Cybersecurity - Liechtenstein

The fully revised Cyber-Security Act (CSG, LR 784.13) and Cyber-Security Ordinance (CSV) entered into force on 1 February 2025, transposing EU Directive 2022/2555 (NIS2) into Liechtenstein law. Liechtenstein is notably the EFTA/EEA state that has fully transposed NIS2.

The National Cyber Security Unit (Stabsstelle Cyber-Sicherheit), attached to the Prime Minister's Office, is the central authority and contact point; it operates a national CSIRT and handles supervision, incident reporting and enforcement.

Coverage was broadened to additional sectors (e.g. energy, district heating/cooling, wastewater, waste management, food, postal/courier, space, public administration, research). Registration via the official portal was mandatory from 1 February 2025; existing NIS1 entities had until 31 March 2025 to re-register and new entities within 30 days of qualifying.

Essential and important entities must notify the competent authority of significant cybersecurity incidents and implement risk-management measures, with penalties for non-compliance defined in the CSG/CSV.

The Digital Operational Resilience Act (DORA) became binding in Liechtenstein via the EEA-DORA implementing act on 1 February 2025, supervised by the Financial Market Authority (FMA), imposing ICT risk-management, resilience-testing and ICT-incident notification duties on financial entities.

Liechtenstein maintains a national strategy for protection against cyber risks (national cybersecurity strategy 2025), documented by ENISA, underpinning the legal regime.