Cybersecurity · Liechtenstein
Cybersecurity regulation in Liechtenstein (2026)
Liechtenstein shaded by its cybersecurity status
Liechtenstein has a comprehensive horizontal cybersecurity law: the revised Cyber-Security Act (CSG) and its ordinance (CSV) entered into force on 1 February 2025, fully transposing the EU NIS2 Directive into national law via the EEA. The regime imposes risk-management and incident-reporting duties on 'essential' and 'important' entities across many sectors, overseen by the National Cyber Security Unit (Stabsstelle Cyber-Sicherheit) and its CSIRT. The financial sector is additionally governed by DORA (in force 1 February 2025 via the EEA) and FMA Directive 2021/3.
Key points
The fully revised Cyber-Security Act (CSG, LR 784.13) and Cyber-Security Ordinance (CSV) entered into force on 1 February 2025, transposing EU Directive 2022/2555 (NIS2) into Liechtenstein law. Liechtenstein is notably the EFTA/EEA state that has fully transposed NIS2.
The National Cyber Security Unit (Stabsstelle Cyber-Sicherheit), attached to the Prime Minister's Office, is the central authority and contact point; it operates a national CSIRT and handles supervision, incident reporting and enforcement.
Coverage was broadened to additional sectors (e.g. energy, district heating/cooling, wastewater, waste management, food, postal/courier, space, public administration, research). Registration via the official portal was mandatory from 1 February 2025; existing NIS1 entities had until 31 March 2025 to re-register and new entities within 30 days of qualifying.
Essential and important entities must notify the competent authority of significant cybersecurity incidents and implement risk-management measures, with penalties for non-compliance defined in the CSG/CSV.
The Digital Operational Resilience Act (DORA) became binding in Liechtenstein via the EEA-DORA implementing act on 1 February 2025, supervised by the Financial Market Authority (FMA), imposing ICT risk-management, resilience-testing and ICT-incident notification duties on financial entities.
Liechtenstein maintains a national strategy for protection against cyber risks (national cybersecurity strategy 2025), documented by ENISA, underpinning the legal regime.
Timeline - major decisions & events
Liechtenstein adopted an updated national cyber strategy succeeding the 2020–2024 plan, reflecting the new CSG, evolving threats and technological change, and reinforcing the role of the national Cyber Security Unit and CSIRT.
Government of Liechtenstein (Regierung.li) ↗The EU Digital Operational Resilience Act (Regulation 2022/2554), incorporated into the EEA Agreement and supplemented by a national implementing act (EEA-DORA-DG), began applying in Liechtenstein, imposing ICT risk-management, incident-classification/reporting and third-party-risk rules on financial entities supervised by the FMA.
Finanzmarktaufsicht (FMA) Liechtenstein ↗Liechtenstein's overhauled Cyber-Sicherheitsgesetz and accompanying ordinance (CSV) implement EU Directive 2022/2555 (NIS2) via the EEA, vastly expanding covered sectors (energy, water, public administration, postal, waste, food, research, space) and introducing mandatory registration with the Stabsstelle Cyber-Sicherheit plus incident-reporting and supervisory/sanction powers.
Government of Liechtenstein (Regierung.li) ↗Liechtenstein enacted its first dedicated Cyber-Sicherheitsgesetz (LGBl. 2023 No. 269), implementing the EU NIS Directive (2016/1148) via EEA Joint Committee decisions and creating the legal basis for protecting operators of essential services and digital service providers.
Government of Liechtenstein (Regierung.li) ↗The financial-market authority issued guidance harmonising ICT and cyber risk-management expectations for supervised financial intermediaries, laying the groundwork later aligned with and superseded by DORA.
Finanzmarktaufsicht (FMA) Liechtenstein ↗The government approved Liechtenstein's inaugural 'National Strategy for the Protection of Liechtenstein against Cyber Risks' (2020–2024), targeting the population, economy/financial centre, critical infrastructure and state bodies, and anchoring the Stabsstelle Cyber-Sicherheit and national CSIRT.
Government of Liechtenstein (Regierung.li) ↗Liechtenstein's Datenschutzgesetz of 4 October 2018 and its ordinance took effect, implementing the GDPR into national law and confirming the Datenschutzstelle as supervisory authority responsible for data-security obligations.
Lilex – Liechtenstein Law Database ↗Following EEA Joint Committee Decision No. 154/2018, the EU General Data Protection Regulation entered into force for Liechtenstein, Iceland and Norway, establishing binding personal-data security and breach-notification duties.
Datenschutzstelle Liechtenstein ↗Hackers exfiltrated several gigabytes of client data from Valartis Bank Liechtenstein and attempted to blackmail account holders for Bitcoin ransoms, a high-profile incident that highlighted financial-sector cyber exposure ahead of formal cyber legislation.
The Register ↗Liechtenstein - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →