On September 1, 2024, the Cybersecurity Law came into force in Latvia, which stipulates that the Cabinet of Ministers shall define the minimum cybersecurity requirements.
Subsequently, on July 2, 2025, Cabinet Regulation No. 397 “Minimum Cybersecurity Requirements” (hereinafter referred to as the “Requirements”) came into effect. These requirements were developed based on Article 41(1) of the NIS2 Directive, which obliges EU Member States to adopt and publish regulatory and administrative acts by October 17, 2024, to comply with the directive.
In this article, we will look at some of the requirements that are set.
Cybersecurity Manager
Providers of essential and important services, as well as state institutions, are required to appoint, by October 1, 2025, a cybersecurity manager who will be responsible for compliance with the regulations.
By the same date, a self-assessment questionnaire must be submitted to the National Cybersecurity Center, which service providers will use to evaluate their current compliance with the law and regulations. Based on this, the Center will conduct compliance audits and provide recommendations to improve cybersecurity. This self-assessment must be repeated regularly—every 1 to 3 years.
The appointed cybersecurity manager, whose appointment is reported to the National Cybersecurity Center, will serve as the primary contact person for CERT.LV in case of cyber incidents.
The requirements also define eligibility criteria for cybersecurity managers. Besides professional qualifications, a manager must not have been affiliated with the USSR, Latvian SSR, or any foreign intelligence, security, or counterintelligence service, nor with any organization banned by Latvian law or court decisions.
Cybersecurity Management Documentation
The cybersecurity documentation must include:
The cybersecurity policy must include general information about the organization, its services, processes potentially affected by cyber threats, and its cybersecurity structure—identifying responsible persons, units, and cooperation partners.
The catalog must list all information and communication technology resources and systems owned or managed by the organization that are exposed to cyber risks.
Organizations must maintain a cyber risk and continuity plan, and may create multiple tailored plans based on their operational specifics (e.g., for national information systems or data centers). These plans must:
Other Obligations
Organizations must create backup copies of all their information systems, ensuring these backups include all data necessary for full restoration—data, executable code, support software, scripts, scheduled tasks, OS commands, and executables.
They must also train employees and officials who use information and communication technology resources on cybersecurity matters. Training content and format must match their qualifications and job functions. Content must be reviewed and updated at least annually or in response to changing threats.
It is prohibited to enter into information and communication technology service agreements with legal entities registered in Russia, Belarus, or countries recognized as supporting terrorism by the European Parliament or Latvian Parliament.
Finally, requirements are specified for auditors to be included in the Cybersecurity Supervision Committee’s list. Auditors that are legal entities must be registered in NATO, EU, EFTA, or IP4 countries, with boards composed of citizens of those countries. Auditors that are individuals must also be citizens of those countries.
At the request of the National Cybersecurity Center or the Constitutional Protection Bureau, the organisation shall block a user’s access to the electronic communications network for no longer than five days if the user significantly threatens the rights of other users or the security of the electronic communications network, information system, or service. Upon receipt of a request to close access, the organisation shall immediately disconnect the user from the electronic communications network and perform the actions determined by the National Cybersecurity Center or the Constitutional Protection Bureau (for example, redirect requests for the user’s IP address or domain name to the website specified in the request to close access).