Lawyer’s insights on NIS2 Directive

2025 01 07 · 7 min read

2024 marks a significant milestone in cyber security with the implementation of the Network and Information Systems Security Directive (NIS2), aimed at enhancing the European Union’s resilience against cyber threats. NIS2 introduces stricter security standards and new compliance requirements for organisations.  

So, what does this mean for businesses considered as cyber security subjects?   

Stasys Drazdauskas, a legal expert from the international law firm Sorainen, shares his insights on the topic. In this interview, we explore how companies interpret the NIS2 Directive, their challenges, and the steps they take to ensure long-term compliance.  

Preparation for the NIS2 Directive  

The NIS2 Directive was transposed in Lithuania this year: on 18 October, the amendments to the Law on Cybersecurity came into force. It marks an important step in enhancing cyber security across the EU. While the original NIS Directive, adopted in 2016, targeted a limited set of essential sectors such as energy, transport, banking and finance, healthcare, drinking water supply and digital infrastructure, NIS2 broadens the scope considerably. It now also covers public administration and sectors such as digital services, postal and courier services, waste management, space, food production, manufacturing, chemicals and research.

With its expanded coverage, the NIS2 Directive applies to a broader range of cyber security subjects. This creates varying levels of preparedness and understanding among organisations.   

Discussing these challenges, S. Drazdauskas observes:   

“Although the NIS2 Directive has already entered into force, many organisations are still in the early stages of assessing how these changes will impact their operations. The level of understanding varies significantly depending on the company’s size and sector. Businesses not previously subject to cyber security requirements are now actively exploring whether they fall under the NIS2 Directive and what steps they must take to comply. Meanwhile, larger and better-resourced companies, e.g., those operating in critical infrastructure sectors, have already begun their preparations. These organisations understand that compliance with the Directive is not only a legal obligation but also crucial for ensuring business continuity and security.”   

This variation in readiness underscores the importance of early action. Organisations that delay their preparations may face significant hurdles, potentially compromising operational resilience and legal compliance.    

Challenges in implementing the NIS2 Directive   

The NIS2 Directive introduces more stringent cyber security requirements, covering risk management measures, technical and organisational safeguards, and incident response and recovery plans. For example, organisations must report significant incidents, i.e. those capable of severely disrupting their services, in stages: an “early warning” within 24 hours of becoming aware of the incident, a more detailed incident notification within 72 hours of becoming aware of it, and a final report no later than one month after the incident notification.

Although NIS2 sets common standards, the compliance process is heavily influenced by the nature of the organisation’s operations and the digital solutions used.  

In terms of potential challenges in implementing the Directive’s requirements, Drazdauskas mentions:  

“NIS2 requirements are the same for all sectors. However, the particular application of the NIS2 Directive will depend more on the specifics of a company’s activities and systems used. For example, organisations that operate manufacturing or energy facilities and use automated management systems will face different security requirements compared to the challenges for companies dealing with large volumes of data or managing data warehouses.”  

The legal expert also singles out the public sector:  

“We often hear at events that the public sector will be the most challenged, in particular in the areas of health, education, local government and public administration. Many people still remember the cyber incidents in Lithuanian municipalities, which exposed the vulnerability of these areas. Public sector organisations will not only have to devote significant resources but will also have to plan and budget carefully to comply with the Directive.”

Despite the different challenges, organisations in all sectors share the same goal – not only to meet the requirements of the Directive but also to ensure that their operations are secure in the long term.  

The transition period after entry into force of NIS2   

Following the entry into force of the NIS2 Directive, the National Cyber Security Centre (NCSC) register will play an important role in Lithuania, identifying organisations to be considered as cyber security subjects. This process aims to ensure that all companies included comply with the requirements of the NIS2 Directive.  

The legal expert comments:

“Organisations included in the NCSC register will have a 12-month transition period during which they will be required to fully implement the requirements of the NIS2 Directive. This will allow companies to prepare and make the necessary changes to meet all security standards. This period also gives organisations the opportunity to assess their existing security processes, implement new technologies and train their staff to ensure compliance with the Directive’s cyber security requirements. However, while this transition period provides some flexibility, organisations should pay close attention to adequate preparation as early as possible to avoid potential legal and operational disruptions in the future.”   

Drazdauskas also highlights:  

“The NCSC plans to add organisations to the register in phases to avoid congestion. It means that some companies may receive notifications earlier than others, so the lead time will vary. Imagine if all of the several thousand entities were listed at the same time in April. It would be difficult for the NCSC to manage the flow. It is likely that some organisations will learn of their inclusion earlier.”

This timing is critical to avoid haste and chaos when implementing the changes. Organisations that wait until the end of the registration process risk being unprepared.  

Supply chain risks and nuances  

The NIS2 Directive highlights the importance of strengthening an organisation’s internal processes and fostering robust cooperation with external partners. Cyber security is now a two-way process, demanding coordinated efforts within an organisation and across its supply chain.  

Discussing the risks associated with cyber security entities and their supply chains, legal expert S. Drazdauskas explains:  

“If a client is a cyber security entity, it will have to require its suppliers to meet stringent security standards to safeguard its data and systems. Suppliers who have not yet begun implementing the NIS2 Directive’s requirements will face significant pressure to align with these higher standards. Conversely, suppliers already compliant with NIS2 can leverage this as a competitive advantage. Compliance enhances their credibility and trustworthiness in the market while also helping to establish long-term, secure relationships with customers who prioritise strong cyber security practices.”  

Drazdauskas also stresses the importance of continuous monitoring of the supply chain:    

“Organisations will be required to review their supply chain management processes as part of the implementation of the NIS2 Directive to ensure that all external suppliers and service providers comply with stringent cyber security requirements. It will include revising the contracts to embed the responsibility of suppliers to implement security measures.”   

S. Drazdauskas goes on to say:   

“In addition, organisations will need to implement clear policy guidelines and procedures to ensure that members of the supply chain are compliant at all times. This will be an important step towards protecting the organisation’s information assets and preventing potential threats arising from inconsistent security practices on the part of service providers.”  

This is not a one-off process. Cyber security requires constant monitoring, adaptation and continuous assessment of new risks. The NIS2 Directive marks a new milestone in cyber security, obliging organisations to meet higher standards and rethink how they operate. Compliance with this Directive is not just a formal requirement but an investment in long-term business continuity and competitive advantage.   

Thank you for the insights, Stasys! 
