also sets minimum cybersecurity requirements for providers of essential and important services and critical information and communication technology infrastructure, requirements for centralized protection against denial-of-service cyberattacks, as well as security requirements for data centers.
On 20 June 2024, the Parliament adopted the National Cyber Security Law. Its aim is to strengthen cybersecurity in Latvia and to implement the requirements of the revised Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), which aims to achieve a uniformly high level of cybersecurity across the European Union.
You can find out more about Latvia's cybersecurity provisions here.
