Teksta versija
LEGAL ACTS OF THE REPUBLIC OF LATVIA
home
 

Republic of Latvia

Cabinet
Regulation No. 15
Adopted 15 January 2019

Regulations Regarding the Security Incident Relevance Criteria, Reporting Procedures, and Content of Report

Issued pursuant to
Section 6, Paragraph seven of the Law
on the Security of Information Technologies

1. The Regulation prescribes the information technologies security incident (hereinafter - the security incident) relevance criteria, the reporting procedures and the content of a report.

2. The security incident has a significant impact on the continuity of the essential service, if the security incident complies with at least one of the following features:

2.1. it lasts for more than 24 hours regardless of the number of users affected;

2.2. it affects 1 up to 10 per cent (inclusive) of the users of the essential service and lasts for at least four hours;

2.3. it affects 10 up to 15 per cent (inclusive) of the users of the essential service and lasts for at least two hours;

2.4. it affects more than 15 per cent of the users of the essential service and lasts for at least one hour;

2.5. it affects at least one user of the essential service that is included in the list of large enterprises in accordance with Section 10, Paragraph two of the Energy Efficiency Law;

2.6. it affects the users of the essential service in at least one other European Union Member State and lasts for at least two hours.

3. The security incident has a significant impact on the provision of the digital service, if it lasts for more than two hours.

4. The operator of essential services or the digital service provider shall, within four hours after discovering the security incident which has significantly impacted the continuity of the essential service or the provision of the digital service or as soon as it becomes possible, submit electronically to the competent Security Incidents Response Institution the initial report where contact details of the applicant (given name and surname, position, electronic mail address and phone number) and all available information concerning the discovered security incident are specified, including the following:

4.1. the time of detecting the security incident and duration thereof;

4.2. the service affected by the security incident;

4.3. the description of the security incident;

4.4. the number of users (in percentage or figures) affected by the security incident;

4.5. the measures taken to prevent the security incident;

4.6. the European Union Member States affected by the security incident;

4.7. the estimated time for the prevention of the security incident;

4.8. the necessary support from the competent Security Incidents Response Institution;

4.9. other information relating to the security incident.

5. If the operator of essential services depends on the digital service provider that is affected by the security incident referred to in Paragraph 3 of this Regulation, in addition to the information referred to in Paragraph 4 of this Regulation it shall indicate the information on the digital service provider.

6. The competent Security Incidents Response Institution, having received the initial report referred to in Paragraph 4 of this Regulation, shall register it and inform either electronically or by phone the operator of essential services or the digital service provider of receipt of the initial report.

7. Until the date of submitting the final report referred to in Paragraph 8 of this Regulation, the operator of essential services and the digital service provider shall inform the competent Security Incidents Response Institution regarding changes in the information specified in the initial report referred to in Paragraph 4 of this Regulation.

8. The operator of essential services and the digital service provider shall, within 10 working days after preventing the security incident which has significantly impacted the continuity of the essential service or the provision of the digital service, electronically submit to the competent Security Incidents Response Institution a final report where the following is stated:

8.1. the service affected by the security incident;

8.2. the description of the security incident;

8.3. duration of the prevention of the security incident;

8.4. the number of users (in percentage or figures) affected by the security incident;

8.5. the amount of loss caused by the security incident. If it is impossible to ascertain the exact amount of loss, the overall loss shall be estimated;

8.6. potential origin and cause of the security incident;

8.7. the European Union Member States affected by the security incident;

8.8. other information relating to the security incident.

9. The reports referred to in Paragraphs 4 and 8 of this Regulation shall be sent electronically by the operator of essential services or the digital service provider to the electronic mail address of the competent Security Incidents Response Institution. If the Internet connection is not available, the operator of essential services or the digital service provider shall provide the information referred to in Paragraph 4 of this Regulation to the competent Security Incidents Response Institution by phone.

Informative Reference to the European Union Directive

This Regulation contains legal norms arising from Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

Prime Minister Māris Kučinskis

Minister for Defence Raimonds Bergmanis


Translation © 2019 Valsts valodas centrs (State Language Centre)

 
Document information
Title: Noteikumi par drošības incidenta būtiskuma kritērijiem, informēšanas kārtību un ziņojuma saturu Status:
In force
in force
Issuer: Cabinet of Ministers Type: regulation Document number: 15Adoption: 15.01.2019.Entry into force: 18.01.2019.Publication: Latvijas Vēstnesis, 12, 17.01.2019. OP number: 2019/12.2
Language:
LVEN
Related documents
  • Issued pursuant to
  • Annotation / draft legal act
  • Other related documents
304284
18.01.2019
87
0
  • Twitter
  • Facebook
  • Draugiem.lv
 
0
Latvijas Vestnesis, the official publisher
ensures legislative acts systematization
function on this site.
All Likumi.lv content is intended for information purposes.
About Likumi.lv
News archive
Useful links
For feedback
Contacts
Mobile version
Terms of service
Privacy policy
Cookies
Latvijas Vēstnesis "Everyone has the right to know about his or her rights."
Article 90 of the Constitution of the Republic of Latvia
© Official publisher "Latvijas Vēstnesis"