March 6, 2026
10 min read
Arūnas Vrubliauskas

The ultimate guide to NIS2 in the Baltics: Lithuania, Latvia & Estonia

In 2024, European organisations intensified their focus on cyber security as the NIS2 transposition deadline (17 October 2024) arrived and national implementing laws took effect. With compliance now in effect, this guide gives a thorough overview of the NIS2 Directive so your organisation can ensure full compliance.

In this blog post, we go through the key aspects of the NIS2 Directive, its significance, compliance requirements, impacted sectors and entities, and what actions every organisation can take.

What is the NIS2 Directive?

The NIS2 Directive (Directive (EU) 2022/2555), the second Network and Information Security Directive, is the EU legislative framework for raising the level of cyber security across member states.

It entered into force on 16 January 2023, and Member States had until 17 October 2024 to transpose it into national law. Entities that fall under the NIS2 purview must therefore meet the requirements of the national law of the Member State in which they are established (or, for certain digital services, the Member State of their main establishment or representative).

Why was the NIS2 Directive initiated?

The original NIS Directive (Directive (EU) 2016/1148) was adopted by the European Parliament and the Council on 6 July 2016. It aimed to establish a common baseline of cyber security preparedness across European Union member states.

Because of the shortcomings of the first NIS Directive (uneven implementation across Member States and a scope that left many critical sectors uncovered), the Commission proposed NIS2 in December 2020; it was adopted in December 2022 and entered into force on 16 January 2023. It continues and expands its predecessor and rectifies those deficiencies. NIS2 focuses on the security of networks and information systems by obliging operators of critical infrastructure and essential services to implement security measures and report significant incidents to the relevant authorities. Compared to NIS, NIS2 widens its scope, covering more organisations and sectors EU-wide, and it emphasises supply chain security, harmonised multi-stage incident reporting obligations, and stricter, more uniform supervision and sanctions throughout Europe.

How do you prepare for the NIS2 Directive?

Applicable organisations must take steps to ensure compliance. This includes:

  • Check if your organisation comes under the Directive and identify the affected units.
  • Review current security measures and update security policies and strategies for NIS2 compliance.
  • Implement the required security measures and extend security and incident-notification requirements to your suppliers and service providers through contracts.
  • Collaborate with an IT partner who can help you prepare for NIS2 Directive compliance by adopting needed security measures.

Unsure where to begin with NIS2 Directive compliance? Book a consultation with our cyber security experts for guidance.

What aspects of organisations does the NIS2 Directive cover?

Aiming to strengthen the EU's ability to tackle existing and future cyber threats, the NIS2 Directive brings new rules for organisations in several key areas. The main requirement areas include:

  • Risk management. Article 21 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage cyber risks. These cover, at a minimum, risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition and development of systems (including vulnerability handling), procedures to assess the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication where appropriate.
  • Corporate accountability. Under Article 20, the management bodies of essential and important entities must approve the risk-management measures, oversee their implementation and follow cyber security training. Managers can be held liable for infringements, and for essential entities a temporary ban from management functions is possible.
  • Reporting obligations. Both essential and important entities must set up processes to report incidents that significantly affect their services or recipients. Article 23 sets specific deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (or a progress report if the incident is still ongoing).
  • Business continuity. NIS2 requires entities to plan how to keep operating during major cyber incidents. This includes backup management and disaster recovery, emergency procedures, and a crisis management organisation.

NIS2 Directive in the Baltic Region

NIS2 in Lithuania

In Lithuania, the National Cyber Security Centre (Nacionalinis kibernetinio saugumo centras, NCSC) under the Ministry of National Defence is responsible for overseeing the implementation of the NIS2 Directive. Lithuanian entities classified as essential or important must meet the requirements of the amended Law on Cyber Security (Kibernetinio saugumo įstatymas), which transposes NIS2, and follow the guidance published by the NCSC.

NIS2 in Latvia

In Latvia, the Ministry of Defence (Aizsardzības ministrija), through the National Cybersecurity Centre (Nacionālais kiberdrošības centrs), supervises compliance under the National Cyber Security Law (Nacionālās kiberdrošības likums), which transposes NIS2. Latvian organisations falling under the Directive must adhere to the risk management and incident reporting requirements established by that law, with incidents reported to CERT.LV.

NIS2 in Estonia

In Estonia, the Information System Authority (Riigi Infosüsteemi Amet, RIA), through its National Cyber Security Centre (Riiklik Küberturvalisuse Keskus), handles the implementation and supervision of NIS2 compliance across Estonian institutions and enterprises. Entities should familiarise themselves with RIA's security guidance and reporting obligations and report incidents to CERT-EE, which is part of RIA.

In what sectors does the NIS2 Directive apply?

The original NIS Directive, applicable from 2018, covered seven sectors (energy, transport, banking, financial market infrastructures, health, drinking water and digital infrastructure) plus digital service providers. NIS2 expands this to eighteen sectors, split into Annex I ("sectors of high criticality") and Annex II ("other critical sectors"). Whether an entity is essential or important depends on its sector and its size (Article 3): as a rule, large entities in Annex I sectors are essential, while medium-sized entities in Annex I sectors and entities in Annex II sectors are important. Let us explore the impacted sectors below.

Sectors of high criticality (Annex I):

  • Energy. Electricity, district heating and cooling, oil, gas and hydrogen. As critical infrastructure, the energy sector is a prime target for cyberattacks, and NIS2 imposes specific requirements to safeguard its networks and information systems.
  • Transport. Air, rail, water and road transport. The transport sector is foundational to modern society, and the NIS2 Directive mandates measures to protect it against cyber threats.
  • Banking and financial market infrastructures. Credit institutions, trading venues and central counterparties are crucial to the EU economy. For these entities, DORA's ICT risk-management and reporting rules take precedence over the corresponding NIS2 provisions.
  • Health. Public and private healthcare providers, EU reference laboratories, manufacturers of medical devices and pharmaceuticals, and related research and development. This sector plays a pivotal role in EU society and the economy.
  • Drinking water. Disruption of water supply could have severe consequences, so protective measures are emphasised to ensure uninterrupted services.
  • Waste water. Undertakings collecting, disposing of or treating urban, domestic or industrial waste water, where this is an essential part of their activity.
  • Digital infrastructure. Internet exchange points, DNS service providers, TLD name registries, cloud computing, data centre services, content delivery networks, trust service providers, and public electronic communications networks and services. This sector faces increasing cyber threats and is subject to additional technical requirements through the Commission's implementing acts.
  • ICT service management (business-to-business). Managed service providers and managed security service providers, whose privileged access to customer environments makes them a supply chain risk.
  • Public administration. Central government entities and, at Member State discretion, regional entities. Public administration provides critical services such as social services and public safety, and NIS2 emphasises securing its systems against cyber threats.
  • Space. Operators of ground-based infrastructure supporting space-based services must safeguard sensitive data and critical systems.

Other critical sectors (Annex II):

  • Postal and courier services. The sector faces growing cyber threats due to its increased reliance on digital systems, and protective measures are essential for Directive-compliant resilience.
  • Waste management. Classified as an Annex II sector, waste management encounters cyber threats to its critical operations that require Directive-aligned protective measures.
  • Chemicals. Manufacturers, producers and distributors of chemicals must implement protective measures to mitigate cyber threats to their production and supply processes.
  • Food. Food production, processing and distribution businesses face growing vulnerability to cyber threats in a digitised environment.
  • Manufacturing. Manufacturers of medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment face heightened cyber security risks to both IT and production systems.
  • Digital providers. Online marketplaces, online search engines and social networking platforms are vital in the digital age and play a crucial role in secure online interactions.
  • Research. Research organisations must safeguard valuable data and critical systems.

What about the entities outside the EU?

Under Article 26 (Jurisdiction and territoriality), a non-EU entity is in scope if it offers services within the EU. For the digital categories listed in Article 26(1)(b) (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre and content delivery network providers, managed service providers, managed security service providers, online marketplaces, search engines and social networking platforms), an entity not established in the EU must designate a representative in one of the Member States where its services are offered.

The entity is then deemed to fall under the jurisdiction of the Member State where the representative is established. If no representative has been designated, any Member State in which the entity provides services may take legal action against it for infringing the NIS2 Directive.

What is common between NIS2 Directive and DORA?

The NIS2 Directive and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) both aim to strengthen cyber security within the European Union, but with different focal points. NIS2 sets a common baseline across the sectors critical to societal functioning, with an emphasis on supply chain security. DORA specifically targets the financial sector and focuses on the operational resilience of its ICT systems. DORA is the sector-specific act for financial entities: where it applies, its ICT risk-management and incident-reporting provisions take precedence over the corresponding NIS2 provisions (NIS2 Article 4). While NIS2 sets minimum maximum administrative fines, DORA leaves the definition of administrative penalties to the Member States.

The testing requirements also differ. NIS2 does not prescribe a fixed audit cycle; competent authorities may order regular or targeted security audits as a supervisory measure. DORA is more prescriptive: financial entities must run a digital operational resilience testing programme with annual testing of critical ICT systems, and designated entities must carry out threat-led penetration testing at least every three years. Despite their different scopes, both instruments contribute to making digital systems in the EU more secure.

NIS2 Directive compliance: Key milestones and ongoing requirements

The NIS2 Directive established several crucial compliance milestones. Understanding these deadlines and requirements is essential for maintaining compliance:

Key NIS2 Directive milestones:

  • 17 October 2024. Deadline for Member States to adopt and publish the measures transposing the NIS2 Directive. On the same date the Commission adopted Implementing Regulation (EU) 2024/2690, specifying the technical and methodological requirements for DNS, TLD, cloud, data centre, CDN, managed (security) service providers, online marketplaces, search engines, social networking platforms and trust service providers.
  • 18 October 2024. The national transposing measures apply from this date, and the repeal of Directive (EU) 2016/1148 (the NIS Directive) took effect.
  • 17 April 2025. Deadline for Member States to establish their lists of essential and important entities (Article 3(3)).

Ongoing requirements:

EU-CyCLONe submits reports assessing its work to the European Parliament and the Council every 18 months.

By 17 April 2025 and every two years thereafter, competent authorities notify the Commission and the Cooperation Group of the number of essential and important entities for each sector and sub-sector.

The Commission reviews the functioning of the Directive every 36 months, reporting to the European Parliament and the Council.

NIS2 in 2025 and beyond: What's Next in the Baltics?

The NIS2 Directive is now in full effect, and compliance requirements are being enforced. Organisations across Lithuania, Latvia, and Estonia should have identified whether they fall under the "essential" or "important" categories and implemented the required cyber security measures. National authorities were required to establish their lists of regulated entities by 17 April 2025 and are moving from registration to supervision, auditing and enforcement.

For organisations working to achieve full compliance, establishing incident reporting procedures, securing the supply chain, and ensuring top management is trained and accountable remain critical priorities. Regular updates from national cyber security centers and the EU Cooperation Group continue to guide how enforcement and sector-specific obligations evolve.

Have additional questions about the NIS2 Directive? Do not hesitate to contact our IT consultants today.

What are the penalties for not complying with NIS2?

The NIS2 Directive outlines clear penalties for essential and important entities that do not comply. Penalties can be imposed for things like not meeting security requirements or failing to report incidents. These penalties include:

  • Non-monetary remedies
  • Administrative fines
  • Personal liability of management

The fines differ based on the Member State. Still, the NIS2 Directive sets a minimum list of administrative sanctions for violating cyber security risk management and reporting obligations.

Non-monetary penalties

National supervisory authorities can enforce non-monetary measures. These include issuing compliance orders, providing binding instructions, ordering the implementation of security audits, and issuing threat notifications to entities' customers.

Administrative fines

For the essential entities, encompassing public and private companies in sectors like transport, finance, energy, water, space, health, public administration, and digital infrastructure, authorities can levy a maximum administrative fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.

For important entities, which cover public and private companies in sectors such as foods, digital providers, chemicals, postal services, waste management, research, and manufacturing, authorities can impose a maximum fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Personal liability of management

Redefining where responsibility for cyber security sits, the NIS2 Directive makes top management directly accountable for significant lapses in security. Note that NIS2 itself does not define criminal offences; it requires Member States to lay down effective, proportionate and dissuasive penalties (Article 36), and any criminal sanctions come from national law.

Under Article 32, competent authorities can hold the management body of an essential entity accountable for non-compliance with Articles 20 and 21. The available measures include making the infringement public, ordering the entity to publish the names of the natural persons responsible and the nature of the violation, and, where an essential entity fails to comply with enforcement orders within a set deadline, temporarily prohibiting any natural person with managerial responsibilities at chief executive officer or legal representative level from exercising those functions. These measures ensure that C-level management faces responsibility and deter negligence in managing cyber risks.

While organisations tackle NIS2 Directive compliance, having actionable guidance can ease the process. Let us handle your compliance so you can focus on your business.

Reserve your consultation today, and we will take care of the rest.

FAQ

Is appointing a representative mandatory for non-EU companies operating in the Baltics?

For the service types listed in Article 26(1)(b) of NIS2 (DNS, TLD, domain registration, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines and social networking platforms), yes: a non-EU entity offering such services within the EU must designate a representative in a Member State where the services are offered. This applies in all three Baltic countries.

Do small and medium-sized enterprises (SMEs) fall under NIS2?

Partly. NIS2 applies to medium-sized and large entities (50 or more employees, or annual turnover above EUR 10 million) in the Annex I and Annex II sectors, so medium-sized enterprises are in scope. Micro and small enterprises are generally exempt, but Article 2(2) brings them in regardless of size in specific cases, for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, public administration entities, and entities that are the sole provider of a service essential for critical societal or economic activities in a Member State.

How can organisations in the Baltics check if they are classified as essential or important under NIS2?

Under Article 3(3), each Member State establishes a list of its essential and important entities, but the entity itself is responsible for assessing whether it meets the sector and size criteria and, where national law requires it, for registering with the competent authority. Organisations can consult the national authority (the NCSC in Lithuania, the National Cybersecurity Centre in Latvia, RIA in Estonia) or seek guidance from IT compliance consultants.
