Cybersecurity

Information and communication technologies (ICT) have gradually permeated every sphere of society, government and economy. Their malicious use, damaging, blocking or even destruction may threaten national security and public safety, undermine public order and economic systems, and even stunt the growth of national economy. Cyberspace may easily be used to target individuals, social groups or even whole states. Safe and secure cyberspace requires users to know and respect basic cybersecurity principles. Mitigation and reduction of cyber threats and risks in Latvia depends on shared understanding and well-coordinated cybersecurity policy supported by all relevant stakeholders representing industry, government and non-governmental actors.

Comprehensive National Defence is a framework that provides clear directions to government institutions, non-governmental actors, private sector companies and general population on how to act in case of crisis. As an element of Comprehensive National Defence framework, cybersecurity has recently become especially instrumental, requiring stakeholders to improve cybersecurity governance models, deepen international cooperation and increase focus on public awareness raising efforts.

Ministry of Defence is formally responsible for formulating and delivering national cybersecurity policy. However, national cybersecurity governance model is a collaborative framework where each government institution is delegated specific responsibilities, including cybersecurity tasks, which it fulfils in conjunction with other government bodies, private sector companies or common cooperation platforms of National Information Technology Security Council. Ministry of Defence supports the work of National Information Technology Security Council and Supervisory Committee of Digital Security.

On 20 June 2024, the Parliament adopted the National Cyber Security Law. Its aim is to strengthen cybersecurity in Latvia and to implement the requirements of the revised Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), which aims to achieve a uniformly high level of cybersecurity across the European Union.

The law applies to providers of essential and important services, as well as critical infrastructure of information and communication technology. Article 20 and 21 of the law sets out criteria for defining whether a public or private sector organisation belongs to one of these groups.  

Public and private sector organisations to which the law applies, must:

• identify their status and register by 1 April 2025;
• appoint a cybersecurity manager by 1 October 2025;
• submit the first self-assessment report by 1 October 2025.

Providers of essential and important services in the public and private sectors will also be required to provide regular cybersecurity self-assessments, mandatory reporting of detected cyber threats, risk management and business continuity plans and adhere to other cybersecurity requirements.

The National Cyber Security Law establishes a new institution, the National Cyber Security Centre, starting from 1 September 2024. It will act as a point of contact for cyber security issues, monitor the implementation of national cyber security requirements and develop national cyber security policy initiatives. The functions of the Centre will be implemented by the Ministry of Defence in cooperation with CERT.LV, a unit of the Institute of Mathematics and Informatics of the University of Latvia. The critical infrastructure of information and communication technology will be supervised by The Constitution Protection Bureau.

Supervisory authorities will be entitled to carry out inspections of the subjects' documents and information and communication technology infrastructure and, where necessary, to order corrective measures to avert any deficiencies found, issue warnings, suspend services until issues are averted or impose sanctions.

The law will enter into force on 1 September 2024. The Ministry of Defence will organise information seminars for organisations representing the sectors to which the requirements of the law apply.

National Information Technology Security Council

National Information Technology Security Council (hereinafter the Council) operates according to Law on the Security of Information Technologies. It is responsible for coordination of policies developed in the field of information technology (IT) security. Council also oversees how various tasks and events are planned and executed. Council meetings are both held in closed (members only) and open format. Council is also responsible for reporting on the implementation of National Cybersecurity Strategy’s Action Plan for 2023 – 2026.

Cybersecurity Institutional Framework

Information Technology Security Incident Response Institution of the Republic of Latvia (CERT.LV), which is integrated into Institute of Mathematics and Computer Science of the University of Latvia and reporting directly to the Ministry of Defence according to the Law on the Security of Information Technologies, is the centre responsible for strengthening IT security. Critical IT infrastructure is monitored and coordinated by the Constitution Protection Bureau, whereas Military Computer Emergency Readiness Team or MilCERT takes care of the IT security of defence information systems. National Guard established its Cybersecurity Unit in 2013 and it is primarily tasked with providing cyber incident management and mitigation support during emergencies or threats to IT security.

Cybersecurity Strategy

National Cybersecurity Strategy 2014-2018 was the first cybersecurity policy document developed by Latvia. Strategy initially focused on development of legal framework and ICT security systems. In 2019 Cabinet of Ministers adopted the National Cybersecurity Strategy 2019-2022, but the most recent - National Cybersecurity Strategy 2023-2026 – was approved on March 2023. National Cybersecurity Strategy identifies key national cybersecurity policy areas until 2026, ensuring continuity of activities strengthening Latvia’s cybersecurity set out in the National Cybersecurity Strategy 2023-2026. It also contains a review of Latvia’s cybersecurity performance and overview of future challenges. Stakeholders play an integral role in shaping and implementation of the Strategy in a manner that contributes to safe, open, free and reliable cyberspace in Latvia.

5 strategic focus areas for 2026:

• Improved cybersecurity governance model;
• Improved cybersecurity and resilience;
• Public awareness, education and research;
• International cooperation and rule of law in cyberspace;
• Prevention and combating of cybercrime.

Cybersecurity governance reform initiated by the Ministry of Defence is aimed at creating more efficient and institutionally sound cybersecurity governance model. According to new governance model, Latvia will create a new competent authority – National Cybersecurity Centre (NCSC), which will be supported by Ministry of Defence and Constitution Protection Bureau together with CERT.LV. Legal framework will also be changed according to the new cybersecurity governance model. A new National Cybersecurity Law (NCSL) will repeal the existing Law on the Security of Information Technologies (LSIT).

Legal acts
Latvia has adopted IT safety legal framework which is periodically updated to reflect the most recent cybersecurity trends.

• Law on the Security of Information technologies (the new National Cybersecurity Law is currently under development),
• Cabinet of Ministers Regulation 100 “Procedures for the Planning and Implementation of Security Measures for the Critical Infrastructure of Information technologies” of 1 February 2011,
• Cabinet of Ministers Regulation 327 “Regulations Regarding the Information to be included in the Action Plan of a Merchant of Electronic Communications, the Control of the Implementation of Such Plan and the Procedures, by which End Users shall be Temporarily Disconnected from the Electronic Communications Network” of 26 April 2011,
• Cabinet of Ministers Regulation 422 “Procedures for the Ensuring Conformity of Information and Communication Technologies Systems to Minimum Security Requirements” of 3 August 2015
• Cabinet of Ministers Regulation 695 “By-laws of the Supervisory Committee of Digital Security” of 1 November 2016
• Cabinet of Ministers Regulation 43 “Regulations Regarding the Conditions for the Determination of Significant Disruptive Effect of a Security Incident and the Procedures by which the Status of an Operator of Essential Services and Essential Services are Granted, Reviewed and Terminated” of 15 January 2019
• Cabinet of Ministers Regulation 15 “Regulations Regarding the Security Incident Relevance Criteria, Reporting Procedures, and Content Report” of 15 January 2019
• Cabinet of Ministers  Decree 2021/1.2.1.-1 “Regarding National Information Technology Security Council” of 8 January 2021
• Cabinet of Ministers Regulation 368 “Procedures for Monitoring of Development and Abolishing of Information Systems and Supporting Information and Communication Technology Infrastructure and Services” of 4 July 2023
• Cabinet of Ministers Regulation  94 “Safety Requirements for Public Electronic Communication Networks” of 28 February 2023 

 
Cooperation and international commitments

In 2015 defence ministries of Estonia, Latvia and Lithuania signed a Memorandum of Understanding on Cybersecurity Cooperation.

In 2016, during the NATO Warsaw Summit, member states, including Latvia, declared cyberspace a new operational domain  and  signed the NATO Cyber Defence Pledge to promote resilient cyber defences across the Alliance. NATO Cyber Defence Pledge assessment, which is used in evaluation of member state cyber defence capabilities and identifying of improvements, was reviewed in 2023. Latvia joined NATO’s Virtual Cyber Incident Support Capability (VCISC) in 2023. It is a framework in which member states receive and provide mutual virtual support for mitigation efforts in response to malicious cyber activities.

In 2017 Ministry of Defence and Latvian Information and Communication Technology Association signed cybersecurity cooperation agreement.

In 2021 defence ministries of Latvia and Poland signed an agreement for development of cooperation framework and procedures for cooperation between military information technology incident response teams. 

CERT.LV and its foreign counterparts are also engaged in special cyber threat hunting operations that are designed to strengthen the information and communication technology platforms of government institutions and other critical infrastructure holders and operators. CERT.LV threat hunting operations are implemented together with Canadian, Belgian, US, EU Agency for Cybersecurity (ENISA) and other partner organisations. 

Training

Latvia has joined several international cyber crisis management training programmes, such as CyberEurope and BlueOlex. CyberEurope is a cyber incident and crisis management training aimed at improving horizontal national and international cooperation in cases of pan-European cyber crises. BlueOlex is an exercise that strives to strengthen cyber crisis coordination and communication between EU member states. Latvia also takes part in Locked Shields, Crossed Swords, a training organised by NATO CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence), and NATO’s Cyber Coalition training. National level exercise NAMEJS and AMEX also contain cyber crisis management elements, while “Medus Pods” (Honeypot) is training that focuses on specific cyber crisis management dimensions.