NIS 2 Status in Latvia
What the directive requires, how Latvia transposes it, and where the National Cyber Security Centre and CERT.LV sit in the picture.
Overview
The NIS 2 Directive is the EU layer. It binds every member state, Latvia included, with a single minimum level for essential and important entities. Latvia has to carry that level into Latvian law and run supervision underneath it.
Latvia transposes NIS 2 through the National Cybersecurity Law (Nacionālās kiberdrošības likums), available in English on likumi.lv. The law builds on existing structures around CERT.LV and adds a dedicated National Cyber Security Centre (NCSC) under the Ministry of Defence as the lead supervisor for essential and important entities.
Latvia did not meet the 17 October 2024 EU transposition deadline in full. The European Commission sent a reasoned opinion for incomplete transposition on 7 May 2025, according to the Commission's Latvia country page. Operational structures (NCSC, CERT.LV, sectoral authorities) are in place, while parts of the secondary regulation are still being completed.
EU Directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. It fixes the obligations every member state has to transpose, including the size and sector test for essential and important entities.
EU Implementing Act
Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Latvia, no national transposition needed.
Latvian transposition
National Cybersecurity Law (Nacionālās kiberdrošības likums)
Latvia's NIS 2 transposition law. Published on likumi.lv with an English translation. Secondary regulations (Cabinet of Ministers rules) carry the operational detail. The European Commission's reasoned opinion of 7 May 2025 indicates that full transposition was not yet complete.
National Cybersecurity Law
Brings the NIS 2 obligations into Latvian law. Defines essential and important entity categories, supervisory powers, incident reporting duties, and sanctions. Cabinet of Ministers regulations fill in operational detail (sector thresholds, registration data, reporting forms).
NCSC and CERT.LV under the Ministry of Defence
The National Cyber Security Centre (NCSC) is the lead supervisor for essential and important entities and acts as the single point of contact at EU level. CERT.LV is the national CSIRT and handles incident response. Both sit under the Ministry of Defence. The Constitution Protection Bureau (SAB) supervises critical ICT infrastructure as a separate track.
Registration and reporting
Entities must notify the competent authority of their status within a fixed window after they determine they fall in scope (the law sets a one-month notification window on the English likumi.lv text; check the current Cabinet of Ministers regulation for the live deadline). Significant incidents follow the directive: early warning within 24 hours, notification within 72 hours, final report within one month.
In Latvia, Latvian law applies
Activities on Latvian territory follow the Latvian transposition. A German managing director with a Latvian subsidiary reads the National Cybersecurity Law for that subsidiary, not the BSIG. The directive-level obligations are the same. Procedure, authority and sanctions sit in Latvian law.
Latvia cannot drop below the EU floor
The directive is minimum harmonisation. Latvia can go stricter, and historically has stricter rules around state ICT systems and critical infrastructure. Latvia cannot fall below the directive, not on duties for essential and important entities, not on reporting timelines, and not on management body liability.
National Cyber Security Centre (NCSC)
Lead competent authority for NIS 2 essential and important entities. Sits under the Ministry of Defence and acts as Latvia's single point of contact at EU level. Issues guidance, takes registration data and runs supervision. Critical ICT infrastructure is supervised by the Constitution Protection Bureau (SAB) as a parallel track.
CERT.LV
Latvia's national CSIRT under the Ministry of Defence. Receives incident notifications, coordinates response and runs coordinated vulnerability disclosure. Operates on the legal basis of the National Cybersecurity Law. Not the supervisor: enforcement and sanctions sit with the NCSC and SAB.
ENISA
The EU cybersecurity agency. Publishes guidance, runs the European vulnerability database and coordinates across borders. No supervision over Latvian entities. That sits with the NCSC and CERT.LV.
Latvia did the same as Germany, so it must be late too.
Latvia is in a different position. Latvia adopted a National Cybersecurity Law and stood up the NCSC and CERT.LV, but the European Commission still sent a reasoned opinion on 7 May 2025 for incomplete transposition. Germany has not adopted its NIS 2 transposition law at all. The Latvian text is in force, the gap is in secondary regulation and full notification to the Commission.
There is no Latvian registration mechanism yet, so we can wait.
The duty to notify the competent authority of essential or important entity status sits in the National Cybersecurity Law itself. The English likumi.lv text gives a one-month notification window from the moment an entity determines it falls in scope. Cabinet of Ministers regulations define the live channel and forms. Waiting for a perfect portal does not pause the legal duty.
Only entities in our sector get supervised.
Latvia splits supervision: the NCSC supervises NIS 2 essential and important entities across sectors, while the Constitution Protection Bureau supervises critical ICT infrastructure. Sectoral regulators keep their role where they had one (for example in finance under DORA). The same entity can sit under more than one supervisor depending on what it operates.
Most Latvian mid-market operators we meet still treat NIS 2 as something the Ministry of Defence handles for them through CERT.LV. CERT.LV is the friendly face, but it is not the supervisor. Enforcement and sanctions sit with the NCSC for general essential and important entities, and with the SAB for critical ICT infrastructure. Management bodies of those entities are personally accountable for approving risk management and getting their own training, under the directive level.
The practical step is the same as anywhere in the EU: test applicability against the directive, notify the competent authority within the one-month window, run the four continuous duties (keep registration data current, incident notification, supply chain risk, oversight by the management body) and document the minimum. CERT.LV remains the partner for incident handling, not the place that decides whether you are in scope.
We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Latvian subsidiary under the National Cybersecurity Law, a German parent under the BSIG, and a French sister under Ordonnance n° 2024-1093. The article references switch per country, the duties in substance do not.
For the Latvian scope you start with the applicability check, then the one-month registration window, then incident notification through CERT.LV, supply chain clauses and management body sign-off. Where the NCSC or CERT.LV publishes sector guidance we link to it. We do not copy it.
- Directive (EU) 2022/2555 (NIS 2), EUR-Lex
- Implementing Regulation (EU) 2024/2690, EUR-Lex
- National Cybersecurity Law (Nacionālās kiberdrošības likums), likumi.lv (English translation)
- European Commission, NIS 2 country page for Latvia (digital-strategy.ec.europa.eu)
- European Commission reasoned opinion of 7 May 2025 on incomplete transposition
- CERT.LV, official site (cert.lv), Ministry of Defence
- National Cyber Security Centre, Ministry of Defence of the Republic of Latvia