Enacted

The NIS2 Directive is implemented in national legislation with the adoption of the National Cybersecurity Law (Nacionālais kiberdrošības likums).

In addition to the National Cybersecurity Law, separate Cabinet of Minister regulations shall be adopted, which will further implement the requirements of the NIS2 Directive. Most importantly, the Cabinet of Ministers Rules on Minimum Cybersecurity Requirements which implements Art. 21 of the NIS2 shall be adopted (not yet adopted).

• The National Cybersecurity Law closely mirrors NIS2 requirements and obligations.
• Under the national law organizations must perform a self-assessment to determine whether it confirms the status of important or essential entity and must notify the supervisory authority if it confirms by 1 April 2025. In addition to essential and important entities, the national law implementing NIS2 also applies to owners/holders of critical infrastructure of information technologies.
• Subject scope extends also to direct and intermediate administrative bodies and other state institutions (except for state security institutions), all electronic communication merchants are considered essential entities, medium and large entities providing security services as well, regardless of the size of the entity, the maintainers of educational information systems are considered as important entities.
• The subjects will have to submit to the competent authority a self-assessment report, which indicates whether the entity complies with the statutory requirements and provides explanations for any non-compliance with the national law. The first self-assessment report will have to be submitted by October 1, 2025.

The National Cybersecurity Law came into force on 1 September 2024.

The Cabinet of Ministers Rules on Minimum Cybersecurity Requirements are expected to be adopted in March-April 2025.