The Digital Operational Resilience Act (DORA) stands as a landmark EU regulation, enacted on January 17, 2023, with its operational mandates set to take full effect on January 17, 2025. This pivotal piece of legislation is designed to fortify the European Union’s financial sector against the ever-growing threat of cyber incidents and IT failures. Its core objective is to ensure that financial entities can not only withstand digital disruptions but also respond effectively to them and recover swiftly, thereby maintaining the stability and integrity of the financial ecosystem. DORA’s reach is extensive, applying to a broad spectrum of entities, including traditional financial institutions like banks and insurance companies, as well as critical third-party technology service providers who are integral to the functioning of the financial sector.
The Pre-DORA Landscape in Latvia
Before the advent of DORA, Latvia’s financial sector operated under a fragmented regulatory environment. A “patchwork of inconsistent standards” existed across various EU member states, leading to potential gaps and inefficiencies in digital operational resilience. While the Financial and Capital Market Commission (FKTK), which has since been integrated into Latvijas Banka, previously oversaw certain aspects of risk management, a unified, comprehensive EU-wide framework for digital resilience was conspicuously absent. In Latvia, as in many other nations, the rapid pace of digitalisation has significantly increased reliance on complex digital systems and exposed the sector to more sophisticated cyber threats. This escalating digital dependency, coupled with evolving cyber risks, underscores the urgent need for a robust, harmonised regulatory solution.
Latvijas Banka’s Crucial Role in DORA Implementation
Understanding DORA Reporting at the Bank of Latvia
Latvijas Banka, the central bank of Latvia, has been designated as the competent authority responsible for the implementation and supervision of DORA within the country. This central role positions Latvijas Banka as the primary guide for the financial sector, ensuring adherence to the new regulations and supervising compliance efforts. Latvijas Banka has made DORA compliance a key supervisory priority for 2025, which underlines its significance. A notable shift for financial entities in Latvia is the new requirement to report major ICT-related incidents directly to Latvijas Banka, streamlining the incident response process. Complementing the EU-wide regulation, Latvia proactively enacted its own national legislation: the “Law on the Resilience of Digital Operations in the Financial Market and the Use of Artificial Intelligence,” which came into effect on October 1, 2025. This national law aligns with and builds upon DORA, introducing specific mandates for ICT risk management, business continuity planning, AI compliance, and ICT incident reporting tailored to the Latvian context.
DORA’s Five Pillars: A Framework for Resilience
DORA is meticulously structured around five interconnected pillars, forming a comprehensive framework for digital operational resilience:
1. ICT Risk Management
Financial entities are mandated to establish and maintain a robust, comprehensive, and well-documented ICT risk management framework. This framework must be seamlessly integrated into the entity’s overall risk management strategy. Key requirements include the protection of critical ICT assets, regular annual reviews of the ICT risk management framework, and, for larger entities, conducting internal ICT risk audits. Adherence to specific Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), particularly concerning the maintenance of ICT outsourcing registers, is also crucial. The management body of the financial entity holds ultimate responsibility for ICT risk management and must ensure its members are sufficiently informed about evolving ICT risks.
2. Incident Reporting
DORA imposes strict timelines for reporting major ICT-related incidents to the competent authorities. Financial entities must provide an initial notification within 4 hours of classifying the incident or within 24 hours of detecting it, whichever comes first. This is followed by an intermediate report within 72 hours of the initial notification, and a final report no later than one month after the intermediate report. The classification criteria for major incidents and standardised reporting templates are provided by the European Supervisory Authorities (ESAs) and, in Latvia, by Latvijas Banka. Direct reporting to Latvijas Banka is to be conducted via the dedicated email address: dora@bank.lv.
3. Stress-Testing
An annual testing and exercising program is a fundamental requirement under DORA. This program must encompass a range of tests, including vulnerability assessments and penetration testing, which must be conducted at least annually. For “significant” financial entities, a more advanced form of testing, Threat-Led Penetration Testing (TLPT), is required, typically every three years. TLPT involves testing live production systems and necessitates the engagement of highly qualified and accredited testers. Developing and implementing comprehensive remediation plans for all identified issues is a critical component of this pillar.
4. Third-Party Risk Management
Chapter V of DORA (Articles 28-44) sets out stringent requirements for managing risks associated with third-party ICT service providers. This involves developing and implementing robust policies, conducting thorough risk analyses, and ensuring that contractual agreements with these providers include specific clauses related to service quality, security, and continuity. Financial entities must also maintain an up-to-date Register of Information (RoI) for all ICT third-party arrangements. Importantly, Critical ICT Third-Party Providers (CTPPs) will be subject to EU-wide oversight, although financial institutions will continue to bear ultimate accountability for their outsourcing arrangements.
5. Information Sharing
DORA actively encourages voluntary information-sharing arrangements among financial entities concerning cyber threats and vulnerabilities. The aim is to bolster collective cyber defences and enhance the overall resilience of the financial sector. However, this encouragement is balanced by strict provisions to protect data privacy and confidentiality, ensuring that sensitive information is shared securely and responsibly.
Challenges and Controversies in DORA Implementation
Despite the clear benefits of enhanced digital resilience, the path to DORA compliance is fraught with challenges, particularly for smaller fintechs and payment firms. These entities often grapple with limited resources, making the substantial investments required in new infrastructure, advanced technology, and specialised cybersecurity and operational resilience skills a significant hurdle. Furthermore, the mandate for board members to possess enhanced ICT resilience expertise adds another layer of complexity. A survey conducted in March 2025 revealed that only a small percentage (4%) of firms were fully implementing DORA, with many indicating plans to change their ICT service providers due to compliance concerns. Adding to the implementation complexities, the European Commission launched infringement procedures in March 2025 against Latvia and several other member states for failing to fully transpose the DORA Directive into national law, suggesting potential delays or ambiguities in domestic legal frameworks. The scarcity of specialised talent in cybersecurity and operational resilience further exacerbates these challenges, leading to high demand for skilled professionals.
The Future Outlook for Digital Resilience in Latvia
Latvia remains steadfast in its commitment to achieving digital operational resilience across its financial sector. Ongoing collaboration between Latvijas Banka and financial institutions is key to navigating the evolving regulatory landscape. The European Supervisory Authorities (ESAs) are expected to continue issuing updated technical standards and guidance, which will shape the future implementation of DORA. Latvia’s national law on digital resilience and the use of artificial intelligence further solidifies its dedication to a secure and robust digital future. Ultimately, DORA aims to foster a more stable, integrated, and secure financial ecosystem throughout the European Union.
Next Steps for Organisations Under DORA
To effectively navigate the DORA compliance journey, organisations are strongly advised to:
- Deeply review their ICT risk management framework against all five pillars of DORA, identifying any gaps and planning for remediation.
- Implement robust testing programs, including annual vulnerability assessments and penetration tests, and refine incident reporting procedures to meet DORA’s strict timelines.
- Proactively engage with third-party ICT service providers, meticulously scrutinise existing and new contracts for DORA compliance, and develop clear exit strategies where necessary.
- Closely monitor official updates and guidance issued by Latvijas Banka and the ESAs to ensure ongoing adherence to evolving requirements.
This comprehensive approach will not only ensure compliance but also significantly enhance the organisation’s overall digital operational resilience. The journey toward full DORA compliance is an ongoing process that requires continuous attention and adaptation to safeguard the integrity of the financial system.