Almost every public awareness campaign on national security emphasizes the individual responsibility of citizens to prepare for crises — such as maintaining essential supplies or assembling a 72-hour emergency kit. This requirement is logical: like other nations implementing a comprehensive defence model, Latvia must engage the entire population in resilience and civil preparedness. In practice, individuals are expected to be self-sufficient for at least 72 hours, and ideally seven to ten days, until assistance arrives.

However, if these expectations are placed on residents, an important question arises: Are similar requirements in place for businesses and institutions?

Could companies maintain core operations for three to seven days in the event of a direct national security crisis — in other words, could they survive for 72 hours relying solely on internal capacity? Some organizations, especially those classified as part of critical infrastructure, likely could. They are already requested to develop business continuity plans to operate during all emergencies.

This approach — common in the Nordic model of crisis governance — is centered on the principle of continuity of critical functions, based on the planning assumption that if essential services such as electricity, communications, internet access, and water supply are maintained, then the private sector will adapt and continue to function. This proved largely true during the COVID-19 pandemic and is observable in wartime Ukraine today.

A separate — and strategic — question is whether continuity and preparedness requirements are consistent, or at least harmonized, across all critical infrastructure operators. Do subcontractors and service providers that support critical infrastructure face the same expectations of 72-hour operational self-sufficiency?

This issue is particularly acute given that most critical infrastructure providers rely on outsourced services — such as security, IT support, or technical maintenance. The resilience of these external partners may ultimately determine whether essential public needs can be met during a disruption.

The situation becomes even more complex when such subcontractors hold simultaneous service contracts with dozens or even hundreds of clients. What happens when all clients demand service at the same time, such as in the case of a hybrid threat scenario?

For example, it is worth asking whether a private security services company would be able to deploy sufficient personnel to hundreds of locations simultaneously in the event of a large-scale disruption. Similarly, can an IT provider realistically deliver timely cyber incident response to dozens of clients at once during a widespread cyberattack, such as those triggered by malware events like WannaCry or NotPetya? The same concern applies to backup power supply agreements: if all contracted clients request emergency generator support simultaneously, would the supplier have the capacity to meet demand — as was tested during the energy shortages experienced in Spain and Portugal?

These questions highlight the interdependency risk at the heart of modern crisis resilience — and the urgent need to extend continuity planning and resilience standards to the full supply chain.

There is currently no clear guidance on how private sector businesses that are not formally classified as critical infrastructure should prepare for crises. These companies are not legally required to comply with statutory business continuity planning mandates. Yet many of their services are vital to the population, such as ensuring uninterrupted access to pharmaceutical care via community pharmacies.

For example: How many days should pharmacies be expected to maintain their operations during a crisis? What kind of public compensation mechanism would be necessary, given that business owners must justify investments in stockpiling and resilience?

At the national level, are there any effective backup systems if E-Health or other essential medical data platforms were to remain offline for an extended period? A paper prescription, in this case, would be insufficient — a pharmacist cannot verify a patient’s eligibility or calculate the government-reimbursed co-payment without access to E-Health. Thus, the oft-repeated recommendation that people stock up on three months’ worth of prescription medications may be impractical: most physicians do not prescribe that far in advance, and many patients cannot afford to buy and store large quantities of medications.

The ability of any organization to remain resilient during a crisis depends on proactive investment and long-term procurement decisions made in peacetime. Secure and resilient local supply chains, or sourcing from trusted foreign suppliers in allied countries, is significantly more expensive than relying on riskier alternatives. Transitioning to a “just-in-case” model, building stockpiles, and investing in backup capacity increases capital expenditure, locks up liquidity, and creates ongoing costs related to storage, inventory renewal, and regulatory compliance.

Likewise, secure software and IT hardware sourced from NATO or EU countries often come at a higher cost than potentially insecure solutions developed outside those regions.

These are just some of the real-world costs borne by organizations seeking to invest in crisis resilience. Business strategists often point out that resilience is inherently at odds with efficiency — because it demands payment for redundant capacity, secure logistics, and strategic reserves that may never be used.

That’s why it is unlikely that most private-sector leaders will make such investments without public backing or available compensatory mechanisms.

Of course, most companies would prefer to remain operational during a crisis, as this would provide a clear competitive advantage. The real question is: what is the price of preparedness — and how much can a business afford to invest in continuity and reserves if such actions are neither required nor supported by the state? Ultimately, business leaders must strike a balance between risk preparedness and cost efficiency.

A valuable national stress test this year was the preparatory work related to Latvia’s potential disconnection from the BRELL power grid. This prompted companies to review and update crisis plans, and to test the availability and functionality of diesel generators.

Similar principles apply to other sectors: regular stress testing of critical infrastructure is increasingly a regulatory expectation, requiring organizations to evaluate the consequences of different disruption scenarios and demonstrate readiness under realistic conditions.

For most organizations, stress testing remains a voluntary exercise, often limited to the institutional memory or crisis experience of senior or mid-level management, and typically tied to sector-specific incidents rather than structured, anticipatory planning.

The new EU Preparedness Strategy outlines a detailed action plan focused on the continuity of critical functions and private sector engagement. Some measures are expected to establish baseline preparedness criteria for essential services, while others may introduce requirements to maintain stockpiles of critical equipment and materials. The strategy also envisions mechanisms for rapid access to critical goods and services, and the protection of key production lines.

However, the implementation of this strategy will take years, while the resilience of Latvia’s private sector is needed now — more urgently than ever.

The aim of this article is to bring renewed attention to the question of organizational readiness in the face of increasingly complex threats. Much has already been accomplished, and further efforts are planned. But time is unforgiving. We are, whether we acknowledge it or not, in a generalized hybrid war environment, in which private companies registered in NATO or EU member states may become targets simply because of their location or affiliations.

Another critical dimension of Latvian resilience is the security of supply chains. Every global disruption — such as the recent clashes between India and Pakistan — has the potential to escalate and leave Europe cut off from essential medicines or raw materials for an indefinite period. In such a volatile landscape, preparedness culture is not possible without a shift in the collaboration culture — one that meaningfully includes the private sector in national security planning, and provides equitable compensation mechanisms for business investments in continuity.

There is reason for cautious optimism. Multiple initiatives are already contributing to the strengthening of organizational resilience in Latvia. Through interbank cooperation, a critical ATM network has been established, and work is underway to develop solutions that enable offline payments. For the first time, Latvia’s national fuel reserves are fully stored within its own territory, rather than dispersed across storage facilities in other EU countries. In parallel, various sectors are taking steps to self-organize and enhance their crisis response capabilities. A notable example comes from the pharmacy sector, where professional bodies have initiated crisis preparedness training for pharmacists and distributed practical guides on public action during national security threats.

The key challenge now is to ensure that these promising but fragmented efforts evolve into coordinated, methodical, and system-wide preparedness frameworks — ultimately forming a national resilience ecosystem capable of responding to a broad spectrum of threats.

 

About the Author

Vitālijs Rakstiņš

Researcher at Rīga Stradiņš University and a recognized expert in the field of societal resilience and national security. He is the author of three books — The Resistance Handbook, Diaries of the Information War, and Digital Detoxification — and co-author of the pharmacy sector’s resilience manual Action in Case of a National Threat.