Cybersecurity ยท Lithuania
Cybersecurity law in Lithuania: NIS2 compliance (2026)
Lithuania shaded by its cybersecurity status
Cybersecurity in Lithuania: comprehensive law, anchored by Law on Cybersecurity of the Republic of Lithuania (amended 11 July 2024, in force 18 October 2024), transposing EU NIS2 Directive (2022/2555); supplemented by Government Resolution on Implementation (in force 12 November 2024). Competent authority and national CSIRT: National Cyber Security Centre (NKSC/NCSC) under the Ministry of National Defence..
Lithuania fully transposed the EU NIS2 Directive through an amended Law on Cybersecurity that entered into force on 18 October 2024, with implementing technical/organisational requirements following on 12 November 2024. The National Cyber Security Centre (NKSC) acts as the single national cybersecurity authority, CSIRT, and supervisory body, with enforcement powers including binding instructions, on-site inspections, and fines. Entities classified as essential or important face tiered compliance timelines, organisational measures within 12 months of registration, technical measures within 24 months.
NIS2 & cybersecurity law in Lithuania
In Lithuania, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Lithuania implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Lithuania: FAQ
Yes. As an EU member, Lithuania has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The revised Law on Cybersecurity was adopted on 11 July 2024 and entered into force on 18 October 2024, meeting the EU deadline. The Government's implementing Resolution setting technical and organisational requirements entered into force on 12 November 2024.
The National Cyber Security Centre (NKSC) under the Ministry of National Defence is the sole competent authority, national CSIRT, and supervisory body. It manages the national Register of cybersecurity entities, monitors compliance, and coordinates incident response within the EU cybersecurity network.
By 17 April 2025, NKSC compiled the initial Register, identifying 1,443 essential and important entities across critical sectors. The total universe of in-scope entities is estimated at 8,000-10,000 once the full identification process is complete.
Essential and important entities must report significant incidents to NKSC following the NIS2 three-stage timeline: early warning within 24 hours, full incident notification within 72 hours, and a final (or progress) report within one month. Affected service recipients must also be notified where an incident impacts service delivery.
Entities notified of their inclusion in the Register have 12 months to implement organisational measures (e.g. appoint a cybersecurity officer, adopt cybersecurity policies), deadline approximately April 2026 for the first cohort, and 24 months to implement full technical measures.
Essential entities face fines up to โฌ10 million or 2% of global annual turnover (whichever is greater); important entities face up to โฌ7 million or 1.4% of global turnover. Additional non-financial sanctions include temporary suspension of activities and temporary dismissal of the responsible manager.
Timeline - major decisions & events
Lithuania's National Cybersecurity Centre completed the first round of entity identification under the new Cybersecurity Act and formally notified essential and important entities of their register status. From the notification date, entities have 12 months to appoint cybersecurity officers and 24 months to implement required technical measures; the regulated population is expected to grow to 8,000-10,000 entities once identification is complete.
Eversheds Sutherland (reporting on NCSC) โLithuania's NCSC annual cybersecurity status report recorded 3,874 incidents in 2024, up 63% from 2,378 in 2023; three were classified as major incidents attributed to foreign state-sponsored groups conducting espionage. Social engineering accounted for 59% of all incidents, up from 38% the prior year, indicating a shift in attack vectors against Lithuanian organisations.
NKSC / Ministry of National Defence Lithuania โThe Lithuanian Government's secondary legislation specifying detailed technical and organisational requirements for entities covered by the new Cybersecurity Act took effect, completing the NIS2 implementation package. It mandates risk assessments, supply chain security, business continuity plans, and incident-handling procedures calibrated to entity classification.
European Commission โ Digital Strategy โRussia-linked hacktivist group Killnet targeted Lithuanian government, transport, energy, and financial sector websites with sustained DDoS attacks in direct retaliation for Vilnius blocking EU-sanctioned goods transit to the Russian exclave of Kaliningrad. The incident highlighted Lithuania's acute geopolitical cyber exposure and accelerated domestic investment in DDoS resilience and incident-response capacity.
Euronews โLithuania's parliament approved an updated National Security Strategy that formally elevated cyber resilience to a core pillar alongside conventional defence and NATO interoperability, guiding budget allocations and legislative reforms, including the subsequent NIS2 transposition drive, through the mid-2020s.
Ministry of National Defence of Lithuania โThe Lithuanian Government adopted the National Cyber Security Strategy by Resolution No. 818, establishing strategic objectives on critical information infrastructure protection, adoption of ISO 27001-based security standards, public-private partnership, cyber exercises, R&D, and international cooperation aligned with EU and NATO frameworks.
Ministry of National Defence of Lithuania โAmendments adopted by the Seimas on 19 December 2017 entered into force, transposing EU NIS1 Directive 2016/1148 into Lithuanian law. Incident investigation and electronic-network security functions were transferred from the Communications Regulatory Authority to NKSC, consolidating the entire cybersecurity supervisory apparatus under the Ministry of National Defence.
NATO CCDCOE (Ministry of National Defence translation) โLithuania's government banned Kaspersky Lab antivirus products on computers managing critical energy, finance, and transport systems in both public and private sectors, citing national security risk from the Russian-linked vendor. The decision, the first of its kind globally, preceded similar bans by the US FCC and EU institutions by several years and set a precedent for supply-chain security decisions in the Baltic region.
France 24 โLithuania's parliament adopted the foundational Law on Cyber Security (No. XII-1428), which entered into force on 1 January 2015. The law established the national cybersecurity architecture, designated the authorities responsible for policy development, set mandatory security measures for state information-resource managers and critical infrastructure operators, and created the legal basis for establishing the National Cyber Security Centre (NKSC) in 2015.
Seimas of the Republic of Lithuania โLithuania - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ