On Thursday, 20 June, the Saeima adopted in the final reading the draft National Cyber Security Law in order to significantly strengthen cybersecurity in Latvia. It aims to improve cybersecurity in Latvia, as well as introduces stricter security requirements for state, local government institutions and enterprises. This law will also implement European Union (EU) requirements for a high common level network and information system security across the EU.

The new law will significantly improve the shortcomings of the outdated and insufficient Information Technology Security Law. In the current geopolitical situation, it is very important that not only supervisory measures will be stricter in the future, but also cybersecurity incident reporting requirements will become more serious, previously emphasised Raimonds Bergmanis, Chair of the Defence, Internal Affairs and Corruption Prevention Committee responsible for the draft law.

Latvia is currently in second place in the EU after Poland in terms of cyber-attacks, and, for example, in 2022, 16 percent of all Russian cyber-attacks were directed against Latvia, the Ministry of Defence previously said. One of the objectives of this law is to improve cybersecurity measures so that cyber threats can be predicted, prevented and managed in a timely manner, as well as to eliminate their consequences, ensuring continuous confidentiality, integrity and availability of services.

The new law provides for the establishment of a National Cybersecurity Centre. It will be the central authority to manage and oversee the cybersecurity of our country, as well as to cooperate with other countries in this area. It will be staffed by the Ministry of Defence and Cert.lv.

The new law will significantly expand the range of entities that will be providers of essential or important services and will be subject to the requirements of the law. These entities will be supervised by the National Cybersecurity Centre. In its turn, the Constitution Protection Bureau will control how the owners and legal possessors of the critical infrastructure of information and communication technologies fulfil their obligations. In total, this will apply to around 2 000 entities. The law also provides for penalties for non-compliance with the established requirements, which could amount to as much as €10 million.

The essential and important service providers covered by the draft law cover a wide range of sectors of public interest, including energy, transport, banks, financial market infrastructure, health and other areas. These services play an essential role in the public interest and it is important that their providers comply with information and communication technology security and cybersecurity requirements, and report cybersecurity incidents. The draft law provides that such entities will have to register with the National Cybersecurity Centre by 1 April of the following year.

In order to promote the availability of critical services in crisis situations, the draft law envisages the establishment of a single national internet traffic exchange point. It is necessary to maintain it, for example, in order to ensure the operation of the Internet and the exchange of data flows in Latvia in case of disconnection from the World Wide Web.

Coordinated vulnerability identification is also enshrined in the law, which would allow using the expertise of security researchers in a controlled manner in order to identify the ‘weak spots’ of information and communication technology resources, the Ministry of Defence emphasised.

The number, scale, complexity, frequency and impact of cyber incidents are increasing and pose a significant threat to the functioning of network and information systems. As a result, cyber incidents can hamper the pursuit of economic activities in the internal market, cause financial losses, undermine user confidence and cause major damage to the EU economy and society. Cybersecurity preparedness is therefore now more important than ever for the proper functioning of the internal market. In addition, the development of information and communication technologies both in Latvia and abroad has reached an unprecedented speed and volume, as highlighted by the authors of the draft law.

The new law will enter into force on 1 September.

Saeima Press Service