A complete guide for the NIS2 Directive

2024 01 02 · 10 min read

In 2024, European organisations are sharpening their focus on cyber security as the NIS2 Directive is transposed into national law across the EU. With the transposition deadline set for 17 October 2024, this guide gives a thorough overview of the NIS2 Directive so that your organisation is ready on time.

In this blog post, we go through the key aspects of the NIS2 Directive, its significance, compliance requirements, impacted sectors and entities, and what actions every organisation can take.

What is the NIS2 Directive?

The NIS2 Directive (Directive (EU) 2022/2555), the second Network and Information Systems Directive, is an EU legislative framework that raises the common level of cyber security across Member States.

It entered into force on 16 January 2023. As a directive, it does not apply directly: each Member State must transpose it into national law by 17 October 2024, and entities that fall within its scope need to align with the resulting national requirements from that date.

Why was the NIS2 Directive initiated?

The original NIS Directive (Directive (EU) 2016/1148) was adopted by the European Parliament and the Council of the European Union on 6 July 2016. It aimed to establish a common baseline of cyber security preparedness across EU Member States.

Drawing on the shortcomings of the first NIS Directive (uneven transposition, a narrow scope and inconsistent supervision), the Commission proposed NIS2 in December 2020, and it entered into force on 16 January 2023. It continues and expands its predecessor: operators of critical infrastructure and essential services must implement cyber security risk management measures and report significant incidents to the competent authorities. Compared to NIS, NIS2 widens the scope to more sectors and organisations EU-wide, adds explicit supply chain security requirements, harmonises incident reporting with fixed deadlines, and introduces stricter supervision and minimum levels of sanctions throughout Europe.

How do you prepare for the NIS2 Directive?

As the NIS2 Directive deadline approaches, applicable organisations must take steps to prepare for compliance. This includes:

  • Check if your organisation comes under the directive and identify the affected units; 
  • Review current security measures, update security policies, and strategise for NIS2 compliance;
  • Integrate new security measures and ensure incident reporting obligations extend to the supply chain; 
  • Collaborate with an IT partner who can help you prepare for NIS2 Directive compliance by adopting needed security measures.

Unsure where to begin with NIS2 Directive compliance? Book a consultation with our cyber security experts for guidance.

What aspects of organisations does the NIS2 Directive cover?

Aiming to strengthen the EU’s ability to tackle existing and future cyber threats, the NIS2 Directive brings new rules for organisations in several key areas. The main requirement areas include:

  • Risk management. Article 21 requires entities to take appropriate and proportionate technical, operational and organisational measures. These include policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and multi-factor or continuous authentication where appropriate;
  • Corporate accountability. Under Article 20, management bodies must approve the risk management measures, oversee their implementation and follow cyber security training; they can be held liable for infringements. For essential entities, authorities can request a temporary ban on the responsible individuals from exercising managerial functions;
  • Reporting obligations. Both essential and important entities must notify their CSIRT or competent authority of incidents that have a significant impact on their services or recipients. Article 23 sets staged deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month, with intermediate updates on request;
  • Business continuity. NIS2 requires entities to plan how to keep services running during major cyber incidents, including backup management, disaster recovery and crisis management procedures, with a designated crisis response team.

NIS2 Directive in the Baltic Region

NIS2 in Lithuania 

In Lithuania, the National Cyber Security Centre (Nacionalinis kibernetinio saugumo centras, NKSC) under the Ministry of National Defence is the competent authority for NIS2 and also operates the national CSIRT that receives incident notifications. Lithuanian entities classified as essential or important should align with the requirements of the amended Law on Cyber Security and the guidance published by the NKSC.

NIS2 in Latvia 

In Latvia, the National Cybersecurity Centre (Nacionālais kiberdrošības centrs) under the Ministry of Defence (Aizsardzības ministrija) is the competent authority, and CERT.LV acts as the national CSIRT that receives incident notifications. NIS2 was transposed by the National Cybersecurity Law, which took effect on 1 September 2024; Latvian organisations falling under it must follow its risk management and incident reporting requirements.

NIS2 in Estonia 

In Estonia, the Information System Authority (Riigi Infosüsteemi Amet, RIA) supervises NIS2 compliance through its Cyber Security Centre, and CERT-EE, part of RIA, is the national CSIRT that receives incident notifications. Entities should follow RIA’s security guidance and the reporting obligations under the Cybersecurity Act (Küberturvalisuse seadus).

In what sectors does the NIS 2 Directive apply? 

The NIS Directive of 2016 covered seven sectors. NIS2 replaces that list with two annexes: Annex I lists sectors of high criticality, and Annex II lists other critical sectors. Whether a given organisation is an essential or an important entity depends on both its sector and its size: large entities in Annex I sectors are generally essential, while medium-sized entities in Annex I sectors and entities in Annex II sectors are generally important. Let us explore the impacted sectors below.

Annex I: sectors of high criticality (essential entities)

  • Energy. Electricity, district heating and cooling, oil, gas and hydrogen operators are critical infrastructure and attractive targets, so NIS2 imposes specific requirements to safeguard their networks and information systems;
  • Transport. Air, rail, water and road transport operators, including airports, railway infrastructure managers, ports and intelligent transport systems, are foundational to modern society and must protect against cyber threats;
  • Banking and financial market infrastructures. Credit institutions, trading venues and central counterparties are crucial to the EU economy; in practice their ICT risk requirements are governed by DORA, which takes precedence over NIS2 for financial entities;
  • Health. Healthcare providers, EU reference laboratories, manufacturers of medical devices and of pharmaceutical preparations, and entities researching and developing medicinal products play a pivotal role in EU society;
  • Drinking water and waste water. Disruption of water supply or waste water treatment could have severe consequences, so protective measures are emphasised to ensure uninterrupted services;
  • Digital infrastructure and ICT service management. Public electronic communications networks and services, DNS service providers, TLD name registries, data centres, cloud computing and content delivery network providers, trust service providers, and business-to-business managed (security) service providers form the foundation every other sector depends on;
  • Public administration. Central government entities, and regional ones where a Member State so decides, provide critical services such as social services and public safety and must secure their systems against cyber threats;
  • Space. Operators of ground-based infrastructure supporting space-based services must safeguard sensitive data and critical systems.

Annex II: other critical sectors (important entities)

  • Digital providers. Online marketplaces, online search engines and social networking platforms are vital to secure online interactions in the digital age;
  • Postal and courier services. Growing reliance on digital systems exposes the sector to cyber threats, making protective measures essential;
  • Waste management. Operators whose principal activity is waste management face cyber threats to critical operations and must adopt protective measures;
  • Chemicals. Manufacturers, producers and distributors of chemicals must implement measures to mitigate cyber threats;
  • Food. Wholesale producers, processors and distributors of food face growing vulnerability in a digitised environment;
  • Manufacturing. Manufacturers of medical devices, computers, electronics, electrical equipment, machinery, motor vehicles and other transport equipment face heightened cyber security risks;
  • Research. Research organisations must safeguard valuable data and critical systems.

What about the entities outside the EU? 

Under Article 26 (Jurisdiction and territoriality), most entities fall under the jurisdiction of the Member State in which they are established. For the digital services listed in Article 26(3), namely DNS service providers, TLD name registries, domain name registration service providers, cloud computing, data centre and content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking platforms, an entity that is not established in the EU but offers services within it must designate a representative established in one of the Member States where it offers those services.

Such an entity is deemed to fall under the jurisdiction of the Member State where its representative is established. If no representative has been designated, any Member State in which the entity provides services may take legal action against it for infringing the NIS2 Directive.

What is common between NIS2 Directive and DORA?

The NIS2 Directive and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) both aim to raise cyber resilience in the European Union, but with different focal points. NIS2 harmonises cyber security requirements across the sectors critical to society, with a strong emphasis on supply chain security. DORA targets the financial sector specifically and focuses on the operational resilience of financial entities’ ICT systems. Where both could apply, DORA takes precedence: under Article 4 of NIS2, financial entities covered by DORA follow DORA’s ICT risk management and incident reporting rules instead of the corresponding NIS2 provisions, and their financial supervisors rather than the NIS2 authorities oversee them. NIS2 prescribes minimum levels for maximum administrative fines, while DORA leaves the penalty regime to Member States.

Supervision differs as well. NIS2 does not fix an audit cadence; it lets national authorities carry out regular and targeted audits of essential entities and act on evidence of infringements by important entities. DORA is more prescriptive: financial entities must run a digital operational resilience testing programme with annual testing of critical ICT systems, and the larger ones must undergo threat-led penetration testing at least every three years. Despite their different scope, the directive and the regulation together make digital systems more secure in the EU.

Timeline for the NIS2 Directive compliance

The NIS2 Directive sets several crucial deadlines for compliance. These deadlines, ranging from adoption and application to periodic reviews, outline the timeline for implementing and assessing the directive’s measures.

Key NIS2 Directive deadlines:

  • July 17, 2024, and every 18 months after that. EU-CyCLONe submits reports assessing its work to the European Parliament and the Council;
  • October 17, 2024. Member States must adopt and publish the measures transposing the NIS2 Directive. By the same date, the Commission adopts implementing acts specifying technical and methodological requirements for DNS, TLD, cloud, data centre, content delivery, managed service, online platform and trust service providers;
  • October 18, 2024. The national transposing measures apply, and the repeal of Directive (EU) 2016/1148 (the NIS Directive) takes effect;
  • January 17, 2025. The Cooperation Group establishes the methodology and organisational aspects of peer reviews;
  • April 17, 2025. Member States establish a list of essential and important entities, including domain name registration service providers;
  • April 17, 2025, and every 2 years thereafter. Competent authorities notify the Commission and the Cooperation Group of the number of essential and important entities for each sector;
  • October 17, 2027, and every 36 months after that. The Commission reviews the functioning of the Directive and reports to the European Parliament and the Council.

NIS2 in 2025: What’s Next in the Baltics? 

As of 2025, the NIS2 Directive is in full effect, with the transposition deadline of 17 October 2024 already passed. Not every Member State met that deadline, so check the status of the national law in each country you operate in. By now, organisations across Lithuania, Latvia and Estonia should have identified whether they fall under the “essential” or “important” categories and implemented the required cyber security measures. National authorities had to establish their lists of essential and important entities by 17 April 2025 and are expected to begin auditing, monitoring and enforcing compliance throughout the year. For organisations that are late to comply, 2025 is a critical year to catch up – from establishing incident reporting procedures to securing the supply chain and ensuring top management is trained and accountable. Regular updates from the national cyber security centres and the EU Cooperation Group will guide how enforcement and sector-specific obligations evolve going forward.

Have additional questions about the NIS2 Directive? Do not hesitate to contact our IT consultants today.

What are the penalties for not complying with NIS2?

The NIS2 Directive outlines clear penalties for essential and important entities that do not comply. Penalties can be imposed for failing to implement the required risk management measures or failing to report incidents. They include:

  • Non-monetary remedies; 
  • Administrative fines; 
  • Management liability (and, where national law provides for them, criminal penalties). 

The fines will differ based on the Member State. Still, the NIS2 Directive sets a minimum list of administrative sanctions for violating cyber security risk management and reporting obligations.

Non-monetary penalties 

As the NIS2 Directive becomes law, national supervisory authorities can enforce non-monetary measures. These include issuing compliance orders, providing binding instructions, ordering the implementation of security audits, and issuing threat notifications to entities’ customers.

Administrative fines

For essential entities, covering public and private organisations in Annex I sectors such as transport, banking, energy, water, space, health, public administration and digital infrastructure, authorities can levy a maximum administrative fine of at least €10,000,000 or 2% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher. 

For important entities, covering public and private organisations in Annex II sectors such as food, digital providers, chemicals, postal services, waste management, research and manufacturing, authorities can impose a maximum fine of at least €7,000,000 or 1.4% of the total worldwide annual turnover in the preceding financial year, whichever is higher. 

Management liability 

Rather than leaving cyber security to the IT department alone, the NIS2 Directive makes top management directly accountable for significant lapses in security. Article 20 allows Member States to hold members of management bodies liable for infringements of the risk management obligations.

In addition to fines, Article 32 lets supervisory authorities order an entity to make aspects of an infringement public and, for essential entities where earlier enforcement measures have proved ineffective, to request that the chief executive or legal representative be temporarily prohibited from exercising managerial functions until the infringement is remedied. NIS2 itself imposes administrative rather than criminal penalties; criminal sanctions, where they exist, come from national law. Together these measures ensure that C-level management bears responsibility and deter negligence in managing cyber risks.

While organisations tackle NIS2 Directive compliance, having actionable guidance can ease the process. Let us handle your compliance so you can focus on your business.

Reserve your consultation today, and we will take care of the rest.

FAQ

Who is affected by NIS2 in Lithuania, Latvia, and Estonia?

NIS2 applies to public and private entities deemed essential or important, including critical infrastructure operators, digital service providers, and public administration bodies. Each country defines its own list of affected entities based on the Directive.

What are the main requirements of NIS2 for organisations in the Baltics?

The core requirements include implementing risk management practices, reporting significant cyber incidents, ensuring business continuity, and holding top management accountable for cyber security practices.

When does NIS2 come into force in Lithuania, Latvia, and Estonia?

The Directive must be transposed into national law by October 17, 2024, and enforcement begins the following day, October 18, 2024.

How can organisations in the Baltics check if they are classified as essential or important under NIS2?

Each national authority will publish a list of entities based on the Directive. Organisations can consult their local authority or seek guidance from IT compliance consultants.

Do small and medium-sized enterprises (SMEs) fall under NIS2?

NIS2 applies a size cap. Entities in the listed sectors that are at least medium-sized (roughly, 50 or more employees, or annual turnover and balance sheet above €10 million) are in scope, so many medium-sized enterprises are covered even though they count as SMEs. Small and micro enterprises are generally out of scope, with exceptions such as trust service providers, TLD name registries, DNS service providers, public electronic communications providers, sole providers of a service essential to society, and certain public administration entities.

Is appointing a representative mandatory for non-EU companies operating in the Baltics?

Only for the digital services listed in Article 26(3) of NIS2 (DNS, TLD registry, domain registration, cloud, data centre, content delivery, managed service, managed security service, online marketplace, search engine and social networking providers). Such a provider that is not established in the EU but offers services here must designate a representative in one of the Member States where it offers those services; Lithuania, Latvia and Estonia all qualify. Other non-EU companies are covered, if at all, through their EU establishments.

Let’s work together

Want to discuss potential opportunities? Pick the most suitable way to contact us.

Book a call

+370 5 2 780 400
info@ba.lt
