The EU’s NIS2 directive, aimed at strengthening cyber security across critical and important sectors, is reshaping compliance requirements for organisations throughout Europe. But in the Baltic region, implementation is progressing at a very different speed.
Lithuania has already transposed NIS2 into its national Cyber Security Law, while Latvia is still refining its legislation, and Estonia has yet to adopt it. This fragmented rollout creates both legal and operational challenges, especially for companies working across borders. We sat down to talk to Raimondas Andrijauskas, Legal Expert at the law firm WALLESS.
‘Lithuanian businesses are already adapting, while in Latvia there’s a tendency to wait for final rules, and in Estonia some requirements don’t even exist yet,’ notes Raimondas Andrijauskas. ‘That means a company fully compliant in one country could still be exposed through suppliers in a less-prepared jurisdiction.’
NIS2 does not just target the organisations it directly covers – its impact extends throughout the supply chain. Entities within scope must assess and manage third-party risk, often passing the same security obligations on to their suppliers via contracts.
‘Even if you’re not directly covered by NIS2, you may still have to meet equivalent standards to keep working with certain clients. We already see suppliers voluntarily implementing measures simply because their customers demand it’, Andrijauskas explains.
This interconnectedness means that a Latvian or Estonian supplier without formal obligations could become the weak link for a Lithuanian business that has invested heavily in NIS2 compliance.
While the core requirements align with international information security standards such as ISO/IEC 27001, there are national variations. Estonia’s draft law, for example, proposes mandatory ISO certification for healthcare providers. Lithuania has introduced transitional periods of up to two years for organisations to fully comply – with the first year dedicated to organisational requirements such as policies, procedures, and designated responsibilities, and the second year focused on implementing technical safeguards.
In Estonia and Latvia, these timelines have not even started; the two-year compliance window will begin only once NIS2 is transposed into national law. This gap creates a potentially false sense of security. As Andrijauskas warns, NIS2 obligations can still be enforced if a serious cyber incident occurs before national rules are finalised. In such cases, supervisory authorities will launch an investigation to assess whether the organisation was adequately prepared.
‘If a post-incident review finds you were unprepared – lacking documented procedures, implementation records, or technical safeguards – the consequences can be severe’, he notes. ‘We are talking about significant fines and, in some cases, personal liability for directors’.
These differences matter for businesses operating regionally. ‘If your main clients are in Lithuania but your company is in Estonia, don’t wait for your national rules to be finalised. Adopt recognised international standards now – it’s the safest way to meet varying expectations and reduce legal exposure’, advises Andrijauskas.
At present, supervisory bodies in the Baltics are at different stages of readiness. Lithuania’s National Cyber Security Centre has long-standing experience but has recently limited proactive document reviews. Latvia’s authority was only set up in September 2024, while Estonia’s is still forming its cyber security division.
Enforcement, therefore, is likely to focus on post-incident investigations rather than routine inspections – at least initially. This does not reduce the stakes: the NIS2 Directive introduces significant fines and makes company directors personally responsible for compliance. In Europe, similar regimes have already led to both corporate and personal penalties.
The NIS2 Directive generally applies to organisations with more than 50 employees or an annual turnover above €10 million. However, Raimondas Andrijauskas notes that the scope is not set in stone. National supervisory authorities, such as Lithuania’s National Cyber Security Centre, can extend NIS2 obligations to smaller entities if they play a critical role in the security of essential services. This means that even micro or small companies – if they operate in sensitive sectors or provide crucial services to larger regulated entities – could find themselves subject to the same requirements.
‘This is where some businesses get caught by surprise’, says Andrijauskas. ‘You might think you’re “too small” for NIS2, but if you’re an important cog in the supply chain, you could still be invited – formally – to comply’. Such an invitation is not optional; once issued, the organisation is expected to meet all relevant requirements, from appointing a security officer to implementing technical and organisational safeguards.
Importantly, the cost argument alone is unlikely to exempt companies that meet the size or turnover criteria. NIS2 obligations are the same whether compliance is inexpensive or demands substantial investment. As Andrijauskas points out, ‘Yes, the requirements are costly, but the fines for non-compliance, or the loss of business after an incident, can be far more damaging’. With transitional periods offering some breathing room, he advises businesses – large or small – to begin preparing early rather than risk scrambling to meet obligations under pressure.
The uneven pace of NIS2 implementation in the Baltics may tempt some companies to delay preparation – but that is a risky strategy. The NIS2 Directive’s obligations can be enforced even before national laws are finalised, and contractual requirements from clients can arrive much sooner. ‘The cost of preparation is significant, but the cost of non-compliance – in fines, lost business, and reputational damage – can be far higher’, summarises Andrijauskas.
Thank you for the interview, Raimondas!