12 March 2026 Update - The transposition of NIS 2 in Latvia
On the one hand, Latvia adopted a new National Cybersecurity Law (Nacionālās kiberdrošības likums), which is in force and expressly states that it contains legal norms deriving from Directive (EU) 2022/2555.
On the other hand, the European Commission’s Latvia page still states that on 7 May 2025 the Commission sent Latvia a reasoned opinion for failure to notify full transposition.
The correct legal description is that Latvia has enacted a substantial national NIS 2 implementation framework, but the EU-level transposition file was still not treated as fully complete by the Commission at least as of that status update.
The main Latvian legislative instrument is the National Cybersecurity Law. The official text shows that the law was adopted by the Saeima on 20 June 2024, signed in Riga on 4 July 2024, and entered into force on 1 September 2024.
The same official text also states, in its informative reference to EU directives, that the law includes legal norms deriving from Directive (EU) 2022/2555, the NIS 2 Directive. From the standpoint of domestic legislation, this is a strong indicator that Latvia chose to implement NIS 2 through a new, central statute rather than through a purely fragmented sector-by-sector amendment model.
That legislative step is a major milestone. Latvia opted for a structural reorganisation of its cybersecurity regime. The official text shows that the law creates a broad institutional architecture, including a National Cybersecurity Centre, regulates cyber incident prevention institutions, and establishes coordination structures such as the National Cybersecurity Council. This suggests that Latvia’s response to NIS 2 was conceived as a comprehensive governance statute.
The Latvian text contains specific transitional dates. For example, information on the designation of a subject’s cybersecurity manager must be notified for the first time by 1 October 2025, the self-assessment report referred to in the law must likewise first be submitted by 1 October 2025, and certain provisions of Article 34 apply from 1 July 2025.
The law also provides that certain financial sector essential service providers, where DORA applies, must follow the relevant sectoral requirements by 17 January 2025 in specified areas such as risk management and incident reporting. These dates show that Latvia built a phased implementation mechanism into the statute itself.
Latvia had already developed a national cyber policy framework around this reform. Its Cybersecurity Strategy 2023–2026 was approved in March 2023 and explicitly contemplated the development of a supervision system for NIS 2 subjects with the National Cybersecurity Centre as the leading authority.
In EU law, there is a difference between a Member State having enacted a statute that is plainly intended to implement a directive and the Commission being satisfied that full transposition measures have been notified and that the national framework covers the directive in a complete manner. The Commission’s public wording for Latvia does not specify exactly which elements were considered not fully notified. It would therefore be unsafe to assert more than the official position itself.
Nacionālās kiberdrošības likums
EU - Transposition, Member States