DORA and Latvijas Banka: Practical Guide for Latvian Financial Entities
Latvijas Banka as the consolidated DORA competent authority for Latvia: scope, ICT incident framing, Register of Information and 2026 evidence checklist.
Short answer
Latvijas Banka is the consolidated competent authority for the Latvian financial sector since the 2023 merger of the Bank of Latvia and the Financial and Capital Market Commission (FKTK), and supervises DORA-in-scope financial entities including credit institutions, EMIs, PIs, CASPs and investment firms.
Who is the relevant competent authority?
Latvijas Banka (Bank of Latvia) is the relevant competent authority for Latvia entities falling within DORA scope.
Which financial entities are typically in scope
- Credit institutions (banks)
- Payment institutions and electronic money institutions (PIs / EMIs)
- Investment firms
- Crypto-asset service providers (CASPs) authorised under MiCA
- Insurance and reinsurance undertakings, where supervised in this jurisdiction
- Other financial entities listed in DORA Article 2
Authority and evidence map
| Entity type | Likely authority | DORA artefact | Where to verify |
|---|---|---|---|
| Banks / credit institutions | Latvijas Banka | ICT risk framework, incidents, BCDR, third-party register | Authority site |
| Payment institutions / EMIs | Latvijas Banka | Incident workflow, Register of Information, supplier evidence | Authority site |
| Investment firms / CASPs / insurers | Latvijas Banka | Entity-specific resilience and supervisory evidence pack | Check the competent authority listed below before filing |
DORA incident reporting
DORA Article 19 establishes the duty to report major ICT-related incidents. The reporting timeline and templates are set through the related EU technical standards; once an incident is classified as major, the operating cadence is:
- Initial notification — within 4 hours after classification, and no later than 24 hours after the entity becomes aware of or detects the incident.
- Intermediate report — within 72 hours of the initial notification.
- Final report — within one month of the initial notification, including root-cause analysis and remediation.
The cadence is set in EU law, but the local submission channel is set by the competent authority. Local reporting channels, templates and submission instructions should be verified on the competent authority website before filing.
Where to verify before filing
Before submitting a notification, Register of Information or supervisory response, verify the current local channel, form and language expectation on the competent authority website. For Latvia, start with Latvijas Banka.
Register of Information
DORA Article 28 requires every financial entity to maintain a Register of Information of all contractual arrangements with ICT third-party service providers, with extended content for arrangements supporting critical or important functions. Submission frequency, format and the exact local instructions are set by the competent authority. Local reporting channels, templates and submission instructions should be verified on the competent authority website before filing.
ICT third-party risk and outsourcing evidence
Article 28–30 requirements (register, contractual provisions, exit strategies, concentration analysis) sit on top of the existing outsourcing evidence stack (Latvia entities can typically reuse much of their EBA Guidelines on outsourcing arrangements work as the operating baseline). Critical-or-important-function arrangements need the full Article 30 contractual provisions and the structured register entry.
Jurisdictional nuances
- Since 1 January 2023 the former Financial and Capital Market Commission (FKTK) is part of Latvijas Banka — supervisory and macroprudential authority sit in a single body.
- Latvia is an active jurisdiction for EMI / PI authorisations; ICT third-party arrangements with payment-processing or core-banking providers are examined closely.
- MiCA is supervised by Latvijas Banka; CASP authorisation triggers DORA financial-entity status.
What not to assume
- Do not assume the same filing channel applies across all EU Member States.
- Do not assume a group-level notification replaces entity-level obligations.
- Do not assume an outsourcing register is equivalent to the DORA Register of Information.
- Do not assume TLPT applies automatically; Article 26 scope is competent-authority-led.
Evidence checklist for fintech SMBs
What a Latvia-supervised fintech SMB should keep current and inspection-ready:
- ICT risk management framework approved by the management body, with a current review date.
- Incident classification log with mapping to DORA Article 18 criteria and a timestamped decision trail.
- Register of Information for ICT third-party arrangements (Article 28), with extended content for critical-or-important functions.
- ICT third-party dependency map (provider → service → critical-or-important function).
- Business continuity and DR test evidence — last test date, scope, RTO / RPO, after-action remediation.
- Board / management-body reporting pack on ICT risk, incidents, third-party concentration and remediation.
- Supplier contract clauses meeting Article 30 (audit rights, security standards, incident support, exit support).
- Remediation tracker with owner, due date and supervisory commitment status.
How CyAdviso helps
CyAdviso runs DORA programmes for EU-licensed fintechs (EMIs, payment institutions, CASPs, investment firms) supervised by Latvijas Banka and other EU competent authorities. The output of a 90-day programme is a defensible evidence pack that the Latvijas Banka reviewer can read end to end — ICT risk framework, incident playbooks, Register of Information, third-party controls, BCDR test artefacts and a board-reporting cadence. Free DORA self-assessment or book a 15-minute call.
Related reading
- DORA National Competent Authorities — selected jurisdictions hub
- DORA Incident Reporting — 4 h / 72 h / 1 month timeline
- DORA Register of Information — complete guide
- DORA BCDR — Articles 11–12 roadmap
- DORA requirements — 2026 status check
- Comprehensive DORA guide for fintech SMBs