What is AI regulation in Latvia?
AI regulation in Latvia is mainly the EU AI Act, which applies directly, rather than a standalone Latvian AI code. Latvia's national layer mostly assigns authorities and builds support structures. The Ministry of Economy handles notifying authority functions, the Consumer Rights Protection Centre is the single national contact point, the Ombudsman has a fundamental rights protection role, and the Data State Inspectorate oversees prohibited practices and some high-risk areas. Latvia has also created an AI Centre and a national testing sandbox.
What this means
If you are building or using AI in Latvia, start with the EU AI Act. It is the main legal framework, and Latvia does not have a single broad domestic AI statute that replaces it. The Latvian layer is mostly about which authority you deal with, how supervision is split by sector, and how national institutions support testing and governance.
That means a company in Latvia often needs to think in two tracks at once: the EU AI Act for system duties, and Latvian rules for regulators, finance, public sector governance and data protection where relevant. Latvia has also set up an AI Centre and a special regulatory environment for testing certain systems under official oversight.
Why it matters
For founders, buyers and governance leads, Latvia is not a single-regulator market. The answer to "what do we need to do?" depends on the use case, whether personal data is involved, whether you are in a supervised sector such as finance, and whether the system falls into an AI Act category that triggers extra controls. Getting the authority map wrong can delay launch, procurement, testing or incident handling. Getting it right makes it easier to plan documentation, human oversight, vendor terms, impact assessments and regulator engagement early.
How it works
The main rulebook is the EU AI Act
Latvia regulates AI primarily through the directly applicable EU AI Act. The core rules on prohibited practices, transparency, general-purpose AI models and high-risk systems do not come from a separate Latvian AI code. Latvia's main domestic task is to allocate authorities, give them powers, and fit the AI Act into sector supervision and public law.
The EU timetable is staged, and some dates for later high-risk duties are still being adjusted at Union level. For organisations in Latvia, the durable point is that the Union-level framework is the starting point, while Latvian rules tell you who supervises what.
Latvia uses a multi-authority supervision model
The Cabinet's February 2025 implementation protocol set a split model. The Ministry of Economy performs the notifying authority role, the Consumer Rights Protection Centre serves as the single contact point, and the listed market surveillance authorities act as competent authorities in their sectors.
This means Latvia does not funnel AI issues through one specialist AI regulator. Consumer, health, transport, education, security and other authorities all stay in play. The Data State Inspectorate has a specific role for prohibited AI practices and for certain high-risk uses tied to law enforcement, border management, justice and democratic processes. The Ombudsman Office also has a fundamental rights role, with powers to access AI documentation and ask the relevant market surveillance authority to organise technical testing when a file is not enough.
The AI Centre adds a national sandbox layer
Separate from enforcement, Latvia created an AI Centre by law in 2025. It is a foundation designed to build the national AI ecosystem, coordinate projects and organise a special regulatory environment for AI development and testing.
That environment is not a free pass. Applicants must describe the AI system, explain the public interest case, assess whether it may be high-risk or prohibited, specify needed data, and propose minimisation, anonymisation or pseudonymisation where personal data is involved. The centre works with competent institutions and can issue administrative acts setting the testing conditions.
Sector-specific Latvian law can add extra duties
The EU AI Act is not the whole picture. If an AI system processes personal data, GDPR and Latvian data protection law still matter. In finance, Latvia has gone further than a simple authority allocation by adopting a dedicated law on digital operational resilience and the use of AI in the financial market. That law applies AI use requirements to covered financial entities and gives the Bank of Latvia supervisory powers in that area.
AI sits inside a wider digital policy agenda
Latvia's wider digital policy is framed by its Digital Transformation Guidelines 2021 to 2027, rather than by a standalone AI ministry or code. Those guidelines treat AI as part of a broader digital programme that includes sandboxing, smart public services and other digital transformation measures. That helps explain the Latvian approach: combine EU compliance, sector supervision and practical state capacity for testing and adoption.
Examples
A Latvian bank introducing an AI credit, fraud or risk tool cannot treat the AI Act as an abstract Brussels issue. Latvia's 2025 financial market law says the AI use requirements in Regulation 2024/1689 apply to covered financial entities, and the Bank of Latvia supervises those requirements. A finance team therefore needs both EU AI Act analysis and domestic supervisory readiness.
A public body or company wanting to test a new AI system in Latvia's special regulatory environment has to file a structured application with the AI Centre. The file must cover the system description, a risk self-assessment, the public interest basis, the expected duration, the data needed and proposals for minimisation, anonymisation or pseudonymisation. The centre then sends the project to the competent institutions, which report on the rules that would apply after the system is placed on the market or put into use.
An authority dealing with policing, border control, justice or democratic processes cannot assume ordinary consumer-sector supervision. Latvia gave the Data State Inspectorate specific market surveillance responsibility for prohibited practices and for several high-risk areas, and the Ombudsman can demand documentation and ask the relevant authority to organise technical testing where the file is incomplete.
Common misunderstandings
Misconception: Latvia has its own broad AI Act that replaces the EU rules. Correction: the main rulebook is the EU AI Act, while Latvia mainly assigns authorities and adds some sector-specific law.
Misconception: The AI Centre is Latvia's main AI enforcement regulator. Correction: the centre supports ecosystem building and testing, but supervision is split across market surveillance and sector authorities.
Misconception: There is one Latvian AI regulator for every issue. Correction: Latvia uses a multi-authority model, so the relevant body depends on the sector and use case.
Misconception: If you buy AI from a vendor, only the vendor has legal risk. Correction: deployers in Latvia can still carry duties under the AI Act, sector law, data protection law and public sector governance rules.
Misconception: GDPR stops mattering once the AI Act applies. Correction: if the system uses personal data, data protection law remains part of the legal stack.
Risks and boundaries
This is a practical overview, not legal advice. The confirmed position is that Latvia now has an identified AI Act authority map, an AI Centre law, sandbox rules, Ombudsman powers linked to AI documentation and testing, and a finance-specific AI law.
The limits are equally important. Latvia still does not have one single consolidated domestic AI enforcement code. Some of the enforcement detail is spread across Cabinet decisions, sector laws and institutional powers. At the same time, the EU timetable for some later high-risk duties is still moving at Union level, so exact dates for every obligation are not purely a Latvia question. Organisations should also expect sector-specific law to add extra rules on top of the AI Act.
What to do next
Map every AI use case against the EU AI Act and record your role, such as provider, deployer, importer or distributor. Identify the Latvian authority early rather than late. If you need a general national entry point, start with the Consumer Rights Protection Centre, but expect the real supervisor to depend on sector.
Do not separate AI governance from data governance. If personal data is involved, line up GDPR work in parallel. If you operate in finance, build a Bank of Latvia lens into your programme. If you want to test a novel system, see whether the AI Centre's special regulatory environment is realistic for your case and prepare a serious evidence pack, not just a product pitch. Keep watching EU-level timing changes and any further Latvian amendments.
FAQs
Does Latvia have its own general AI Act?
No. The main rulebook is the EU AI Act. Latvia's own measures mostly allocate authorities, create support structures and add some sector-specific rules, especially in finance.
Who is the first contact point for AI Act questions in Latvia?
The Consumer Rights Protection Centre is the national single contact point, but the actual supervising authority depends on the sector and use case.
Is the AI Centre Latvia's AI regulator?
Not in the main enforcement sense. The AI Centre is an ecosystem and sandbox body, while supervision is split across market surveillance and sector authorities.
What role does the Ministry of Economy have?
It performs the notifying authority function for conformity assessment bodies in Latvia's AI Act setup.
Does the Data State Inspectorate only deal with privacy?
No. In Latvia's AI Act architecture it also has specific market surveillance responsibility for prohibited practices and some high-risk uses linked to law enforcement, border management, justice and democratic processes.
Are banks treated differently?
Yes. Latvia adopted a separate financial market law that applies AI use requirements to covered financial entities and gives the Bank of Latvia supervisory powers in that area.
Can we test an AI system in a sandbox in Latvia?
Yes, potentially. Latvia's AI Centre can organise a special regulatory environment, but you must file a structured application and meet the conditions set with the competent institutions.
Do public bodies in Latvia get a free pass if they buy AI from a vendor?
No. Public bodies still need to assess their own legal role, data protection, human oversight and, where applicable, high-risk duties and impact assessment work.
