NIS2 Directive Compliance in Lithuania

The NIS2 Directive is the European Union's updated cybersecurity framework enacted to strengthen the security of network and information systems across critical sectors. It expands on the original NIS Directive (2016/1148) with broader scope, stricter requirements, and significantly higher penalties. NIS2 applies to: (1) Essential entities in 11 sectors (energy, transport, water, health, banking, financial markets, DNS/TLD, public administration, space, chemicals, food); (2) Important operators in 7 sectors (digital services, cloud, CDN, managed security providers, social media, online marketplaces, search engines); (3) DNS service providers and critical infrastructure providers regardless of sector. The directive is applicable across all 27 EU member states.

NIS2 applies to two primary categories: (1) Essential entities are large organizations in critical sectors whose failure would significantly impact essential services. Article 2 defines essential entities by sector (Annex I) and size (≥250 employees or €50M annual turnover). Examples: energy utilities, hospitals, banks, airports, national defense networks. (2) Important entities are medium and large organizations (≥50 employees or €10M annual turnover) in sectors listed in Annex II, including digital service providers offering cloud computing, DNS, CDN, managed security, social media, or online marketplaces. Your organization must comply if it fits either category. Most commercial organizations in covered sectors do not qualify for exemptions. If you operate in critical infrastructure or provide digital services at scale, you almost certainly must comply.

NIS2 requires four main compliance areas: (1) ICT Risk Management: Implement policies, procedures, and technical measures to manage cybersecurity risks. This includes asset inventories, vulnerability management, access controls, encryption, incident response plans, and business continuity measures per Article 21 and Annex I. (2) Incident Reporting: Notify your national competent authority within 24 hours of discovering a significant incident; notify affected customers within 72 hours per Article 23. (3) Supply Chain Security: Assess third-party risks, include security clauses in vendor contracts, monitor supplier performance per Article 21. (4) Board Accountability: Senior management (board/executive level) is personally liable for approving cybersecurity measures and ensuring implementation per Article 20. Failure to meet these obligations triggers penalties up to €10M or 2% global revenue.