The Saeima has adopted and

Law on the Security of Information Technologies

Section 1. Purpose of This Law

(1) The purpose of this Law is to improve the security of information technologies, laying down the most important requirements in order to guarantee the receipt of such essential services, in the supply of which such technologies are used.

(2) The security of information technologies shall be guarded in such a way that it is possible to make early forecasts and to prevent, as well as to overcome danger to such security and eliminate the consequences thereof.

(3) Within the meaning of this Law information technologies are technologies which perform electronic processing of information, including creation, deletion, storage, display or forwarding, for execution of the tasks provided for such technologies.

Section 2. Application of This Law

(1) This Law shall apply to State and local government authorities, as well as merchants and other legal persons governed by private law (hereinafter - legal persons governed by private law).

(2) This Law shall not apply to the content of the information transmitted in electronic communications networks (for example, to the content of services of an information society and to audiovisual productions).

Section 3. Critical Infrastructure of Information Technologies

(1) The critical infrastructure of information technologies is an infrastructure which is approved by the Cabinet in accordance with the National Security Law.

(2) The critical infrastructure of information technologies shall be defended in order to provide the performance of the basic functions essential to the State and society. Moreover, the integrity, availability and confidentiality of the critical infrastructure of information technologies shall be ensured.

(3) The procedures for the planning and implementation of security measures for the critical infrastructure of information technologies shall be stipulated by the Cabinet.
Section 3.1 Basic Service Provider, Digital Service Provider and Representative of the Digital Service Provider

(1) A basic service provider shall be a State or local government institution or a legal person governed by private law which is engaged in economic activity in the Republic of Latvia and provides the following:
1) financial services within the meaning of the Credit Institution Law and financial market infrastructure services, drinking water supply or distribution services, Internet exchange point services, domain name system services, top level domain name register services, and services in the energy, transport or health sector in any European Union Member State;
2) services the provision of which depends on information technologies;
3) services the provision of which may be excessively interfered with by an information technologies security incident.

(2) A digital service provider shall be a legal person governed by private law which complies with one of the following criteria:
1) is engaged in economic activity in the Republic of Latvia and provides online trading, online search engine or cloud computing services (hereinafter - the digital service) in any European Union Member State;
2) is engaged in economic activity outside the European Union and provides the digital service in the Republic of Latvia through an authorised representative.

(3) A representative of the digital service provider may be a natural person or a legal person governed by private law which is engaged in economic activity in the Republic of Latvia. The representative of the digital service provider shall be subject to the obligations and rights of the digital service provider specified in this Law.

(4) Paragraphs one, two, and three of this Section shall not apply to an electronic communications merchant and a trusted certification service provider. Paragraphs two and three of this Section shall not apply to a legal person governed by private law whose number of employees does not exceed 50 persons and whose annual turnover or balance sheet total does not exceed EUR 10 million.

(5) The ministry responsible for the area of drinking water supply or distribution services, the area of Internet exchange point services, the area of domain name system services, the area of top level domain name register services, and the energy, transport and health sectors (hereinafter - the ministry responsible for the area and sector) shall take a decision to grant, review, and terminate the status of a basic service provider and a basic service. Contesting and appeal of such decision shall not suspend the operation thereof.

(6) The Cabinet shall determine the conditions for the determination of an excessive interference of an information technologies security incident, the procedures for requesting information from legal persons governed by private law, as well as the conditions for the granting, review and termination of the status of a basic service provider and a basic service, and the procedures for informing the Digital Security Supervisory Committee regarding basic services and providers thereof.

[11 October 2018]

Section 4. Information Technologies Security Incidents Response Institutions

(1) The Information Technologies Security Incidents Response Institutions (hereinafter - the Security Incidents Response Institutions) shall promote the security of information technologies in the Republic of Latvia.
The tasks of the Security Incidents Response Institutions shall be performed by:
1) the Military Intelligence and Security Service with regard to the Ministry of Defence, institutions subordinate thereto, and the National Armed Forces;
2) the Institute of Mathematics and Computer Science of the University of Latvia with regard to the State and local government institutions (except for those specified in Clause 1 of this Paragraph), as well as legal persons governed by private law.

(2) The Institute of Mathematics and Computer Science of the University of Latvia shall perform the tasks assigned thereto and exercise the rights under subordination of the Ministry of Defence in accordance with the laws and regulations, the provisions of the delegation contract, and the funds allocated from the State budget. Upon taking administrative decisions the Institute of Mathematics and Computer Science of the University of Latvia shall conform to the requirements of the State Administration Structure Law.

(3) Persons are employed in the Security Incidents Response Institutions within the framework of the service or legal employment relationship, provided that they are entitled to receive a special permit for access to an official secret and comply with other requirements laid down in laws and regulations.

(4) The Security Incidents Response Institutions shall perform the tasks specified in this Law according to the resources allocated to them from the State budget, and such institutions do not have the right to request any payment for the activities performed.

(5) State and local government institutions and legal persons governed by private law have an obligation to cooperate with the Security Incidents Response Institutions, providing them with the necessary information and meeting the legitimate requirements thereof.

(6) In case of danger to the State the Cabinet may take a decision to transfer the tasks, rights and resources assigned to the Institute of Mathematics and Computer Science of the University of Latvia to the National Armed Forces.

(7) Contestation or appeal of administrative acts issued in exercising the rights specified in this Law for the prevention of direct danger to State security or the security of information technologies shall not suspend the operation of such acts. This shall not apply to administrative acts regarding the imposition of administrative punishments.

[15 June 2017]

Section 4.1 Cooperation between the Security Incidents Response Institutions

(1) The Military Intelligence and Security Service shall provide information to the Institute of Mathematics and Computer Science of the University of Latvia in order for it to ensure the performance of the tasks specified in Section 5, Paragraph one, Clauses 1 and 3 of this Law, as well as other information at its disposal regarding any information technologies security incidents within the competence of the Institute of Mathematics and Computer Science of the University of Latvia.

(2) The Institute of Mathematics and Computer Science of the University of Latvia shall provide the Military Intelligence and Security Service with the information at its disposal regarding any information technologies security incidents in the Ministry of Defence, institutions subordinate thereto, and the National Armed Forces.

(3) The Security Incidents Response Institutions shall exchange information on a regular basis regarding current developments in the area of information technologies security incidents.

[15 June 2017]

Section 5. Tasks and Rights of the Security Incidents Response Institutions

(1) The Institute of Mathematics and Computer Science of the University of Latvia:
1) shall maintain a unified representation of activities in progress in the electronic information space;
2) shall provide support for the prevention of an information technologies security incident or co-ordinate the prevention thereof;
3) shall maintain, in a publicly accessible way, recommendations regarding the prevention of the current risks of information technologies, drawn up according to the current threats;
4) shall conduct research work, organise educational measures, training and instruction in the field of the security of information technologies;
5) shall provide support to State authorities in the protection of State security, as well as detection (investigation) of criminal offences and other violations of the law in the field of information technologies, conforming to the restrictions specified in the laws and regulations regarding data processing;
6) shall supervise how the State and local government institutions, basic service providers, digital service providers, and electronic communications merchants fulfil the obligations specified in this Law;
7) shall co-operate with internationally recognised information technologies security incidents response institutions (teams);
7.1) shall inform the Ministry of Defence regarding the security incident referred to in Section 6, Paragraph 2.1 of this Law which has a significant impact on the continuity of the basic service, and inform the competent authority of another European Union Member State regarding the security incident which has a significant impact on the continuity of the basic service in the particular Member State. Within the meaning of this Law the competent authority of a European Union Member State is an institution selected by the European Union Member State which is responsible for the information technologies security of the basic service provider and the digital service provider in the particular Member State, and supervises the operation thereof;
7.2) shall inform the Ministry of Defence regarding the security incident referred to in Section 6, Paragraph 2.1 of this Law which has a significant impact on the provision of a digital service, and inform the competent authorities of other European Union Member States if such security incident has a significant impact on the provision of a digital service in at least two European Union Member States;
7.3) shall inform the Digital Security Supervisory Committee regarding the established non-conformity of the requirements for information technologies security of the basic service provider or the digital service provider with the laws and regulations regarding the requirements for information technologies security, and regarding any detected cases when the basic service provider or the digital service provider has failed to report a security incident in accordance with Section 6, Paragraph seven of this Law;
7.4) may ask the Ministry of Defence to send information to points of contact of other European Union Member States regarding the security incident referred to in Section 6, Paragraph 2.1 of this Law which has a significant impact on the continuity of the basic service or the provision of the digital service in the particular Member State. Within the meaning of this Law a point of contact of a European Union Member State is an institution selected by the European Union Member State which is responsible for the information technologies security of the basic service provider and the digital service provider in the particular Member State, and coordinates cooperation, ensuring cross-border cooperation with other Member States, the Cooperation Group established by the Directive on security of network and information systems (hereinafter - the NIS Cooperation Group), and the network of Computer Security Incident Response Teams (hereinafter - the NIS CSIRT network);
7.5) shall cooperate with the NIS CSIRT network;
8) shall fulfil other obligations specified in laws and regulations.

(1.1) The Military Intelligence and Security Service shall perform the tasks specified in Paragraph one, Clauses 2, 4, 5, 6, 7, 7.1, 7.2, 7.3, 7.4, 7.5, and 8 of this Law.

(2) The Security Incidents Response Institutions are entitled to:
1) request and receive from State and local government institutions and legal persons governed by private law the information regarding the security requirements for information technologies (including networks and information systems) and technical information regarding an information technologies security incident that has occurred or is occurring (information regarding the scope of the incident, malicious software files that have caused the incident, description of vulnerabilities, technical measures taken for the prevention of the incident, information regarding activities performed by persons doing harm or other technical information, including IP addresses);
2) obtain from State and local government authorities and legal persons governed by private law, upon mutual agreement, online data flow;
3) carry out testing of the critical infrastructure of information technologies;
4) take decisions (also issue administrative acts) in order to ensure the fulfilment of the obligations specified in this Law for State and local government institutions, as well as legal persons governed by private law.

[5 February 2015; 15 June 2017; 11 October 2018]

Section 5.1 Tasks of the Ministry of Defence

The Ministry of Defence shall:
1) cooperate with the points of contact of other European Union Member States, including, upon request of the Security Incidents Response Institution, send them information regarding the security incidents referred to in Section 6, Paragraph 2.1 of this Law which have a significant impact on the continuity of the basic service or the provision of the digital service in the particular Member State;
2) cooperate with the NIS Cooperation Group and once a year provide it with a report on the information received with regard to the security incidents referred to in Section 6, Paragraph 2.1 of this Law (including the number of reports and the character of security incidents), as well as reports provided by the competent authorities of other European Union Member States;
3) inform the European Commission regarding the approval of the National Cyber Security Strategy not later than three months after approval thereof.

[11 October 2018]

Section 6. Actions in the Event of an Information Technologies Security Incident

(1) An information technologies security incident (hereinafter - the security incident) is a harmful event or offence as a result of which the integrity, availability, or confidentiality of information technologies is endangered.

(2) In case of the security incident a State or local government institution, the owner or lawful possessor of the critical infrastructure of information technologies shall perform all the activities necessary for the prevention thereof (particularly fulfil the recommendations of the Security Incidents Response Institution regarding the preferable initial action in case of the security incident), as well as immediately inform the competent Security Incidents Response Institution thereof. The Security Incidents Response Institution shall come to an agreement with the applicant of the security incident regarding the provision of support in prevention of the security incident.

(2.1) In case of the security incident which has a significant impact on the continuity of the basic service or the provision of the digital service, the basic service provider and the digital service provider shall immediately perform all the activities necessary for the prevention thereof (particularly fulfil the recommendations of the Security Incidents Response Institution regarding the preferable initial action in case of the security incident), as well as in the cases and in accordance with the procedures laid down in Paragraph seven of this Section immediately inform the competent Security Incidents Response Institution regarding the security incident which has a significant impact on the continuity of the basic service or the provision of the digital service. The competent Security Incidents Response Institution shall agree with the basic service provider or the digital service provider on the provision of support for the prevention of the security incident. The competent Security Incidents Response Institution may, after consulting with the basic service provider or the digital service provider, inform the public or request that this is done by the relevant basic service provider or the digital service provider, if the disclosure of the security incident may help to handle or prevent this incident or is otherwise in the public interest.

(2.2) Paragraph 2.1 of this Section shall not be applied by a credit institution within the meaning of Section 1, Paragraph two, Clause 1 of the Credit Institution Law, a point of sale within the meaning of Section 1, Paragraph one, Clause 77 of the Financial Instrument Market Law, and a central counterparty (CCP) within the meaning of Article 2(1) of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (Text with EEA relevance).

(3) In case of the security incident legal persons governed by private law to whom the obligations specified in Paragraphs two and 2.1 of this Section are not applicable shall perform all the activities necessary for the prevention thereof and may, upon their own initiative, inform the competent Security Incidents Response Institution regarding the incident. The Security Incidents Response Institution shall come to an agreement with the applicant of the security incident regarding the provision of support in prevention of the security incident.

(4) Having detected a security incident which causes threat to national security, the Security Incidents Response Institution shall inform the Minister for Transport, the Minister for Defence, the minister responsible for the sector, and the competent State security institution thereof, as well as submit proposals for the necessary actions, but, having detected a security incident which has a significant impact on the continuity of electronic communications networks or electronic communications service, shall inform the Public Utilities Commission and may inform the State administrative institutions of the European Union Member States and the European Network and Information Security Agency. The Security Incidents Response Institution may inform the public or require the relevant electronic communications merchants to do so, if it is of the opinion that disclosure of the breach is in the public interest.

(5) The competent Security Incidents Response Institution has the right to request that the maintainer of the ".lv" top level domain name register and the electronic numbering system deactivates the ".lv" domain name if this domain name is involved in a security incident which causes significant threat to the security of information systems or electronic communications network, and it is impossible to prevent the security incident otherwise.

(6) The competent Security Incidents Response Institution shall indicate in its request to deactivate the ".lv" domain name the reason for the request and the duration of deactivation of the domain name, which shall not exceed five days, and, if necessary, any other actions which are to be carried out by the maintainer of the ".lv" top level domain name register and the electronic numbering system (for example, redirection of a data flow to the infrastructure of the competent Security Incidents Response Institution).

(7) The Cabinet shall determine the criteria for the relevance of the security incident, the procedures for reporting thereof, and the content of the report.

[1 November 2012; 5 February 2015; 15 June 2017; 11 October 2018]

Section 6.1 Action in Case of Detecting an Information Technologies Security Vulnerability

(1) An information technologies security vulnerability (hereinafter - the security vulnerability) is an essential systemic weakness caused intentionally or unintentionally during establishment, maintenance, or modification of an information system or electronic communications network as a result of which the integrity, availability, or confidentiality of information technologies may be endangered.
(2) Having detected a security vulnerability, the State or local government institution, the owner or lawful possessor of the critical infrastructure of information technologies shall, within 90 days, carry out all the actions necessary for elimination thereof, as well as immediately inform the competent Security Incidents Response Institution regarding the established fact.

(3) Having detected a security vulnerability, the competent Security Incidents Response Institution shall immediately inform the owner or lawful possessor of the information system or electronic communications network regarding the fact. The State or local government institution, the owner or lawful possessor of the critical infrastructure of information technologies shall, within the time period stipulated by the competent Security Incidents Response Institution, but not later than within 90 days from the moment of informing, carry out all the actions necessary for elimination of the security vulnerability.

[5 February 2015; 15 June 2017]

Section 7. Processing of Personal Data

(1) The Security Incidents Response Institution has the right to receive and process personal data in order to substantiate or exclude suspicions regarding a security incident or to prevent it, if it is not possible to anonymise personal data and at least one of the following conditions exists:
1) malicious software may contain personal data;
2) personal data is being transmitted using malicious software;
3) personal data may provide essential information regarding malicious software.

(2) If a security incident is detected, processing of personal data shall be allowed in order to provide protection from malicious software or the consequences caused thereby, as well as to detect other malicious software and ensure protection against it.

(3) The Security Incidents Response Institution shall be allowed to transfer processed personal data to the institutions (units) referred to in Section 5, Paragraph one, Clauses 5 and 7 of this Law in order to recognise and prevent activities of such malicious software which may cause or causes threats to the national or public security.

(3.1) The Security Incidents Response Institution may transfer the processed and unprocessed personal data to the National Guard to the extent and in the manner that allow to recognise and prevent activities of such malicious software which may cause or causes threats to the national or public security, if the National Guard is involved in the provision of support to the competent Security Incidents Response Institution in accordance with the National Guard Law.

(4) The Security Incidents Response Institution shall be allowed to perform processing of personal data which is not related to the prevention of such incident due to which such data was obtained, only if it prepares and sends the State Data Inspectorate a description of the planned processing and protection of personal data. The Security Incidents Response Institution shall, by 20 January of the following year, prepare and submit to the State Data Inspectorate a report on the processing of personal data performed during the previous year.

[15 June 2017]

Section 8. Management of the Security of Information Technologies

(1) Management of the security of information technologies of State and local government institutions, the owners or lawful possessors of the critical infrastructure of information technologies, the basic service providers, and the digital service providers shall be ensured by the head of each relevant institution.
(2) The head of a State or local government institution, a basic service provider, and a digital service provider shall appoint the responsible person who implements management of the security of information technologies in the relevant institution (hereinafter in this Section - the responsible person). The competent Security Incidents Response Institution shall, not later than within five working days, be informed regarding the appointment of the responsible person.

(2.1) An owner or lawful possessor of the critical infrastructure of information technologies, as well as a legal person governed by private law who is the basic service provider or the digital service provider, shall ensure management of the security of information technologies and appoint the responsible person who implements management of the security of information technologies in the relevant enterprise, and inform the competent Security Incidents Response Institution regarding the appointment of the responsible person not later than within five working days.

(3) In addition to the obligations specified in other legal acts the responsible person has the following duties:
1) to organise the management of the security of information technologies of the authority;
2) not less than once a year to perform examination of the security of information technologies and according to the results thereof organise elimination of the deficiencies detected;
3) at least once a year to attend training organised by the Security Incidents Response Institution in matters of the security of information technologies;
4) not less than once a year to instruct the staff of the authority on matters of the security of information technologies.

(4) [11 October 2018]

(5) The Cabinet shall determine the minimum security requirements for information and communication technologies, and the procedures by which the State and local government institutions, the owners or lawful possessors of the critical infrastructure of information technologies ensure conformity of information and communication technologies systems with the minimum security requirements.

(6) The Cabinet shall impose the security requirements for information technologies on legal persons governed by private law who are basic service providers and digital service providers.

(7) The requirements of this Section imposed on the basic service provider shall not apply to a credit institution within the meaning of Section 1, Paragraph two, Clause 1 of the Credit Institution Law, a point of sale within the meaning of Section 1, Paragraph one, Clause 77 of the Financial Instrument Market Law, and a central counterparty (CCP) within the meaning of Article 2(1) of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (Text with EEA relevance).

[5 February 2015; 15 June 2017; 11 October 2018]

Section 8.1 Supervisory Institution of the Basic Service Provider and the Digital Service Provider

(1) The Cabinet shall determine the supervisory institution of the basic service provider and the digital service provider (hereinafter - the supervisory institution), and determine the procedures for organising the operation thereof.

(2) The supervisory institution shall:
1) collect information submitted by ministries supervising the relevant sector regarding the identified basic service providers and basic services, and make a list of them;
2) every two years submit information to the European Commission regarding the procedures for identifying basic service providers, the number of identified basic service providers, and the list of basic services;
3) receive information from the Security Incidents Response Institution regarding the established non-conformity and security incidents.

(3) After receipt of the information from the Security Incidents Response Institution regarding the established non-conformity or security incidents, the supervisory institution is entitled to carry out one or several of the following activities:
1) to propose that the basic service provider or the digital service provider remedies, within the set deadline, the established non-conformity with the security requirements stipulated by the Cabinet in accordance with Section 8, Paragraph six of this Law;
2) to take a decision under which the basic service provider or the digital service provider referred to in Section 6, Paragraph 2.1 is imposed an obligation to eliminate the security incident, including to follow the recommendations of the Security Incidents Response Institution.

[11 October 2018]

Section 9. Security of Public Electronic Communications Networks

(1) Electronic communications merchants have the following obligations:
1) if the relevant merchant provides a public electronic communications network - to ensure the integrity of the network, thus achieving continuity of supply of services, as well as to draw up an action plan for ensuring continuous operation of the electronic communications network, indicating therein the technical and organisational measures to appropriately manage the risks posed to the security of the network and the provision of services;
2) to notify the competent Security Incidents Response Institution regarding a security incident which has a significant impact on the continuity of electronic communications networks or electronic communications service;
3) upon request of the competent Security Incidents Response Institution, to provide it with the information necessary for evaluation of the security and integrity of services and the network, including a documented security policy;
4) upon request of the competent Security Incidents Response Institution, if essential breaches of security or integrity have been established, to organise a security audit that is carried out by a qualified body governed by public law which has been coordinated with the competent Security Incidents Response Institution and is independent from the parties involved. The competent Security Incidents Response Institution shall be informed regarding the audit results. Audit costs shall be covered and breaches established in the audit shall be eliminated by the electronic communications merchant;
5) upon request of the competent Security Incidents Response Institution, to disconnect the end user from the electronic communications network for a short period of time, but not longer than 24 hours, if the end user significantly endangers the rights of other users or the information system, or the security of the electronic communications network. When requesting such action, the competent Security Incidents Response Institution shall indicate the reason for the request.

(2) The Cabinet shall determine the information to be included in the action plan for the provision of continuous operation of the electronic communications network, the procedures for control of the implementation of such plan, and the procedures by which end users shall be temporarily disconnected from the electronic communications network.

(3) The Cabinet shall determine the criteria for the relevance of the security incident.

[15 June 2017; 11 October 2018]

Section 10. National Council for the Security of Information Technologies

In order to co-ordinate the drawing up of the policy related to the security of information technologies, as well as the planning and carrying out of the relevant tasks and measures, the Prime Minister shall establish a National Council for the Security of Information Technologies, the operation of which shall be ensured by the leading State administrative institution in the national defence sector.

[6 November 2013]

Section 11. National Cyber Security Strategy

(1) The National Cyber Security Strategy shall determine the basic principles, objectives, and strategic priorities of cyber security policy-making, including security objectives, policies, and regulatory measures of electronic communications networks and information systems, to achieve and preserve a high level of security of electronic communications networks and information systems which applies to basic service providers, basic services, digital service providers, and digital services.

(2) The Ministry of Defence shall ensure that the National Cyber Security Strategy is developed every four years. The National Cyber Security Strategy shall be approved by the Cabinet.

[11 October 2018]

Transitional Provisions

1. Section 9 of this Law shall come into force on 1 May 2011.

2. The Cabinet shall issue the regulations provided for in Section 3, Paragraph three of this Law by 1 February 2011.

3. The Cabinet shall issue the regulations provided for in Section 9, Paragraph two of this Law by 1 May 2011.

4. The Prime Minister shall establish the National Council for the Security of Information Technologies specified in Section 10 of this Law by 1 February 2011.

5. The Cabinet shall issue the regulations provided for in Section 8, Paragraph five of this Law by 15 March 2015.
[5 February 2015]

6. The Cabinet shall, by 1 January 2019, make amendments to the Cabinet Regulation No. 327 of 26 April 2011, Regulations Regarding the Information to be Included in the Action Plan of a Merchant of Electronic Communications, the Control of the Implementation of Such Plan and the Procedures by Which End Users shall be Temporarily Disconnected from the Electronic Communications Network, in accordance with Section 9, Paragraph three of this Law.
[11 October 2018]

7. The supervisory institution shall submit to the European Commission the information referred to in Section 8.1, Paragraph two, Clause 2 of this Law for the first time by 9 November 2018.
[11 October 2018]

8. The Cabinet shall approve the National Cyber Security Strategy by 1 January 2019.
[11 October 2018]

Informative Reference to European Union Directives

[11 October 2018]

This Law contains norms arising from:
1) Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services (Text with EEA relevance);
2) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

This Law shall come into force on 1 February 2011.

This Law was adopted by the Saeima on 28 October 2010.

President V. Zatlers

Riga, 10 November 2010
1 The Parliament of the Republic of Latvia

Translation © 2019 Valsts valodas centrs (State Language Centre)
Document information
Title: Informācijas tehnoloģiju drošības likums
Status: No longer in force