NIS2 in the Baltics: How Lithuania, Latvia, and Estonia Differ

  • 2025-09-23

The European Union's NIS2 Directive is set to reshape cyber security across all member states, and it has been applicable since October 18, 2024. While its overarching goal is clear (to strengthen resilience against cyber threats), the practical implementation of NIS2 varies from country to country.

For businesses operating across the Baltic region, understanding these differences is crucial. A company that complies with NIS2 in Estonia may face additional obligations in Lithuania or Latvia. This article examines how the three Baltic states are preparing for NIS2, what risks companies face, and why cross-border expertise is essential. 

For example, the requirements of NIS2 in Lithuania are already being translated into national law, creating obligations that differ from those in neighbouring countries. 

Lithuania: early steps, strict enforcement expected 

Lithuania has taken a proactive approach to cyber security regulation. The country already has one of the most developed legal frameworks in the region, shaped by its proximity to geopolitical risks.

- The Lithuanian government is integrating NIS2 into its Law on Cyber Security, expanding the scope of "essential" and "important" entities.

- National regulators are expected to enforce NIS2 strictly, particularly in sectors such as energy, finance, and municipalities. 

- The focus extends not only to IT systems but also to operational technology (OT), encompassing industrial control systems and public utilities. 

For Lithuanian companies, this means early preparation is necessary. Simply waiting until 2025 will not be enough, as audits and penalties are expected to be rigorous. 

Latvia: more fragmented readiness 

Latvia is moving at a different pace. While NIS2 is being transposed into national law, the process has been slower than in Lithuania. 

- Latvian companies face uncertainty over how national regulators will define "important entities."

- Some obligations may be lighter in the short term, but the EU deadline of January 2026 applies equally. 

- Many organisations in Latvia are still at the awareness stage, focusing on training and basic risk assessments rather than full compliance programs. 

For this reason, understanding the specific obligations of NIS2 in Latvia is essential, as companies cannot rely solely on EU-level guidance. 

Estonia: strong digital foundations, but new obligations 

Estonia, often seen as the digital leader of the region, has robust e-government and cyber security systems already in place. However, NIS2 still introduces new challenges:

- Expansion of scope. Mid-sized IT service providers, cloud companies, and digital platforms will now fall under regulation. 

- Stricter incident reporting timelines. Even Estonian firms accustomed to high cyber standards must adapt to the 24–72 hour notification window. 

- Increased focus on supply chain security. Many Estonian start-ups rely on global vendors, which must now meet NIS2 standards. 

Estonia's advanced digital ecosystem is an advantage, but it also means companies face higher expectations from regulators and partners. 

Key differences across the Baltics 

While NIS2 sets a common EU framework, three differences stand out in the Baltics: 

Speed of implementation 

- Lithuania: fast and strict. 

- Latvia: slower, still defining scope. 

- Estonia: balanced, but with high expectations. 

Sector focus 

- Lithuania emphasises critical infrastructure and municipalities. 

- Latvia focuses more on financial services and telecoms. 

- Estonia targets digital services and cloud providers. 

Regulatory culture 

- Lithuania: strong enforcement and high penalties expected. 

- Latvia: more fragmented but catching up. 

- Estonia: mature digital governance, but stricter supply chain oversight. 

The risk of non-compliance 

The financial penalties under the NIS2 Directive are severe:

- Up to €10 million or 2% of global turnover for essential entities. 

- Up to €7 million or 1.4% of global turnover for important entities. 

But beyond fines, the reputational risks are equally damaging. A single unreported incident can erode client trust across the region. 

Case in point: a regional logistics provider 

Consider a logistics company with operations in all three Baltic states. 

- In Lithuania, it must implement a strict incident response plan and ensure municipal partners comply with NIS2. 

- In Latvia, there is uncertainty about whether it will be classified as an "important entity," which complicates its planning. 

- In Estonia, it must audit its global IT vendors to comply with supply chain security requirements. 

Without a coordinated strategy, the company risks gaps in compliance and exposure to penalties in each jurisdiction. 

Why does a cross-border IT partner matter?

This is where regional expertise becomes essential. An IT partner with presence and experience in all three countries can help businesses: 

- Assess gaps across Lithuania, Latvia, and Estonia. 

- Develop a single compliance framework that meets all national requirements. 

- Train management boards to handle their new responsibilities under NIS2. 

- Audit supply chains and update contracts to include security clauses. 

With over three decades of digital expertise, Baltic Amadeus has extensive practical experience across the entire Baltic region, helping companies prepare for NIS2, regardless of their jurisdiction. 

Frequently asked questions 

➤ Does NIS2 apply equally to small and large companies? 

Yes, if they operate in regulated sectors. Mid-sized digital service providers will now be included. 

➤ How fast must incidents be reported? 

Within 24–72 hours, depending on severity. 

➤ Will national regulators differ in enforcement? 

Yes. Lithuania is likely to be the strictest, Latvia is slower to enforce, and Estonia is focused on digital providers. 

➤ Can ISO 27001 certification ensure compliance? 

Not fully. It helps, but NIS2 requires additional measures such as board-level accountability and supply chain oversight. 

One directive, three paths to compliance

The NIS2 Directive is a regional challenge. Companies operating in the Baltics must navigate three slightly different regulatory environments.

In Lithuania, early and strict enforcement is expected. In Latvia, uncertainty remains, but obligations will tighten by 2026. In Estonia, mature digital systems mean higher expectations. 

What unites the region is the need for practical, IT-driven compliance. Companies that prepare now will avoid penalties, protect their reputation, and strengthen their position in a competitive digital economy.