NIS2 and domain names

Do you provide DNS-related services? The new cybersecurity requirements also apply to you!

If you or your company:

  • offer to clients the registration of domain names in any top-level domain, or,
  • ensure the operation of any top-level domain, or,
  • provide publicly available recursive domain name resolution services to internet end-users or authoritative domain name resolution services for third-party use (this does not apply to root name servers),

then the new requirements of the Network and Information Security Directive (hereinafter referred to as the NIS2 Directive), which is currently being implemented in Latvia, apply to you.

If you provide services in other EU member states, you must carefully monitor the national regulations of the EU member states that will implement the NIS2 Directive requirements.

NIS2 in Latvia

On June 20, 2024, the Latvian Parliament, in its final reading, adopted and on July 4, the President of Latvia announced a new National Cybersecurity Law - Latvijas Vēstnesis (

The purpose of the regulation is to improve the overall information and communication technology (ICT) security, resilience, and response capabilities of essential and important service providers’ to cybersecurity threats.

The law comes into force on September 1, 2024.

Additionally, it is expected that a series of related normative acts will be adopted soon, specifying detailed requirements, including for the domain name registration database, the top-level domain “.lv” registry operator, and domain name registration service providers.

To whom does the new law apply?

The National Cybersecurity Law applies to domain name registration service providers:

  1. who meet the status of a domain name registration service provider, and
  2. whose cybersecurity-related decisions are made in Latvia or who have the largest number of employees in Latvia.

In Latvia, according to the law, top-level domain registry operators and domain name system service providers who meet above mentioned criteria will be essential service providers.

Requirements for domain name registration service providers

Domain name registration service providers, unless they provide other services included in the list of essential or important services, have two main obligations under the new regulation:

  • register with the National Cybersecurity Center by April 1, 2025, or if the status is acquired after this date, submit the notification within a month, and
  • comply with the requirements to be specified in the Cabinet of Ministers regulation Requirements for the Domain Name Registration Database Applicable to the Top-Level Domain “.lv” Registry Operator and Domain Name Registration Service Providers.

These Cabinet regulations are expected to be issued by October 17, 2024.

What should service providers do?

If a company qualifies as an essential service provider, it must comply with a broader range of obligations covering various cybersecurity aspects:

1. Cybersecurity management

Requirements include a wide range of security measures and risk management, such as appointing a cybersecurity manager, conducting regular risk assessments and management, planning business continuity, and implementing minimum cybersecurity requirements and cyber hygiene in the company.

Information about the appointment of a cybersecurity manager must be initially notified to the National Cybersecurity Center and the Constitution Protection Bureau by October 1, 2025, with new minimum cybersecurity requirements to be issued by April 1, 2025.

2. Incident reporting and action

In addition to the obligation to report cyber incidents to help mitigate their impact and spread within ICT infrastructure, the law also specifies several state supported cybersecurity initiatives that will help not only to overcome the consequences of cybersecurity incidents but also to detect and prevent incidents, such as coordinated vulnerability disclosure using the platform by CERT.LV, DNS Firewall service established by CERT.LV and NIC.LV, and other services providing protection against cyberattacks.

3. Responsibility and supervision

Companies must expect regular audits, self-assessment, and compliance checks. The initial self-assessment report must be submitted to the National Cybersecurity Center and the Constitution Protection Bureau by October 1, 2025.

The law ensures effective compliance with cybersecurity requirements and measures by holding the company’s top management accountable. For the first time, cybersecurity regulations also introduce fines and enforcement measures, which can reach up to two percent of the total net turnover of the last financial year or up to 10 million euros if this turnover exceeds 500 million euros.

What else to expect?

Currently, domain name industry is still awaiting more detailed cybersecurity requirements from legislators. In Latvia, the Cabinet of Ministers regulation will be important to industry, as it will implement Article 28 of the NIS2 Directive. The regulation will establish the obligations of top-level domain registry operators and domain name registration service providers:

  • to collect certain categories of data and guarantee their integrity and availability,
  • to develop policies and procedures for the accurate and complete collection and maintenance of domain name registration data, as well as for the prevention and correction of inaccurate registration data in accordance with data protection laws,
  • to adopt and implement reasonable procedures for domain name registration data verification,
  • to make publicly available domain name registration data that are not personal data,
  • to ensure legitimate access requestors’ access to registration data and timely accessibility,
  • to cooperate to avoid multiple data collection.

Alongside national laws of EU member states, work is already underway in European institutions to develop cybersecurity requirements for the domain name industry, and it is expected that:

  • In autumn 2024, the NIS Cooperation Group will provide recommendations to member states on Article 28 of the NIS2 Directive,

  • By October 17, 2024, the European Commission will adopt an implementing act for DNS service providers and top-level domain registry operators, setting technical and methodological requirements for measures aimed at protecting network and information systems and their physical environment from incidents, including at least:

     - risk analysis and information system security policies;    
     - incident management;    
     - business continuity, such as backup management and disaster recovery, and crisis management;   
     - supply chain security, including security aspects affecting relationships between each entity and its direct suppliers or service providers;     
     - security in the acquisition, development, and maintenance of networks and information systems, including handling vulnerabilities and disclosing vulnerabilities;    
     - policies and procedures for assessing the effectiveness of cybersecurity risk management measures;    
     - basic cyber hygiene and cybersecurity training;     
     - policies and procedures for the use of cryptography and, where applicable, encryption;    
     - human resources security, access control policies, and asset management;      
     - where applicable, multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems within the entity.    

Expected impact

The NIS2 Directive is a significant step in the European Union’s efforts to ensure a secure digital infrastructure, providing a framework to turn risks into opportunities.

For the domain name industry, compliance with the NIS2 Directive will mean improved cybersecurity practices across industry, faster response to cyber incidents, and enhanced overall resilience against cyber threats.

Although the National Cybersecurity Law imposes new obligations and requires significant investments from companies, the long-term benefits of ensuring a safer and more reliable ICT environment will be considerable.

With the law coming into force, domain name industry must actively adapt and prepare for changes in the cybersecurity field, ensuring that we collectively promote a safer digital environment for all.

Participate in the public consultation

The development of normative acts is still ongoing, so everyone, including domain name industry, has the opportunity to express their opinions and suggestions.

  • On June 27, the European Commission launched a consultation process lasting until July 25 on the NIS2 implementing act “Cybersecurity Risk Management and Reporting Obligation for Digital Infrastructure Providers and ICT Service Managers.” Provide your opinion here: European Commission Consultation
  • On July 3, the Regulations on Minimum Cybersecurity Requirements (22-TA-3183) were published on the Latvian Legal Acts Drafts Public Portal, and their public consultation began, lasting until July 17. Draft project and public consultation information available here