NIS2 Implementation in the EU | Latvia (Europe)
Firm: Ellex Klavins
Contributors: Sarmis Spilbergs

| Status of the legislative process | Enacted |
| Status of the NIS2 Implementation Act | The NIS2 Directive has been implemented in national legislation through the adoption of the National Cybersecurity Law and Cabinet of Ministers Regulations No 397 (Minimālās kiberdrošības prasības) (the “CM Cybersecurity Rules”), which further implement the requirements of the NIS2 Directive. |
| Significant deviations of the National Implementation Act from the NIS2 Directive, if any | The National Cybersecurity Law and the CM Cybersecurity Rules largely mirror the NIS2 requirements and obligations, while also introducing certain national-specific obligations. With respect to the scope of essential and important entities, compared to the entities identified in Annex I and Annex II of the NIS2 Directive, the National Cybersecurity Law also applies to: (1) direct administrative bodies, derived public entities and other state institutions, as well as legal entities under private law that perform a task delegated by the state administration, with the exception of state security institutions; (2) all electronic communications merchants, regardless of their size, which are considered essential entities (except electronic communications merchants that do not provide an electronic communications network and do not provide electronic communications services in the Republic of Latvia); (3) medium and large entities providing security services; (4) the maintainers of education information systems. In addition, under the National Cybersecurity Law, entities must perform a self-assessment to determine whether they meet the criteria for the status of important or essential entity. If it does, the entity must notify the National Cyber Security Centre of its status. The first notification of the entity’s status had to be provided to the National Cyber Security Centre no later than 1 April 2025. If an entity comes to meet the criteria for the status of important or essential entity after this date, it must notify the National Cyber Security Centre within one month, and it must promptly, but no later than within two weeks, notify the National Cyber Security Centre of any changes to the information specified in the status notification. If the provider of essential or important services is also the owner or holder of critical ICT infrastructure, it must also submit the notification of its compliance with the status of an essential service provider or important service provider, or of changes in the aforementioned information, to the Constitution Protection Bureau. Furthermore, pursuant to Section 141 of the CM Cybersecurity Rules, entities must prepare a self-assessment report on their compliance with the National Cybersecurity Law and the CM Cybersecurity Rules. Entities that own or hold critical ICT infrastructure, or that possess or use at least one Category “A” information system, must conduct this self-assessment annually. Essential and important entities are required to conduct it once every three years, unless the National Cyber Security Centre determines otherwise. The self-assessment report must be prepared using the form set out in Annex No. 16 to the CM Cybersecurity Rules and should be submitted by 1 October of the relevant calendar year to the National Cyber Security Centre, or to the Constitution Protection Bureau if the entity is an owner or lawful possessor of ICT infrastructure. The first self-assessment report had to be submitted by 1 October 2025. |
| Date of entry into force of the Implementation Act | The National Cybersecurity Law came into force on 1 September 2024. The CM Cybersecurity Rules came into force on 2 July 2025. |