CRA Compliance in Latvia

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Latvian manufacturers.

Latvia's CERT.LV, operated by the Information Technology Security Incident Response Institution, serves as both the national competent authority and national CSIRT for the CRA. Latvia has developed a capable national cybersecurity agency that combines regulatory and operational incident response functions. Latvian manufacturers in electronics, ICT products, and industrial equipment face CRA obligations as they expand into EU and international markets. Latvia's close coordination with Estonia and Lithuania in Baltic cybersecurity cooperation provides a regional support framework.

National Competent Authority (CRA)

CERT.LV

CERT.LV — Informācijas tehnoloģiju drošības incidentu novēršanas institūcija

CERT.LV is Latvia's national CSIRT and cybersecurity regulatory authority, operating under the Ministry of Defence. It serves as Latvia's CRA national competent authority and coordinates incident response across public and private sectors. CERT.LV participates in the EU CSIRTs network and Baltic cyber cooperation frameworks.

https://www.cert.lv

National CSIRT (Article 14 Reports)

CERT.LV

https://www.cert.lv/en/contact

https://www.cert.lv

CRA Enforcement in Latvia

CERT.LV serves as Latvia's national competent authority and CSIRT for the CRA, combining regulatory and operational functions in a single agency. Market surveillance for physical products is coordinated with the Consumer Rights Protection Centre (PTAC) and the State Electrotechnical Inspectorate for electrical and electronic products. Latvia's Kiberdrošības likums (Cybersecurity Law), transposing NIS2, provides the legislative framework for CERT.LV's supervisory powers. Latvian manufacturers benefit from CERT.LV's combined technical expertise and regulatory mandate, creating a single point of contact for both compliance guidance and incident coordination.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Latvian Manufacturers

Latvian manufacturers submit Article 14 notifications directly to CERT.LV through its secure reporting portal. CERT.LV operates incident response capability and participates in the EU CSIRTs network and Baltic CERT cooperation. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Latvia's NIS2 incident reporting framework provides the operational model for CRA Article 14 notifications. Manufacturers should register with CERT.LV in advance and confirm the current Article 14 notification procedure, as Latvia may refine reporting channels through national implementing legislation.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance for CRA products in Latvia is coordinated between CERT.LV and PTAC (Consumer Rights Protection Centre). The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. PTAC conducts active market surveillance under EU consumer protection and product safety regulations. Latvian manufacturers should maintain CRA technical documentation in both Latvian and English and expect documentation-based surveillance in the initial years of CRA enforcement.

CRA reference: Article 54, Article 58

Support for Latvian Manufacturers

CERT.LV publishes cybersecurity guidance for Latvian businesses in Latvian and English, including sector-specific advisories and implementation recommendations. The Latvian Investment and Development Agency (LIAA) supports manufacturer capability development through innovation grants. The Latvian Information and Communications Technology Association (LIKTA) provides industry engagement on EU regulatory implementation. Latvia participates in Baltic cybersecurity cooperation with Estonia and Lithuania, creating a shared knowledge base for CRA implementation. EU Cohesion Funds and the Latvian Recovery and Resilience Plan provide investment support for manufacturer digitalisation and cybersecurity.

CRA reference: Annex I, Article 13

Frequently asked

How do I contact CERT.LV as a manufacturer with a CRA compliance question?

CERT.LV can be contacted through cert.lv/en/contact in both Latvian and English. CERT.LV provides a single point of contact for both CRA regulatory enquiries and incident reporting. The Latvian Investment and Development Agency (LIAA) at liaa.gov.lv also provides business liaison services for EU regulatory compliance. CERT.LV engages industry through annual cybersecurity conferences and its public-private partnership forum.

Does Latvia have national-level CRA implementing legislation?

Latvia has transposed NIS2 through the Kiberdrošības likums (Cybersecurity Law). CRA implementing measures are expected through amendments to the Kiberdrošības likums and product safety regulations under the Preču un pakalpojumu drošuma likums. The Ministry of Defence and CERT.LV are coordinating Latvia's CRA implementation, with national measures expected ahead of December 2027. Latvian manufacturers should monitor CERT.LV publications and the Latvijas Vēstnesis (official gazette) for implementing legislation.

How does Latvia's Baltic cybersecurity cooperation affect CRA implementation?

Latvia, Estonia, and Lithuania cooperate closely on cybersecurity through bilateral agreements and the Baltic CERT cooperation framework. CERT.LV, CERT-EE, and CERT-LT share threat intelligence, coordinate incident responses, and participate in joint exercises. For CRA purposes, this cooperation means that Baltic manufacturers can benefit from aligned implementation approaches and shared guidance. Cross-border incidents affecting products sold throughout the Baltic region benefit from coordinated CSIRT response, potentially simplifying multi-country Article 14 notification scenarios.
