Lithuania
(a) What is the NIS2 implementation status?
The Ministry of National Defence of the Republic of Lithuania has already started preparations. Currently, the provisions of the NIS2 Directive and their compliance with legal acts are being evaluated and discussed with related institutions of the Republic of Lithuania. In May 2023, together with the responsible ministries, the first phase of identification and classification of essential and important entities was started. During this phase, a list of essential and important entities and entities providing domain name registration services was drawn up.
In December 2023, the Lithuanian Parliament adopted certain amendments to the Law on Cybersecurity. Although the amendments do not transpose the NIS2 Directive, they created legal prerequisites for the further consolidation of Lithuanian cybersecurity and safety legislation and the improvement of legal regulation in order to ensure the integrity of the cybersecurity policy and create legal conditions for the successful transfer of the NIS2 Directive into the national legal system.
(b) What is the envisaged NIS2 implementation timeline?
The Ministry of National Defence of the Republic of Lithuania plans to transpose the provisions of the NIS2 Directive into national law by 17 October 2024 at the latest (21 months after the entry into force of NIS2).
(c) What does the NIS2 mean for other national cybersecurity legislation?
It should be noted that, during the transposition of the NIS2 Directive into national law, additional or stricter provisions may be established in national legal acts. It has been preliminarily established that, due to the entry into force of the NIS2 Directive, it may be necessary to make changes to 11 legal acts and to include other institutions (according to their competencies in electronic communications, personal data protection, crisis management, the financial sector, etc.).
(d) Who will be the supervisory authority and how are they preparing the market?
For now, the question of the supervisory authority is still in the decision phase and is being discussed by the Ministry of National Defence of the Republic of Lithuania. The final decision may be made by January 2024.
(e) What should you be doing/on the lookout for?
As NIS2 has a broader focus, it applies to a wider variety of organizations. This Directive is especially important for companies that offer digital services or are connected to vital EU infrastructure. The NIS2 Directive includes a list of 10 key elements that all companies must address or implement as measures, including incident management, supply chain security, vulnerability management and disclosure, use of cryptography and, where appropriate, encryption.
When it comes to incident reporting, the right balance shall be ensured between the need to report incidents promptly, to prevent their potential spread, and the need to provide comprehensive reporting. The Directive provides for a multi-step approach to incident reporting. Affected companies shall submit an early warning to the CSIRT or competent national authority within 24 hours of first becoming aware of the incident, which would also enable them to request assistance (guidance or operational advice on the implementation of possible risk mitigation measures). After an early warning, an incident report should be submitted within 72 hours of becoming aware of the incident and a final report no later than one month later.
It is important to:
- Assess Cybersecurity Risks
- Implement Risk Management Measures
- Establish Incident Reporting
- Ensure Regulatory Compliance
- Educate and Raise Awareness
Contact
Rimtis Puišys E: rimtis.puisys@eversheds.lt