
Navigating the NIS 2 Directive: An in-depth look at Lithuania’s cybersecurity landscape

Article authored by Viesturs Deksnis.

The General Data Protection Regulation brought about major legal changes across many sectors and businesses, and now another huge challenge has appeared that will change the lives of many businesses and institutions for good. The NIS 2 Directive is a legislative framework aimed at enhancing security in the European Union by establishing a high common level of security for network and information systems. The directive sets out a high level of cybersecurity across the EU, with a range of requirements that companies, whether small, medium-sized or large, will have to comply with.

What should companies consider when facing the tough effort of complying with the directive? What are the nuances, potential costs, legal matters and other aspects involved? Here is an interview with attorney Paulius Galubickas, who is a partner at the HubLegal law firm in Lithuania and has an IT background in software development.

Mr Galubickas, before we proceed with our main topics, here’s a brief question about the current mood of the Lithuanian business environment. It seems that every day we are reading about new banks entering the market in Vilnius, and this suggests that the country is developing very rapidly. We have also seen many stories about the Baltic States each day. Many indicators are decreasing and tax rates are going up in Estonia, which we have usually seen as the leading country among the three. Latvia is facing certain struggles while Lithuania has experienced tremendous growth in all sectors. What is the overall economic situation in Lithuania?

It is true that the economy is growing and people are getting richer. Lithuania’s IT sector is very vibrant, with new companies and startups arriving in Lithuania to establish affiliates. We cannot, however, deny the geopolitical tensions which are present in all three Baltic States. Businesses must adapt to the relevant risks, which means that there are fewer investments in real estate, and the sums that are paid for real estate are lower than was the case a few years ago. Mortgage rates are higher than usual, so I would say that in general terms Lithuania is doing just fine, but we had an election a week ago. A new government will be established soon, and I hope that the new Cabinet of Ministers will continue to support startups and the fin-tech sector irrespective of the problems which usually exist among growing businesses. Despite the various geopolitical risks, I would say that our economy is doing well.

That is good. Let’s turn to our main topic. Please start with a brief overview of how Lithuania is responding to the NIS 2 Directive. Are companies already doing this, and what are the first challenges that have been experienced?

The NIS 2 Directive has already been transposed into Lithuanian law. A new cybersecurity law was passed to enshrine all of the directive’s provisions in national law. The law has very detailed technical annexes which lay out the very specific steps that must be taken by companies which are subject to the directive’s requirements. I would say that Europe is terribly slow when it comes to IT innovations, but it is very quick with various regulations. This is the biggest problem. IT companies in Europe are much weaker than those in the United States, but we nevertheless have very strict and specific rules with which we must comply. This is not necessarily a bad thing, but right now everything that applies to cybersecurity may look good on paper; time will tell how resilient companies will prove to be if something major happens, such as something that Russia does. We cannot predict the future. The rules are good, but the risk is that companies will not take them too seriously, as was the case with the GDPR. Rules will be seen as a formality and nothing more.

You mentioned risks caused by Russia. Last week the media in Latvia reported that the number of cyberattacks has skyrocketed to the highest level during the past two years. The number of cyber incidents is up by 40% since Russia’s invasion of Ukraine, and the number of attacks against tax institutions and critical infrastructure has quadrupled. What’s the situation in Lithuania?

Pretty much the same. The number of cyberattacks has increased dramatically during the last several years. Large companies face daily raids from various sides, and it is not always clear whether the blame rests with criminals, Russian government institutions or secret services. We know that Russia is using tools from the criminal world in politics, and the line between the behaviour of criminals and the state is pretty much indiscernible. Hackers all around the world are prepared to work on behalf of Russian government institutions which are displeased with political decisions taken in the Baltic States. That leads them to put pressure on energy and telecoms companies. So far nothing critical has happened, but this process may become more dangerous in future.

I agree. We must prepare our critical infrastructure to deter such attacks. When it comes to the business environment, though, we see that there are certain resources which companies will need when implementing the requirements of NIS 2. Could you briefly describe these?

The big headache for companies is money. I think that the cost of compliance with this directive will be ten times higher than compliance with the GDPR. In this case, companies must look good on paper, but they also have to purchase a huge amount of expensive hardware and software for cybersecurity. This is a problem for companies which don’t have that much money. It has always been difficult to sell network security solutions to companies, because they see no direct value in them. If nothing happens, they may think that the investment isn’t worth it, but once there’s a serious incident, it may be too late to change anything afterward. This will be a huge challenge for SMEs, which will now have to find additional resources to purchase the necessary equipment.

What’s the deadline for implementation of the NIS 2 Directive?

The new cybersecurity law in Lithuania which contains the directive’s requirements took effect on October 18. Additional requirements have been published by the Lithuanian government. We also have the National Cybersecurity Centre, which is our local regulator on cybersecurity. It has already released guidelines and self-assessment forms, and soon we will have a self-assessment tool that will allow companies to see whether they fall under the NIS 2 requirements. This process is ongoing and will take a few months before companies receive an official decision from the National Cybersecurity Centre confirming that they are on the official register of important and essential entities, which means that they are obliged to make their systems more secure so as to satisfy the new requirements. This will be a serious challenge, not least in terms of finding the human resources and consultants who will be able to deliver tailor-made cybersecurity solutions.

On the other hand, there may be companies and consultants, as you mentioned, which can take advantage of this situation …

… to make quick money. There are already a few legal firms nosing around the process, but this has less to do with the law than it does with technical solutions and software solutions for cyber and network security. There are plenty of consultants, but it is very hard to ensure that one of them will provide you with all of the assistance that you need.

Who will ensure primary control over this process? When the GDPR took force, I remember that everyone wondered who would monitor the companies and take steps in case some of them failed to implement the relevant requirements. There were major fines equal to a high percentage of annual revenues. What can you tell us about the control mechanism and the possible penalties for failing to comply with the new requirements?

The National Cybersecurity Centre will take the lead in Lithuania. It will supervise, monitor and audit companies to check on their compliance with the new national cybersecurity rules. The centre operates under the aegis of the Ministry of Defence and is an independent agency. The GDPR was supervised by the Data Protection Authority, which is a completely different institution. Most cybersecurity events relate to data leakage or deletion, so I think that future incidents will be investigated by both agencies. The National Cybersecurity Centre presents itself as a user-friendly institution which does not want companies to fear major fines. The priority is not to fine companies for non-compliance, but instead to help companies comply with the new rules in the first place. These are very friendly and helpful people who publish reams of guidelines and other information to help companies comply. But you never know what political winds will blow in future. I’m afraid that the regulator may eventually become stricter and more willing to kill off less important companies that have not complied. Let’s hope that everything will be OK.

Do you have any information about how other European countries have done with the NIS 2 Directive?

It varies from country to country. All EU member states are obliged to implement the NIS 2 Directive, but most of them did not meet the deadline. Countries in Eastern Europe such as Poland, Lithuania, Latvia and Estonia are on the front lines when it comes to these cybersecurity requirements. Other countries may be more relaxed and less afraid simply because they do not share a border with Russia or Belarus. They take a laissez-faire approach to the requirements, and I think that this may well cause problems, because cyberattacks do not take national borders into account. This means that co-operation among certain member states when a cyber incident erupts may be difficult and not as fast as we could hope.

Final topic. Let’s talk about the conference “IT Leaders Day: Empowering Cybersecurity and Digital Transformation with Industry Peers,” which BAKOTECH is organising. I understand that you will be one of the speakers at this event. What will be your topic, and could you offer us a brief glimpse into the main theses that you will be presenting?

I’ll be speaking about the specific rules and challenges which companies will soon face. I am obliged to address these. “IT Leaders Day” gives management and IT specialists a chance to learn about the latest trends and solutions in the world of IT. This event will focus on sharing education and know-how, thus helping participants to understand how technology can help a business grow. BAKOTECH organises this event to increase understanding among partners and clients of the role which IT solutions play in business operations. Lithuania is a major market for BAKOTECH, so we’re interested in helping companies adjust to technological advancements. BAKOTECH is joining with my law firm HubLegal to promote collaboration and practical and legal compliance with the new regulation in the cybersecurity sector. I will personally be talking about how NIS 2 is implemented in Lithuania, looking at the relevant challenges and providing practical advice on how to ensure minimal compliance with the requirements without fearing the possible penalties that might be incurred.

When it comes to practical help for entrepreneurs, I understand that you represent the legal industry, but as you have mentioned, the IT side is even more important. How does your firm co-operate with the IT sector?

Any company’s compliance with the NIS 2 requirements requires IT consultants and legal advisers who work as a team. When it came to the GDPR, compliance could be ensured by lawyers alone. In this case, by contrast, lawyers can’t comprehend all of the technical specifics, and that means that they will need help from IT professionals. To offer a brief comparison: it cost EUR 5,000 to 10,000 to conduct an audit to ensure a company’s compliance with the GDPR. I believe that the work needed to ensure compliance with NIS 2 will cost ten times more than that. Companies will have to draft policies on IT security, disaster recovery, technical and organisational measures, etc. Papers will be required, but technical solutions will matter more, and those costs will make up the majority of project expenditure. I think that a cybersecurity audit can be conducted by a team of two or three people. Penetration testing will be required, but there are no companies here in Lithuania who are capable of doing it; I believe the same is true in Latvia. Without a penetration test, you cannot identify weaknesses. The test takes about a week to complete, and lawyers cannot conduct it. I am very concerned that Europe is organising such a massive project, one that is good but very expensive. Companies will have to find workarounds in their rules and just hope that they won’t ever face any cybersecurity issues. Of course, that does not really apply to critical state-owned companies, which have enough resources.

Such companies, of course, have already run the tests several times. I absolutely agree that the main challenges will rest with medium-sized companies. Time will tell how the situation develops.

Let’s see, and let’s hope for friendly regulators, because excessive regulatory strictness can kill any business. I have looked at the list of technical solutions and requirements in the law, and 100% compliance is simply impossible. The basis for all of this is best practice from ISO standards, and the rules are very specific and very detailed. Have you ever heard the phrase “software bill of materials”? It means that software must be accompanied by a list of the components that exist within it. The new cybersecurity regulation has nothing to say about that. Most dangerous cyber incidents occur through bad components in normal software. We can remember the last few global incidents involving Log4J or CrowdStrike and Microsoft services. One supplier’s component was bad, and that killed all of the dependent IT systems. Even now we are not talking about a software bill of materials, but that is a critical thing when it comes to software systems.
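To make the point about a software bill of materials concrete, here is an added example (not code from the article, nor from HubLegal or BAKOTECH) showing the check that an SBOM makes possible: the component list shipped with the software is matched against a list of advisories, and every component whose version falls inside a vulnerable range is reported together with the version that fixes it. The SBOM document, the advisory entries and their identifiers below are all constructed for the example; the SBOM is shaped like a minimal CycloneDX JSON document, and the version comparison is a deliberately simple dotted-number scheme with pre-release suffixes sorting below the matching release.

```python
"""Check a CycloneDX-style SBOM against a small advisory list.

Added example; all data here (SBOM and advisories) is constructed,
the advisory identifiers are placeholders, not real CVE numbers.
"""
import json

# Constructed SBOM in the shape of a minimal CycloneDX JSON document.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
    ],
})

# Constructed advisory list: a component is affected when
# introduced <= version < fixed.  IDs are example placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0-beta9", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "introduced": "2.9.0", "fixed": "2.12.0"},
]


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple.

    The dotted numeric part is padded to three places so that 2.17 and
    2.17.0 compare equal.  A '-suffix' marks a pre-release, which sorts
    below the plain release with the same numbers.
    """
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    # (0, suffix) for pre-releases, (1, "") for releases: releases win.
    return nums + ((0, suffix) if suffix else (1, ""))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json):
    """Yield (group, name, version) for every component in the SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in doc.get("components", []):
        yield comp.get("group", ""), comp["name"], comp["version"]


def find_vulnerable(sbom_json, advisories):
    """Return one record per (component, advisory) match in the SBOM."""
    hits = []
    for group, name, version in load_components(sbom_json):
        for adv in advisories:
            same_component = (adv["group"], adv["name"]) == (group, name)
            if same_component and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append({
                    "component": f"{group}:{name}@{version}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} matches {hit['advisory']}, fix in {hit['fixed_in']}")
```

Run on the constructed SBOM, only the log4j-core 2.14.1 entry is reported; the 2.17.1 copy of the same library and the jackson-databind entry are outside their advisory ranges. In practice the SBOM comes from the supplier or a build-time generator and the advisory list from a vulnerability feed, but the matching step stays the same: without the component inventory there is nothing to match, which is the gap the interviewee is pointing at.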

Precisely. That Microsoft case was huge!

Editor’s note: BAKOTECH will host “IT Leaders Day: Empowering Cybersecurity and Digital Transformation with Industry Peers” on October 24. This will be a key tech event that will help to shape the future of cybersecurity in Lithuania.
