Latvia’s financial market and broader digital economy continue to evolve through innovative banking services, a growing fintech community, and a move toward e-governance. In this landscape, the European Union’s Digital Operational Resilience Act (DORA) arrives to standardize how organizations manage ICT risks, respond to incidents, and oversee third-party providers.
Because DORA holds special significance for the financial sector, Latvian banks, insurers, and IT service providers must align with its requirements to remain competitive and compliant in the European market. This post explores how DORA is taking shape in Latvia, whether its implementation differs from other EU nations, and how existing Latvian regulations already embrace aspects of operational resilience. I’ll also offer a brief list of potential DORA auditors based in Latvia.
Why DORA matters in Latvia
Although DORA primarily targets financial entities—banks, payment providers, insurance companies—it also requires that third-party vendors or IT partners supporting these institutions adhere to higher standards. In Latvia, the Financial and Capital Market Commission (Finanšu un kapitāla tirgus komisija, FKTK) supervises the financial sector, ensuring that local entities already follow certain risk management protocols.
DORA builds on these foundations by creating EU-wide rules around ICT governance, mandatory incident reporting, and more rigorous vendor due diligence. Given Latvia’s openness to cross-border financial services, compliance with DORA is critical for businesses aiming to grow within the EU.
Is the process different from other EU member states?
All EU member states, including Latvia, must adopt and apply DORA. The primary difference often lies in how each country’s supervisory bodies integrate these new rules with their existing frameworks. In Latvia, the FKTK is likely to issue additional guidance or clarifications on DORA, potentially defining specific local thresholds for incident severity or detailing particular reporting procedures. Because Latvia has a centralized financial regulator, it may manage the transition to DORA more efficiently than jurisdictions that have multiple overlapping authorities.
Companies operating in various EU countries should be mindful of potential minor variations in each regulator’s approach, such as the classification of incidents, the precise timeline for notification, or the categorization of critical third parties.
Latvia’s existing regulations aligning with DORA
Before DORA, Latvia already had measures in place to address cybersecurity and operational resilience. Below is a brief overview of local regulations that complement DORA’s goals:
| Latvian regulation or measure | Focus area | How it aligns with DORA |
| --- | --- | --- |
| FKTK regulations on operational risk and outsourcing | Requires banks and financial entities to maintain internal controls, vendor oversight, and ICT security | Echoes DORA’s approach to structured risk management, third-party governance, and robust incident response |
| Latvian implementation of the NIS Directive | Sets obligations for operators of essential services (including some financial services) | Mirrors DORA’s emphasis on mandatory cyber incident reporting and continuous monitoring of ICT threats |
| Personal Data Processing Law (aligned with GDPR) | Maintains strong data privacy and breach notification rules | Complements DORA’s requirement to safeguard sensitive information and notify authorities of major breaches |
Because of these existing guidelines, many Latvian financial institutions already have some level of ICT governance in place. However, DORA’s EU-wide scope—especially around standardized incident reporting—may require them to refine or unify processes for consistent compliance across multiple markets.
Impact beyond finance
While banks, investment firms, and insurers form the direct audience for DORA, any organization that handles crucial data or systems on their behalf can also be held to DORA-driven standards. This includes cloud providers, software development firms, and even specialized consultancies.
As Latvia expands its digital economy—particularly in fintech and IT services—DORA’s heightened focus on cyber resilience and robust vendor oversight can influence broader operational norms. In practice, a single breach at a non-financial third party can prompt mandatory reporting for a regulated client, effectively drawing the third party into DORA’s compliance ecosystem.
List of DORA auditors in Latvia
DORA does not provide for an official registry of auditors, but several firms in Latvia specialize in regulatory compliance, ICT risk management, and cybersecurity. Below is a concise list of potential partners:

| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Latvia | Cyber risk, operational resilience, regulatory audits | Part of a global network with local expertise in Latvian financial regulations |
| KPMG Baltics (Latvia) | ICT governance, compliance reviews, financial sector risk management | Known for advising banks and insurers on EU directives and risk controls |
| PwC Latvia | Cybersecurity, data privacy, incident management, governance & risk | Offers tailored services for both established and emerging financial entities |
| EY Latvia | IT audits, digital transformation, cross-border compliance | Experienced in guiding multinational institutions through EU regulations |
| BDO Latvia | Internal controls, process optimization, operational risk advisory | Often works with mid-market financial institutions and tech providers |
| DPA (Latvia-based firm) | Data protection, cybersecurity consulting, and managed security services | Specializes in GDPR-related measures and can adapt them to DORA-like frameworks |
When selecting an auditor or consultancy, Latvian businesses should consider a firm’s familiarity with FKTK standards, local market nuances, and broader EU directives, ensuring a smooth path to DORA compliance.
Fostering resilience across sectors
Latvia’s strong commitment to digital innovation and cross-border financial services makes DORA a timely and influential framework. By standardizing how organizations track, manage, and respond to cyber threats and operational disruptions, DORA not only raises the bar for the financial industry but also encourages best practices across the wider tech ecosystem. For Latvian companies, early alignment with DORA can enhance trust among international partners, streamline oversight by regulators, and solidify the country’s reputation as a forward-thinking player in Europe’s evolving digital marketplace.