If you or your company:
then the new requirements of the Network and Information Security Directive (hereinafter referred to as the NIS2 Directive), which is currently being implemented in Latvia, apply to you.
If you provide services in other EU member states, you must carefully monitor the national regulations of the EU member states that will implement the NIS2 Directive requirements.
On June 20, 2024, the Latvian Parliament adopted in its final reading, and on July 4 the President of Latvia announced, a new National Cybersecurity Law - Latvijas Vēstnesis (vestnesis.lv).
The purpose of the regulation is to improve the overall information and communication technology (ICT) security and resilience of essential and important service providers, and their capabilities to respond to cybersecurity threats.
The law comes into force on September 1, 2024.
Additionally, it is expected that a series of related normative acts will be adopted soon, specifying detailed requirements, including for the domain name registration database, the top-level domain “.lv” registry operator, and domain name registration service providers.
The National Cybersecurity Law applies to domain name registration service providers:
In Latvia, according to the law, top-level domain registry operators and domain name system service providers who meet the above-mentioned criteria will be essential service providers.
Domain name registration service providers, unless they provide other services included in the list of essential or important services, have two main obligations under the new regulation:
These Cabinet regulations are expected to be issued by October 17, 2024.
If a company qualifies as an essential service provider, it must comply with a broader range of obligations covering various cybersecurity aspects:
Requirements include a wide range of security measures and risk management, such as appointing a cybersecurity manager, conducting regular risk assessments and management, planning business continuity, and implementing minimum cybersecurity requirements and cyber hygiene in the company.
Information about the appointment of a cybersecurity manager must be initially notified to the National Cybersecurity Center and the Constitution Protection Bureau by October 1, 2025, with new minimum cybersecurity requirements to be issued by April 1, 2025.
In addition to the obligation to report cyber incidents to help mitigate their impact and spread within ICT infrastructure, the law also specifies several state-supported cybersecurity initiatives that will help not only to overcome the consequences of cybersecurity incidents but also to detect and prevent them. These include coordinated vulnerability disclosure using the cvd.cert.lv platform by CERT.LV, the DNS Firewall service established by CERT.LV and NIC.LV, and other services providing protection against cyberattacks.
Companies must expect regular audits, self-assessment, and compliance checks. The initial self-assessment report must be submitted to the National Cybersecurity Center and the Constitution Protection Bureau by October 1, 2025.
The law ensures effective compliance with cybersecurity requirements and measures by holding the company’s top management accountable. For the first time, cybersecurity regulations also introduce fines and enforcement measures, which can reach up to two percent of the total net turnover of the last financial year or up to 10 million euros if this turnover exceeds 500 million euros.
Currently, the domain name industry is still awaiting more detailed cybersecurity requirements from legislators. In Latvia, the Cabinet of Ministers regulation will be important to the industry, as it will implement Article 28 of the NIS2 Directive. The regulation will establish the obligations of top-level domain registry operators and domain name registration service providers:
Alongside national laws of EU member states, work is already underway in European institutions to develop cybersecurity requirements for the domain name industry, and it is expected that:
In autumn 2024, the NIS Cooperation Group will provide recommendations to member states on Article 28 of the NIS2 Directive,
By October 17, 2024, the European Commission will adopt an implementing act for DNS service providers and top-level domain registry operators, setting technical and methodological requirements for measures aimed at protecting network and information systems and their physical environment from incidents, including at least:
- risk analysis and information system security policies;
- incident management;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security aspects affecting relationships between each entity and its direct suppliers or service providers;
- security in the acquisition, development, and maintenance of networks and information systems, including handling vulnerabilities and disclosing vulnerabilities;
- policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
- basic cyber hygiene and cybersecurity training;
- policies and procedures for the use of cryptography and, where applicable, encryption;
- human resources security, access control policies, and asset management;
- where applicable, multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems within the entity.
The NIS2 Directive is a significant step in the European Union’s efforts to ensure a secure digital infrastructure, providing a framework to turn risks into opportunities.
For the domain name industry, compliance with the NIS2 Directive will mean improved cybersecurity practices across the industry, faster response to cyber incidents, and enhanced overall resilience against cyber threats.
Although the National Cybersecurity Law imposes new obligations and requires significant investments from companies, the long-term benefits of ensuring a safer and more reliable ICT environment will be considerable.
With the law coming into force, the domain name industry must actively adapt and prepare for changes in the cybersecurity field, ensuring that we collectively promote a safer digital environment for all.
The development of normative acts is still ongoing, so everyone, including the domain name industry, has the opportunity to express their opinions and suggestions.