Online safety & content laws in Liechtenstein (2026)

Liechtenstein enacted the consolidated revision of its Cyber Security Act, completing transposition of EU Directive 2022/2555 (NIS2) and its 'twin' CER Directive; coverage expanded to approximately 1,800–2,200 essential and important entities, and board members face personal financial liability if they cannot demonstrate participation in cyber-risk management training.

Liechtenstein's updated five-year National Strategy for Protection Against Cyber Risks entered into force, coordinated by the National Cyber Security Unit (NCSU); the mandatory NIS2 entity registration portal launched simultaneously, with existing NIS1 entities required to re-register by 31 March 2025.

Regulation EU 2022/2065 became fully enforceable across EEA states, binding platforms operating in Liechtenstein to remove illegal content, provide algorithmic transparency, and protect users; Liechtenstein designated a Digital Services Coordinator to oversee national compliance and liaise with EU enforcement bodies.

Liechtenstein adopted its first dedicated Cyber Security Act, implementing EU NIS1 Directive 2016/1148 and providing the legal foundation for the National Cyber Security Unit, mandatory incident reporting by operators of essential services, and cooperation with ENISA; it was later superseded by the 2025 NIS2 revision.

Iceland, Liechtenstein, and Norway jointly welcomed the DSA's goals to combat illegal online content but urged the European Commission to preserve core ISP liability safe harbours from the e-Commerce Directive and to balance content takedown against freedom of expression, directly influencing the EEA incorporation process.

The government created the NCSU as the central coordinating body for all cyber-risk matters and stood up CSIRT.LI as Liechtenstein's official Computer Security Incident Response Team; the move was driven by a surge in cybercrime — cases grew 88% in 2020 and a further 172% in 2021, making it the fastest-growing offence category in the country.

The totally revised Datenschutzgesetz, modelled on Germany's BDSG, brought Liechtenstein's data-protection regime into full conformity with the EEA-incorporated GDPR; enforcement authority was transferred from the regional court to the Data Protection Authority (Datenschutzstelle Liechtenstein), which gained new investigative and sanctioning powers.

EEA Joint Committee Decision No. 154/2018 incorporated the General Data Protection Regulation (EU 2016/679) into the EEA Agreement, making the GDPR directly applicable in Liechtenstein and triggering an urgent total revision of the national Data Protection Act to close the resulting regulatory gap.

Liechtenstein deposited its instrument of ratification with the Council of Europe; under Liechtenstein's monist legal system the Budapest Convention became immediately part of domestic law, with provisions distributed across the Criminal Code, Code of Criminal Procedure, Communications Act, E-Commerce Act, and Mutual Legal Assistance Act rather than in a single cybercrime statute.

Transposing EU Directive 2000/31/EC into EEA law, the ECG established Liechtenstein's foundational rules for information society services: safe-harbour liability exemptions for hosting, caching, and mere-conduit providers; country-of-origin supervision; and mandatory disclosure obligations for online service providers — the bedrock framework later complemented by the DSA.

Liechtenstein's first comprehensive Data Protection Act, implementing EU Directive 95/46/EC, established the Datenschutzstelle (Data Protection Authority) and core safeguards for personal data processing applicable to online services; it remained in force until superseded by the GDPR-aligned revision in January 2019.