Regulations Regarding the Conditions for the Determination of Significant Disruptive Effect of a Security Incident and the Procedures by which the Status of an Operator of Essential Services and Essential Services are Granted, Reviewed, and Terminated

Issued pursuant to
Section 3.¹, Paragraph six of the Law
on the Security of Information Technologies

1. The Regulation prescribes:

1.1. the conditions for the determination of significant disruptive effect of an information technologies security incident (hereinafter - the security incident);

1.2. the procedures for requesting information from legal persons governed by private law;

1.3. the conditions for granting, review, and termination of the status of the operator of essential services and essential services;

1.4. the procedures by which the Supervisory Committee of Digital Security is informed of essential services and operators thereof.

2. The security incident can cause a significant disruptive effect on the drinking water supply or distribution service, if at least one of the following conditions exists:

2.1. the service provider is the only provider of such service in the territory of the Republic of Latvia;

2.2. the service provider is the only provider of such service in any of the planning regions of Latvia;

2.3. the service provider holds the dominant market share among merchants registered in Latvia;

2.4. the service provider provides the service to at least 10 000 users;

2.5. the service provider provides the service to an in-patient medical treatment institution which does not have any alternative water supply options.

3. The security incident can cause a significant disruptive effect on the Internet exchange point service, domain name system service, top level domain name register service, if at least one of the following conditions exists:

3.1. the service provider is the only provider of such service in the territory of the Republic of Latvia;

3.2. the service provider is the only provider of such service in any of the planning regions of Latvia;

3.3. the service provider holds the dominant market share among merchants registered in Latvia.

4. The security incident can cause a significant disruptive effect on a service in the energy sector, if at least one of the following conditions exists:

4.1. the service provider is the only provider of such service in the territory of the Republic of Latvia;

4.2. the service provider is the only provider of such service in any of the planning regions of Latvia;

4.3. the service provider holds the dominant market share among merchants registered in Latvia;

4.4. the actual capacity installed by the service provider exceeds 50 megawatts;

4.5. the service provider owns heat supply networks with a length of at least 100 km;

4.6. the service provider provides the service to at least 10 000 users.

5. The security incident can cause a significant disruptive effect on a service in the transport sector, if at least one of the following conditions exists:

5.1. the service provider is the only provider of such service in the territory of the Republic of Latvia;

5.2. the service provider holds the dominant market share among merchants registered in Latvia;

5.3. the service provider administers TEN-T Core Network infrastructure.

6. The security incident can cause a significant disruptive effect on a service in the health sector, if at least one of the following conditions exists:

6.1. the service provider is the only provider of such service in the territory of the Republic of Latvia and impacts the provision of emergency medical assistance;

6.2. the service provider ensures emergency medical assistance in at least eight in-patient health care profiles.

7. The ministry responsible for an area of drinking water supply or distribution, an area of Internet exchange point services, an area of domain name system and top level domain name register services, and sectors of energy, transport, and health (hereinafter - the responsible ministry) shall request from legal persons governed by private law all necessary information to identify the operator of essential services in order to determine the significant disruptive effect of the security incident on the provision of services in the course of granting or reviewing the status of the operator of essential services or essential services.

8. The information referred to in Paragraph 7 of this Regulation shall be provided by the legal person governed by private law within one month from the date of receipt of the request.

9. If in the course of granting or reviewing the status of the operator of essential services or essential services the responsible ministry establishes that the service provider provides the service also in another European Union Member State, prior to taking the decision on granting or maintaining the status of the operator of essential services, it shall communicate with the contact point of the respective European Union Member State (an institution selected by a European Union Member State which is responsible for the information technologies security of the operators of essential services and digital service providers in the specific Member State, and coordinates cooperation by ensuring cross-border cooperation with other Member States, the Cooperation Group established by the Directive on security of network and information systems, and the network of Computer Security Incident Response Teams).

10. At least once every two years and in the case referred to in Paragraph 12 of this Regulation, the responsible ministry shall assess the compliance of the service provider and the services provided by it with the field or area referred to in Section 3.¹, Paragraph one, Clause 1 of the Law on the Security of Information Technologies and also the criteria referred to in Section 3.¹, Paragraph one of this Law and the conditions for the significant disruptive effect of the security incident referred to in this Regulation, and shall take the decision on granting, maintaining or terminating the status of the operator of essential services or essential services.

11. The responsible ministry shall, in accordance with the procedures prescribed in the Administrative Procedure Law, notify the decision referred to in Paragraph 10 of this Regulation to the Supervisory Committee of Digital Security and the operator of essential services to which the relevant status has been granted, maintained or terminated.

12. The service provider to which the status of the operator of essential services has been granted has the right to approach the responsible ministry with the request to review the status in the event of any changes and the operator of essential services or the service provided by it no longer conforms to the criteria referred to in Section 3.¹, Paragraph one of the Law on the Security of Information Technologies and the conditions for the significant disruptive effect of the security incident on the provision of the service referred to in this Regulation.

13. The responsible ministry shall assess the operator of essential services and the conformity of the services provided by it with the criteria referred to in Section 3.¹, Paragraph one of the Law on the Security of Information Technologies and the conditions for the significant disruptive effect of the security incident referred to in this Regulation for the first time by 31 January 2019 and shall take the decision on granting the status of the operator of essential services and essential services.

Informative Reference to the European Union Directive

This Regulation contains legal norms arising from Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

Prime Minister Māris Kučinskis

Minister for Defence Raimonds Bergmanis

Translation © 2019 Valsts valodas centrs (State Language Centre)