Cybersecurity

Information and communication technologies (ICT) have gradually permeated every sphere of society, government and economy. Their malicious use, damaging, blocking or even destruction may threaten national security and public safety, undermine public order and economic systems, and even stunt the growth of national economy. Cyberspace may easily be used to target individuals, social groups or even whole states. Safe and secure cyberspace requires users to know and respect basic cybersecurity principles. Mitigation and reduction of cyber threats and risks in Latvia depends on shared understanding and well-coordinated cybersecurity policy supported by all relevant stakeholders representing industry, government and non-governmental actors.

Comprehensive National Defence is a framework that provides clear directions to government institutions, non-governmental actors, private sector companies and general population on how to act in case of crisis. As an element of Comprehensive National Defence framework, cybersecurity has recently become especially instrumental, requiring stakeholders to improve cybersecurity governance models, deepen international cooperation and increase focus on public awareness raising efforts.

Ministry of Defence is formally responsible for formulating and delivering national cybersecurity policy. However, national cybersecurity governance model is a collaborative framework where each government institution is delegated specific responsibilities, including cybersecurity tasks, which it fulfils in conjunction with other government bodies, private sector companies or common cooperation platforms of National Information Technology Security Council. Ministry of Defence supports the work of National Information Technology Security Council and Supervisory Committee of Digital Security.

National Information Technology Security Council

National Information Technology Security Council (hereinafter the Council) operates according to Law on the Security of Information Technologies. It is responsible for coordination of policies developed in the field of information technology (IT) security. Council also oversees how various tasks and events are planned and executed. Council meetings are both held in closed (members only) and open format. Council is also responsible for reporting on the implementation of National Cybersecurity Strategy’s Action Plan for 2023 – 2026.

Cybersecurity Institutional Framework

Information Technology Security Incident Response Institution of the Republic of Latvia (CERT.LV), which is integrated into Institute of Mathematics and Computer Science of the University of Latvia and reporting directly to the Ministry of Defence according to the Law on the Security of Information Technologies, is the centre responsible for strengthening IT security. Critical IT infrastructure is monitored and coordinated by the Constitution Protection Bureau, whereas Military Computer Emergency Readiness Team or MilCERT takes care of the IT security of defence information systems. National Guard established its Cybersecurity Unit in 2013 and it is primarily tasked with providing cyber incident management and mitigation support during emergencies or threats to IT security.

Cybersecurity Strategy

National Cybersecurity Strategy 2014-2018 was the first cybersecurity policy document developed by Latvia. Strategy initially focused on development of legal framework and ICT security systems. In 2019 Cabinet of Ministers adopted the National Cybersecurity Strategy 2019-2022, but the most recent - National Cybersecurity Strategy 2023-2026 – was approved on March 2023. National Cybersecurity Strategy identifies key national cybersecurity policy areas until 2026, ensuring continuity of activities strengthening Latvia’s cybersecurity set out in the National Cybersecurity Strategy 2023-2026. It also contains a review of Latvia’s cybersecurity performance and overview of future challenges. Stakeholders play an integral role in shaping and implementation of the Strategy in a manner that contributes to safe, open, free and reliable cyberspace in Latvia.

5 strategic focus areas for 2026:

• Improved cybersecurity governance model;
• Improved cybersecurity and resilience;
• Public awareness, education and research;
• International cooperation and rule of law in cyberspace;
• Prevention and combating of cybercrime.

Cybersecurity governance reform initiated by the Ministry of Defence is aimed at creating more efficient and institutionally sound cybersecurity governance model. According to new governance model, Latvia will create a new competent authority – National Cybersecurity Centre (NCSC), which will be supported by Ministry of Defence and Constitution Protection Bureau together with CERT.LV. Legal framework will also be changed according to the new cybersecurity governance model. A new National Cybersecurity Law (NCSL) will repeal the existing Law on the Security of Information Technologies (LSIT).

Legal acts
Latvia has adopted IT safety legal framework which is periodically updated to reflect the most recent cybersecurity trends.

• Law on the Security of Information technologies (the new National Cybersecurity Law is currently under development),
• Cabinet of Ministers Regulation 100 “Procedures for the Planning and Implementation of Security Measures for the Critical Infrastructure of Information technologies” of 1 February 2011,
• Cabinet of Ministers Regulation 327 “Regulations Regarding the Information to be included in the Action Plan of a Merchant of Electronic Communications, the Control of the Implementation of Such Plan and the Procedures, by which End Users shall be Temporarily Disconnected from the Electronic Communications Network” of 26 April 2011,
• Cabinet of Ministers Regulation 422 “Procedures for the Ensuring Conformity of Information and Communication Technologies Systems to Minimum Security Requirements” of 3 August 2015
• Cabinet of Ministers Regulation 695 “By-laws of the Supervisory Committee of Digital Security” of 1 November 2016
• Cabinet of Ministers Regulation 43 “Regulations Regarding the Conditions for the Determination of Significant Disruptive Effect of a Security Incident and the Procedures by which the Status of an Operator of Essential Services and Essential Services are Granted, Reviewed and Terminated” of 15 January 2019
• Cabinet of Ministers Regulation 15 “Regulations Regarding the Security Incident Relevance Criteria, Reporting Procedures, and Content Report” of 15 January 2019
• Cabinet of Ministers  Decree 2021/1.2.1.-1 “Regarding National Information Technology Security Council” of 8 January 2021
• Cabinet of Ministers Regulation 368 “Procedures for Monitoring of Development and Abolishing of Information Systems and Supporting Information and Communication Technology Infrastructure and Services” of 4 July 2023
• Cabinet of Ministers Regulation  94 “Safety Requirements for Public Electronic Communication Networks” of 28 February 2023 

 
Cooperation and international commitments

In 2015 defence ministries of Estonia, Latvia and Lithuania signed a Memorandum of Understanding on Cybersecurity Cooperation.

In 2016, during the NATO Warsaw Summit, member states, including Latvia, declared cyberspace a new operational domain  and  signed the NATO Cyber Defence Pledge to promote resilient cyber defences across the Alliance. NATO Cyber Defence Pledge assessment, which is used in evaluation of member state cyber defence capabilities and identifying of improvements, was reviewed in 2023. Latvia joined NATO’s Virtual Cyber Incident Support Capability (VCISC) in 2023. It is a framework in which member states receive and provide mutual virtual support for mitigation efforts in response to malicious cyber activities.

In 2017 Ministry of Defence and Latvian Information and Communication Technology Association signed cybersecurity cooperation agreement.

In 2021 defence ministries of Latvia and Poland signed an agreement for development of cooperation framework and procedures for cooperation between military information technology incident response teams. 

CERT.LV and its foreign counterparts are also engaged in special cyber threat hunting operations that are designed to strengthen the information and communication technology platforms of government institutions and other critical infrastructure holders and operators. CERT.LV threat hunting operations are implemented together with Canadian, Belgian, US, EU Agency for Cybersecurity (ENISA) and other partner organisations. 

Training

Latvia has joined several international cyber crisis management training programmes, such as CyberEurope and BlueOlex. CyberEurope is a cyber incident and crisis management training aimed at improving horizontal national and international cooperation in cases of pan-European cyber crises. BlueOlex is an exercise that strives to strengthen cyber crisis coordination and communication between EU member states. Latvia also takes part in Locked Shields, Crossed Swords, a training organised by NATO CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence), and NATO’s Cyber Coalition training. National level exercise NAMEJS and AMEX also contain cyber crisis management elements, while “Medus Pods” (Honeypot) is training that focuses on specific cyber crisis management dimensions.