Minimum cybersecurity requirements: obligation or opportunity to strengthen defence?

As of July 2, 2025, Cabinet of Ministers Regulation No. 397 “Minimum cybersecurity requirements” is in force in Latvia. These regulations mark a significant step in the development of the cybersecurity management system and align with the national Cybersecurity Law adopted on 1 September 2024 and with the requirements of the European Union NIS2 Directive. They aim to achieve a common, efficient and up-to-date approach to cybersecurity, in particular in organisations providing essential or important services to the public or managing critical ICT infrastructure.

These regulations apply to state and municipal institutions, as well as to companies that provide public services or maintain essential information system infrastructure. An NKDL test can be used, for information purposes, to understand whether your organization qualifies as an essential or important service provider. According to the law, subjects were required to register by April 1, 2025; if that has not been done yet, registration must be completed immediately. By October 1, 2025, these entities must appoint a Cybersecurity Manager, a designated person responsible for ensuring compliance with the regulatory requirements. Additionally, organizations must conduct a self-assessment and prepare a number of documents: a cyber risk management plan, a business continuity plan, ICT management arrangements and incident response plans.

Beyond documentation, the regulations define the classification of significant cyber incidents, establish reporting timelines, and set conditions for the availability, restoration, and encryption of information systems. Special emphasis is placed on improving staff competence and ensuring adherence to basic cyber hygiene principles. The Ministry of Defence has already developed forms and sample documents that are available for use. In addition, the self-assessment questionnaire will have to be completed again once every one or three years, depending on the organisation's classification.

These requirements are not just a regulatory obligation: they reflect the growing importance of cybersecurity for the sustainability of businesses and institutions. Attacks are increasingly targeted and complex, and cyber risk can arise even from a seemingly insignificant weak point, such as an outdated system or a single unauthenticated service. It is these little “holes” that can become an entry point to the internal processes of an entire organization.

Baltic Information Technologies (BIT) works daily with companies that have not only formal compliance but also real protection and system resilience. We help identify potential risks, create and implement the necessary documentation, tailor organizational and technical processes, and ensure that cybersecurity management becomes part of day-to-day work rather than just a response to external requirements.

For companies with an existing outsourcing agreement with BIT, IT risk analysis has always been available free of charge. Under the new regulatory framework, this practice also becomes part of formal compliance.

Our mission goes beyond regulatory checklists—we work to ensure your organization remains secure, inside and out, today and into the future.

For more detailed information or cybersecurity advice, call +371 67819981 or email support@bit.lv.