Latvian government agrees on major cyber security update

On Tuesday, March 19, the Latvian Cabinet of Ministers approved the draft law "National Cyber ​​Security Law". The purpose of the draft law is to strengthen cyber security in Latvia, as well as to introduce the revised requirements of the European Union Network and Information Systems Security Directive (NIS2) to achieve a uniformly high level of cyber security throughout the European Union.

"Latvia has so far demonstrated strong cyber resilience. But given our strong stance against Russian aggression in Ukraine, we must be prepared to continue to be the target of Russian cyber attacks. That is why we are proactively strengthening our cyber capability and cyber security management," said Defense Minister Andris Sprūds of the draft law.  

The National Cyber ​​Security Law introduces a number of significant changes compared to the current Information Technology Law. A National Cyber ​​Security Center will be established, which will act as a single point of contact for cyber security issues and supervise the implementation of national cyber security requirements, as well as develop national cyber security policy initiatives. 

The functions of the National Cyber ​​Security Center will be implemented by the Ministry of Defense in cooperation with the structural unit CERT.LV of the Institute of Mathematics and Informatics of the University of Latvia. 

CERT.LV will be responsible for responding to cyber security incidents, monitoring the cyberspace situation and analyzing threats, ensuring the operation of the sensor network, DNS firewall and security operation centers, as well as educating the public on cyber security issues.

The bill will cover providers of essential and critical services, as well as critical infrastructure of information and communication technologies, and it sets out the criteria by which a public or private sector organization is defined as belonging to one of these groups. The bill states that public and private sector organizations that will be affected by the law will have until April 1, 2025 to determine their status and register, and to appoint a cybersecurity manager by July 1, 2025. 

Other requirements include meeting minimum cybersecurity requirements, reporting incidents and discovered vulnerabilities, developing a risk management and business continuity plan, and submitting an annual self-assessment report.

The draft law provides that the National Cyber ​​Security Center will carry out the monitoring of essential and important service providers, inspections of documents and information and communication technology infrastructure, as well as the implementation of corrective measures, while the Constiturion Protection Bureau security service (SAB) will be the institution for critical infrastructure of information and communication technologies.

Additionally, the bill envisages establishing requirements for protection against denial of service cyberattacks, determining security requirements for data centers, as well as developing 'cyber hygiene' requirements that will be applicable to state and local government institutions.

In order for the draft law "National Cyber ​​Security Law" to enter into force, it still needs to be reviewed and approved by the Saeima in three readings.

Seen a mistake?

Select text and press Ctrl+Enter to send a suggested correction to the editor

Select text and press Report a mistake to send a suggested correction to the editor

Related articles


Most important