ABSTRACT
On 7 June 2022, the Latvian government adopted a report titled “On Improving National Cybersecurity Governance”, marking the start of the most extensive modernisation of cybersecurity governance in the country’s history. This modernisation effort carries profound implications as it encompasses new sectors and introduces a semi-centralised cybersecurity governance model centred around the newly established National Cybersecurity Centre. It also expands institutional mandates, a novel regulatory framework outlining minimum cybersecurity requirements for different entities, and enforcement mechanisms. However, the implementation is challenging and primarily influenced by the path dependency of the previous governmental actions. The roots of Latvia’s cybersecurity governance span over two decades, witnessing significant transformations driven by both legal changes at the national and EU levels, notably with the implementation of the NIS (Network and Information Systems) and NIS2 directives, as well as technological advancements, along the evolution of the cyber-threat landscape, and global trends like the adoption of zero-trust principles and increased concerns about supply chain security. Thus, this chapter aims to research the question: what are the critical factors shaping Latvian cybersecurity governance? This chapter identifies and reveals path dependency factors by exploring institutional and legal evolution. While mapping the processes within the cyber ecosystem, Latvia’s digital and security policy will be exposed in search of a better governance model. Finally, the policy coordination perspective is essential for this chapter to contribute to ongoing cybersecurity policy design and implementation discussions, aiming to overcome harmful path dependency and create reliable future scenarios.
