What is NIS2 and does it apply to my company?
NIS2 (EU Directive 2022/2555) is the European Union's updated cybersecurity law for network and information systems. It replaces the older NIS1 directive and greatly widens the range of organisations that must manage cyber risk, report incidents and prove they are protected. This article explains what NIS2 is and gives you a practical way to decide whether it applies to your company.
What NIS2 actually requires
A directive is not applied directly. Each member state writes it into national law. In Latvia that law is the National Cybersecurity Law (Nacionalais kiberdrosibas likums, NKDL), adopted on 20 June 2024 and in force since 1 September 2024. The technical baseline sits in Cabinet Regulation No. 397 "Minimum Cybersecurity Requirements", in force since 2 July 2025. The supervising authority is the National Cybersecurity Centre (Nacionalais kiberdrosibas centrs).
If you are in scope, you must:
- Register with the National Cybersecurity Centre and appoint a cybersecurity manager (a named responsible person).
- Apply risk management measures: access control, network segmentation, backups, patching, a Firewall and logging, multi-factor authentication, encryption, business continuity and supply-chain checks.
- Report significant incidents on the NIS2 timeline: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month.
- Submit a periodic self-assessment report and keep evidence that measures are actually in place.
Management is accountable. Board members can be held personally liable for failing to oversee cyber risk, and they are expected to complete training.
Does it apply to you? A three-step check
1. Check your sector
High-criticality sectors (essential): energy, transport, banking and financial market infrastructure, healthcare, drinking and waste water, digital infrastructure (DNS, TLD registries, data centres, cloud, CDN), ICT service management, public administration and space. Other critical sectors (important): postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks) and research.
2. Check your size
As a rule you are in scope if you are at least a medium-sized enterprise: 50 or more employees, OR annual turnover or balance sheet above 10 million euro. Large companies (250+ employees, or turnover above 50 million euro) in high-criticality sectors are usually "essential"; medium companies, and large companies in the other critical sectors, are usually "important".
3. Check the special cases
Size does not save you in some cases. DNS providers, TLD registries, certain telecom and trust-service providers, and public administration are in scope regardless of size. Latvia also treats a company as essential, whatever its size, if it is the sole provider of an activity critical to a sector.
Key Latvian deadlines
- Registration with the National Cybersecurity Centre: from 1 April 2025.
- Appoint a cybersecurity manager and file the first self-assessment: by 1 October 2025.
- Self-assessment thereafter: yearly for ICT critical infrastructure and category A systems, every three years for other entities.
If you are not in scope
Even if NIS2 does not cover you directly, your larger customers will pass its supply-chain requirements down to you through contracts. Implementing the same baseline (MFA, backups, patching, logging, an incident plan) is the fastest way to stay a viable supplier.
Practical takeaway
Do not guess. Confirm your sector and size against the National Cybersecurity Law, and if there is any doubt, complete the self-assessment on the National Cybersecurity Centre portal, which returns a clear in-scope or out-of-scope result. Non-compliance can cost up to 10 million euro or 2 percent of global turnover for essential entities, so decide early and appoint your cybersecurity manager now.