Cybersecurity regulation in Lithuania (2026)
Lithuania fully transposed the EU NIS2 Directive through an amended Law on Cybersecurity that entered into force on 18 October 2024, with implementing technical/organisational requirements following on 12 November 2024. The National Cyber Security Centre (NKSC) acts as the single national cybersecurity authority, CSIRT, and supervisory body, with enforcement powers including binding instructions, on-site inspections, and fines. Entities classified as essential or important face tiered compliance timelines — organisational measures within 12 months of registration, technical measures within 24 months.
Key points
The revised Law on Cybersecurity was adopted on 11 July 2024 and entered into force on 18 October 2024, meeting the EU deadline. The Government's implementing Resolution setting technical and organisational requirements entered into force on 12 November 2024.
The National Cyber Security Centre (NKSC) under the Ministry of National Defence is the sole competent authority, national CSIRT, and supervisory body. It manages the national Register of cybersecurity entities, monitors compliance, and coordinates incident response within the EU cybersecurity network.
By 17 April 2025, NKSC compiled the initial Register, identifying 1,443 essential and important entities across critical sectors. The total universe of in-scope entities is estimated at 8,000–10,000 once the full identification process is complete.
Essential and important entities must report significant incidents to NKSC following the NIS2 three-stage timeline: early warning within 24 hours, full incident notification within 72 hours, and a final (or progress) report within one month. Affected service recipients must also be notified where an incident impacts service delivery.
Entities notified of their inclusion in the Register have 12 months to implement organisational measures (e.g. appoint a cybersecurity officer, adopt cybersecurity policies) — deadline approximately April 2026 for the first cohort — and 24 months to implement full technical measures.
Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is greater); important entities face up to €7 million or 1.4% of global turnover. Additional non-financial sanctions include temporary suspension of activities and temporary dismissal of the responsible manager.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.