How Is Latvia Fighting Russia’s Escalating Cyber War?

In the quiet hum of servers and the invisible flow of data through fiber optic cables, a new kind of conflict is being waged, one where national borders are defended not by soldiers, but by lines of code and vigilant cybersecurity experts. For Latvia, a nation on the frontline of both NATO and the European Union, this digital battlefield is an immediate and persistent reality. As Russia intensifies its hybrid warfare tactics, the small Baltic state has become a primary target for cyber attacks designed to disrupt, destabilize, and deter. The release of the 2025 annual report from Latvia’s Constitution Protection Bureau (SAB) paints a stark picture of this escalating threat, but it also reveals a nation that is systematically fortifying its digital defenses, creating a playbook for resilience in the face of relentless aggression.

The Kremlin’s Digital Battlefield: Why Latvia Is a Primary Target

Russia’s hostile cyber activities are not random acts of digital vandalism; they are a calculated component of its statecraft. These operations are strategically designed to punish nations like Latvia for their unwavering political, military, and material support for Ukraine. The core objectives are multifaceted: to disrupt essential services, generate uncertainty among the public, and ultimately deter future assistance to Kyiv. This digital pressure campaign serves as a constant, low-cost method for Moscow to project power and retaliate against Western solidarity without engaging in conventional military conflict.

This escalating cyber threat is not confined to Latvia. According to the SAB’s analysis, the security risks posed by Russia are intensifying across Europe, with sabotage and sophisticated information operations becoming commonplace tools. The frequency of these incidents remained consistently high throughout 2025, demonstrating a persistent effort to undermine the infrastructure and social cohesion of European nations. From intrusive malware campaigns to the compromise of critical network equipment, the Kremlin’s digital arsenal is being deployed to achieve strategic geopolitical goals, making cybersecurity a matter of national sovereignty.

Building a Digital Iron Dome: Latvia’s Legislative Overhaul

In response to this heightened threat landscape, Latvia has embarked on a significant legislative overhaul to construct a more resilient digital infrastructure. A landmark development in 2025 was the Cabinet of Ministers’ adoption of a new regulation establishing mandatory minimum cybersecurity requirements for all critical entities. This measure, which places the Information and Communications Technology (ICT) sector under the direct supervision of the SAB, is a cornerstone of a broader legal framework designed to meet contemporary security challenges head-on. As SAB Director Egils Zviedris noted, this framework aims to create a comprehensive and proactive defense posture.

A particularly decisive element of this new regulation is the explicit ban on cooperation with partners from outside the European Union and NATO in government procurement for critical ICT resources. This “closed circle” approach is a direct countermeasure against the risk of malign foreign influence being embedded within the nation’s digital backbone. By legally mandating the exclusion of potentially compromised technology and services, Latvia is working to sever potential pathways for espionage and sabotage, ensuring that its most sensitive systems are built and maintained by trusted allies.

The Paradox of the Threat: An All-Time High in Attacks with Limited Impact

The year 2025 saw an unprecedented volume of cyber threats targeting Latvia, marking a multi-fold increase since Russia’s full-scale invasion of Ukraine began. However, a crucial distinction emerged from the data. The majority of these registered incidents fell into the category of conventional cybercrime, such as digital fraud and ransomware, which, while disruptive to individuals and businesses, rarely posed a direct threat to national security or the integrity of critical state functions. This surge in volume without a corresponding rise in catastrophic impact highlights the difference between widespread, opportunistic attacks and targeted, state-sponsored operations.

Despite the flood of lower-level threats, the danger from hostile state actors remains classified as “elevated,” characterized by fluctuating intensity rather than a steady climb. Remarkably, a trend that began in 2024 continued through 2025: the conspicuous absence of major hostile interference during key political events. The European Parliament elections, the Parliamentary Summit of the International Crimea Platform in Riga, and local municipal elections all proceeded without significant external cyber disruption. The SAB attributes this quiet period to the success of preemptive defensive measures and the diligent monitoring conducted by Latvia’s national Cyber Incident Response Institution, CERT.LV, which effectively neutralized threats before they could materialize.

The Unseen Vulnerability: Securing the Nation’s Operational Technology

A growing area of concern highlighted in the report is the security of Operational Technology (OT) environments. OT refers to the specialized hardware and software that monitor and control physical infrastructure, including the systems that manage essential public services like energy grids, water supplies, and transportation networks. The SAB warns that as these industrial systems become increasingly connected to the internet for remote management, many lack the robust cybersecurity protocols necessary to defend against modern threats. This creates a critical vulnerability where malicious actors can use relatively simple methods to gain access and potentially disrupt services vital to the public.

This concern is not unique to Latvia but reflects a broader European trend. Data from the European Union Agency for Cybersecurity (ENISA) revealed that nearly one-fifth of all cyber-attacks in Europe specifically targeted OT environments. The potential consequences of a successful attack on these systems are severe, ranging from power outages and water contamination to transportation shutdowns. The interconnected nature of modern infrastructure means that a single breach could have cascading effects, underscoring the urgent need for critical infrastructure operators to prioritize the security of their industrial control systems.

Lessons from the Front Lines: Expert Insights and Real-World Intrusions

The theoretical threat to OT has been demonstrated in real-world incidents across Europe, serving as stark warnings. Russian “hacktivist” groups, often operating as state proxies, have shown both the capability and the intent to target Western industrial control systems. In one notable case, these groups exploited a weak password to access the control panel of a dam in Norway, successfully altering the water pass-through. In another repeated assault, they targeted a hydroelectric power station in Gdansk, Poland, managing to remotely access control systems, manipulate operational parameters, and ultimately force a complete shutdown of the plant.

These case studies illustrate the tangible impact of cyber-attacks on critical infrastructure. As SAB Director Egils Zviedris officially assessed, the primary goal of such intrusions is to cause short-term inconvenience, threaten infrastructure security, and sow doubt and fear among the population, all while punishing nations for their geopolitical stances. These incidents transform abstract cybersecurity warnings into concrete examples of how digital vulnerabilities can translate into physical-world consequences, reinforcing the necessity of vigilant defense.

Latvia’s Playbook for Proactive Cyber Defense

Fortunately, Latvia has thus far avoided a major OT incident, thanks in large part to a strategy of proactive and preventive monitoring. In one instance during 2025, routine security scans uncovered a critical vulnerability in the software used by a municipal service provider’s industrial control system. This software was highly susceptible to remote access attacks, but because the flaw was identified by defenders first, it was patched before it could be exploited. This success underscores the value of continuous vulnerability assessment for operators of critical infrastructure.

Beyond OT, Latvia has developed a robust strategy to counter the relentless waves of distributed denial-of-service (DDoS) attacks targeting its public institutions. These attacks are often strategically timed to coincide with nationally significant dates or major political announcements, such as when a Latvian company won an international drone procurement contract in July 2025. To combat this, the Latvian Ministry of Defence funds a centralized DDoS defense shield, operated by the Latvian State Radio and Television Centre and provided free of charge to public bodies. This centralized service acts as a national digital guardian, absorbing and neutralizing malicious traffic to ensure government services and information remain accessible to the public, even under direct assault. This comprehensive approach, combining legislative action, preemptive monitoring, and centralized defense, forms the core of Latvia’s digital resilience.
