MANAGEMENT BEWARE:
The new Lithuanian Law on Cybersecurity places a high level of responsibility, as well as liability, on company management bodies
1. Today the amended ‘Lithuanian Law on Cybersecurity’ enters into force
The amended regulation implements the EU NIS2 ‘Directive on Cybersecurity’ in Lithuania and introduces strict cybersecurity requirements for certain companies.
2. What does this mysterious ‘NIS 2’ stand for?
‘NIS 2’ stands for the European Union’s 2022 ‘Network and Information Security’ directive, which aims to ensure more secure business operations at companies that, by their size and importance, matter to the national economy and to national security.
3. Is it important for me to know about it?
Check whether your company may be affected by NIS2 cybersecurity requirements in Lithuania.
4. Which companies are affected by NIS2?
NIS 2 distinguishes between two levels of companies: i) essential and ii) important entities, based on their size and the sector in which they operate.
Sectors which are especially affected include the following:
- energy
- transport
- banking
- financial markets and infrastructure
- health
- drinking water, wastewater
- digital infrastructure
- outsourced ICT services
- public administration
- space-based services
But also included are companies which operate in the following areas:
- postal and courier services
- waste management services
- chemical production and distribution
- food production, processing, and distribution
- manufacturing:
  - medical devices and in-vitro diagnostic medical devices
  - computer, electronic, and optical products
  - electrical equipment
  - machinery and equipment which is not specified elsewhere
  - motor vehicles, trailers, and semi-articulated trailers
  - other means of transportation
Check in more detail whether you must comply with the requirements of the new cybersecurity regulation if your company meets the following criteria:
- it has a workforce of more than 50 employees
- it has an annual net turnover which exceeds €10 million
- it operates in one of the aforementioned sectors.
5. Supply chain companies:
My company is not that big or does not directly operate in one of the aforementioned sectors, but it does supply one of the NIS2 entities …
If your customers or business partners are likely to be classified as important or essential NIS2 entities, they must ensure the cybersecurity of their supply chain. This means that their new cybersecurity measures will also have to be implemented, to a certain extent, within your company if you want to cooperate with them in future. Your company will therefore probably have to comply, to a certain extent, with NIS 2 requirements and provide contractual guarantees of compliance.
This is especially important within the framework of public procurement.
6. My company is already ISO 27001 certified. May I rely on that?
Please note that even if your company is certified for ISO 27001, this will cover only about 70% of NIS 2 requirements. Therefore, a degree of analysis is required to discover precisely what may be needed in addition.
7. What do I need to do first?
- understand whether your company may be affected by NIS2: you can contact us and we will help you to become fully orientated
- if you could be affected, you will need to check your current cybersecurity status: together with our cooperation partner, Centric IT Solutions, we will provide you with an assessment survey and help you discover where your company stands right now
- plan for the implementation of NIS2 requirements: we will support you when it comes to identifying which departments and activities are to be included in any further processes
- get the first training for your company’s management team and leading employees in order to raise awareness: together with Centric IT Solutions we will assist you in raising cybersecurity awareness by providing education on NIS2 processes and risk.
8. Why should I take it all seriously?
As it is a different beast from ISO 27001, the ‘Lithuanian Law on Cybersecurity’, as well as EU NIS2, can levy not only heavy fines but also further sanctions against the operation and management of affected companies.
Depending on whether your company is an important or an essential entity, possible fines could amount to €7 million or 1.4% of worldwide annual turnover (important entities) or €10 million or 2% of worldwide annual turnover (essential entities).
In addition, administrative fines could be imposed upon the company’s manager under Lithuanian law.
In the case of serious infringements, Lithuanian courts could temporarily suspend the business activities of essential entities and temporarily remove managers from their functions.
9. How can we support you?
Our experts at bnt attorneys in CEE Vilnius will be at your service any time you need to gain more clarity about whether your company needs to delve deeper into NIS2, and how you can most effectively start the process.
We closely cooperate with Centric IT Solutions, a company which focuses on the technical implementation of NIS 2.
Therefore you need only contact one person for both legal and technical consultation, and we will coordinate both fields for you, thereby reducing your administrative burden when dealing with separate technical and legal service providers.
We will be happy to arrange a joint meeting (whether online or in person) in order to discuss specific steps and measures which are tailored to your company.
Follow us via our LinkedIn profile to remain regularly updated with news, important facts, and recommendations regarding NIS2 in Lithuania.