"Latvia has so far demonstrated strong cyber resilience. But given our strong stance against Russian aggression in Ukraine, we must be prepared to continue to be the target of Russian cyber attacks. That is why we are proactively strengthening our cyber capability and cyber security management," said Defense Minister Andris Sprūds of the draft law.
The National Cyber Security Law introduces a number of significant changes compared to the current Information Technology Law. A National Cyber Security Center will be established, which will act as a single point of contact for cyber security issues and supervise the implementation of national cyber security requirements, as well as develop national cyber security policy initiatives.
The functions of the National Cyber Security Center will be implemented by the Ministry of Defense in cooperation with the structural unit CERT.LV of the Institute of Mathematics and Informatics of the University of Latvia.
CERT.LV will be responsible for responding to cyber security incidents, monitoring the cyberspace situation and analyzing threats, ensuring the operation of the sensor network, DNS firewall and security operation centers, as well as educating the public on cyber security issues.
The bill will cover providers of essential and critical services, as well as critical infrastructure of information and communication technologies, and it sets out the criteria by which a public or private sector organization is defined as belonging to one of these groups. The bill states that public and private sector organizations that will be affected by the law will have until April 1, 2025 to determine their status and register, and to appoint a cybersecurity manager by July 1, 2025.
Other requirements include meeting minimum cybersecurity requirements, reporting incidents and discovered vulnerabilities, developing a risk management and business continuity plan, and submitting an annual self-assessment report.
The draft law provides that the National Cyber Security Center will carry out the monitoring of essential and important service providers, inspections of documents and information and communication technology infrastructure, as well as the implementation of corrective measures, while the Constiturion Protection Bureau security service (SAB) will be the institution for critical infrastructure of information and communication technologies.
Additionally, the bill envisages establishing requirements for protection against denial of service cyberattacks, determining security requirements for data centers, as well as developing 'cyber hygiene' requirements that will be applicable to state and local government institutions.
In order for the draft law "National Cyber Security Law" to enter into force, it still needs to be reviewed and approved by the Saeima in three readings.