
From Bronze Night to NIS2: How the Baltics Are Implementing the EU’s New Cybersecurity Regime 
13 June 2025, News

In April 2007, Estonia made global headlines — not for a military conflict or natural disaster, but for one of the first coordinated large-scale cyberattacks against a nation-state. Sparked by the relocation of a Soviet-era war memorial in Tallinn (known as the Bronze Night), the country’s digital infrastructure was flooded with denial-of-service attacks. Government websites, banks, media outlets, and essential services were knocked offline. It was a wake-up call: digital threats could now paralyze a country just as effectively as tanks and missiles. 

Fast forward to 2025, and the legal response to cybersecurity has evolved dramatically. On June 11, the Baltic law firm WIDEN Legal hosted a webinar titled “NIS2 Uncovered: The New Cybersecurity Rulebook for Businesses” to help companies navigate the practical implications of the directive. The session featured a cross-Baltic team of specialists: Asta Macijauskienė (Lithuania) introduced NIS2 and covered cybersecurity risk measures; Anete Bože (Latvia) explained how essential and important entities are defined and listed; Henri Ratnik (Estonia) clarified the strict incident notification obligations; and Rauno Kinkar (Estonia) presented the range of enforcement powers and penalties. Together, they broke down a complex legal framework into actionable steps for legal, compliance, and IT professionals alike. 

What NIS2 Changes 

NIS2 significantly expands the list of organizations that fall in scope when it comes to cybersecurity regulation. The days when only telecoms and energy companies were considered “critical” are over. The new directive now applies to a broad range of sectors, including: 

  • Digital infrastructure (cloud platforms, DNS, CDNs) 
  • Banking and financial services 
  • Healthcare and water services 
  • Public administration 
  • Space, food, manufacturing, and even research 

But it’s not just about sector – it’s about criticality and risk. NIS2 introduces two categories of regulated organizations: 

  • Essential Entities: typically larger or more vital organizations, subject to tighter rules. 
  • Important Entities: smaller but still high-impact firms, also within scope. 

In other words, even a medium-sized SaaS startup, logistics firm, or payment processor might now be legally obligated to meet strict cybersecurity requirements — if its service is seen as socially or economically critical. 

Baltic Implementation: A Patchwork in Progress 

While NIS2 is an EU directive, it must be transposed into national law by each Member State. As of mid-2025: 

  • Latvia has adopted its national law, the Kiberdrošības likums, with various extensions. For example, all electronic communications businesses are classified as essential entities, regardless of size. 
  • Lithuania has implemented NIS2 across more than 20 legal acts and imposes contractual cybersecurity requirements on vendors working with essential service providers. 
  • Estonia, despite its cybersecurity leadership, has not yet formally adopted national legislation. Transposition is still underway. 

This divergence matters. While the core requirements covering risk management and incident reporting (Article 21 and Article 23) remain the same, the enforcement details, sector lists, and notification protocols vary across the Baltics. 

What Businesses Must Do 

At the heart of NIS2 are proactive obligations. Companies falling under its scope must: 

Implement Cybersecurity Risk Management Measures 

This includes: 

  • Risk analysis and information security policies 
  • Business continuity and disaster recovery planning 
  • Supply chain security measures 
  • Staff training, access control, and multi-factor authentication 
  • Secure development, cryptography, and vulnerability handling 

Secure the Supply Chain 

Organizations are responsible not just for their own systems, but for the security practices of third-party vendors. In Lithuania, for example, contracts must require suppliers to: 

  • Report cyber incidents promptly 
  • Undergo audits 
  • Comply with specific security standards and certifications 

Report Incidents Quickly and Clearly 

If a significant incident occurs – one that affects data confidentiality, service availability, or public safety – companies must notify their national CSIRT or competent authority: 

  • Within 24 hours: early warning 
  • Within 72 hours: detailed incident report 
  • Within 1 month: final report, including root cause and mitigation measures 

If the incident affects clients or users, those individuals must also be notified — especially if they can take actions to reduce their own exposure. 

Enforcement: Fines, Bans, and Audits 

Authorities are empowered to: 

  • Conduct random audits and on-site inspections 
  • Impose administrative fines of up to €10 million or 2% of global turnover (whichever is higher for essential entities) 
  • Temporarily suspend licenses or even ban CEOs from holding managerial positions in severe cases of non-compliance 

And no – liability doesn’t end with the company. Legal representatives and executives can be held personally liable for failing to ensure NIS2 compliance. 

Conclusion: It’s Not Just an IT Issue Anymore 

The NIS2 Directive signals a new era in cybersecurity governance. It reframes security from a technical function to a strategic, legal, and leadership-level priority. For businesses across the Baltics – particularly those involved in essential digital services or public sector infrastructure – compliance is no longer optional or theoretical. 

As the 2007 Bronze Night attacks showed, it only takes one incident to shake the foundations of digital society. With NIS2, the EU is sending a clear message: resilience starts with responsibility.  

Early legal intervention helps to substantially minimize damage, contain the breach, and meet strict regulatory reporting deadlines. With this in mind, WIDEN has also launched a 24/7 emergency legal hotline to support businesses facing cyber-attacks, data breaches, and other security incidents.   

Hotline Details  

  • Phone: +372 6400373 – available 24/7  
  • First call and initial legal feedback are FREE  
  • All communication is protected by attorney-client privilege  

Read more about the brand-new emergency hotline


We invite you to watch the recording of the webinar hosted on 11 June 2025.

Key team members

  • Asta Macijauskienė, Partner
  • Rauno Kinkar, Partner
  • Henri Ratnik, Senior Lawyer
  • Anete Bože, Lawyer
