Lawyer’s insights on NIS2 Directive
Kristina Kirkliauskaite

2024 marks a significant milestone in cyber security with the implementation of the Network and Information Systems Security Directive (NIS2), aimed at enhancing the European Union’s resilience against cyber threats. NIS2 introduces stricter security standards and new compliance requirements for organisations.

So, what does this mean for businesses classified as cyber security subjects?

Stasys Drazdauskas, a legal expert from the international law firm Sorainen, shares his insights on the topic. In this interview, we explore how companies interpret the NIS2 Directive, their challenges, and the steps they take to ensure long-term compliance.

Preparation for the NIS2 Directive

The NIS2 Directive was implemented in Lithuania this year, when the amendments to the Law on Cybersecurity came into force on 18 October. It marks an important step in enhancing cyber security across the EU. While the original NIS Directive, effective in 2016, targeted essential sectors like energy, transport, finance, healthcare, public administration, media, and water supply, NIS2 broadened its scope considerably. It now includes additional sectors such as digital services, postal and courier services, waste management, space, food production, manufacturing, chemicals, and research.

With its expanded coverage, the NIS2 Directive applies to a broader range of cyber security subjects. This creates varying levels of preparedness and understanding among organisations.

Discussing these challenges, S. Drazdauskas observes:

“Although the NIS2 Directive has already entered into force, many organisations are still in the early stages of assessing how these changes will impact their operations. The level of understanding varies significantly depending on the company’s size and sector. Businesses not previously subject to cyber security requirements are now actively exploring whether they fall under the NIS2 Directive and what steps they must take to comply. Meanwhile, larger and better-resourced companies, e.g., those operating in critical infrastructure sectors, have already begun their preparations. These organisations understand that compliance with the Directive is not only a legal obligation but also crucial for ensuring business continuity and security.”

This variation in readiness underscores the importance of early action. Organisations that delay their preparations may face significant hurdles, potentially compromising operational resilience and legal compliance.
