Skip to content
World Watch/Lithuania/Cybersecurity

Cybersecurity ยท Lithuania

Cybersecurity law in Lithuania: NIS2 compliance (2026)

Comprehensive lawLaw on Cybersecurity of the Republic of Lithuania (amended 11 July 2024, in force 18 October 2024), transposing EU NIS2 Directive (2022/2555); supplemented by Government Resolution on Implementation (in force 12 November 2024). Competent authority and national CSIRT: National Cyber Security Centre (NKSC/NCSC) under the Ministry of National Defence.Country index 93 ยท A+

Lithuania shaded by its cybersecurity status

Cybersecurity in Lithuania: comprehensive law, anchored by Law on Cybersecurity of the Republic of Lithuania (amended 11 July 2024, in force 18 October 2024), transposing EU NIS2 Directive (2022/2555); supplemented by Government Resolution on Implementation (in force 12 November 2024). Competent authority and national CSIRT: National Cyber Security Centre (NKSC/NCSC) under the Ministry of National Defence..

Lithuania fully transposed the EU NIS2 Directive through an amended Law on Cybersecurity that entered into force on 18 October 2024, with implementing technical/organisational requirements following on 12 November 2024. The National Cyber Security Centre (NKSC) acts as the single national cybersecurity authority, CSIRT, and supervisory body, with enforcement powers including binding instructions, on-site inspections, and fines. Entities classified as essential or important face tiered compliance timelines, organisational measures within 12 months of registration, technical measures within 24 months.

NIS2 & cybersecurity law in Lithuania

In Lithuania, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to โ‚ฌ10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Lithuania implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Lithuania: FAQ

Does NIS2 apply in Lithuania?

Yes. As an EU member, Lithuania has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Lithuania?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Lithuania?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Lithuania?

Up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

NIS2 Transposition

The revised Law on Cybersecurity was adopted on 11 July 2024 and entered into force on 18 October 2024, meeting the EU deadline. The Government's implementing Resolution setting technical and organisational requirements entered into force on 12 November 2024.

Supervisory Authority (NKSC)

The National Cyber Security Centre (NKSC) under the Ministry of National Defence is the sole competent authority, national CSIRT, and supervisory body. It manages the national Register of cybersecurity entities, monitors compliance, and coordinates incident response within the EU cybersecurity network.

Entity Registration & Scope

By 17 April 2025, NKSC compiled the initial Register, identifying 1,443 essential and important entities across critical sectors. The total universe of in-scope entities is estimated at 8,000-10,000 once the full identification process is complete.

Incident Reporting Obligations

Essential and important entities must report significant incidents to NKSC following the NIS2 three-stage timeline: early warning within 24 hours, full incident notification within 72 hours, and a final (or progress) report within one month. Affected service recipients must also be notified where an incident impacts service delivery.

Compliance Timelines

Entities notified of their inclusion in the Register have 12 months to implement organisational measures (e.g. appoint a cybersecurity officer, adopt cybersecurity policies), deadline approximately April 2026 for the first cohort, and 24 months to implement full technical measures.

Penalties & Enforcement

Essential entities face fines up to โ‚ฌ10 million or 2% of global annual turnover (whichever is greater); important entities face up to โ‚ฌ7 million or 1.4% of global turnover. Additional non-financial sanctions include temporary suspension of activities and temporary dismissal of the responsible manager.

Timeline - major decisions & events

Apr 17, 2025decision
NCSC Notifies 1,443 Entities of NIS2 Registration, Compliance Clock Starts

Lithuania's National Cybersecurity Centre completed the first round of entity identification under the new Cybersecurity Act and formally notified essential and important entities of their register status. From the notification date, entities have 12 months to appoint cybersecurity officers and 24 months to implement required technical measures; the regulated population is expected to grow to 8,000-10,000 entities once identification is complete.

Eversheds Sutherland (reporting on NCSC) โ†—
Jan 1, 2025guidanceofficial
NCSC Annual Report: 3,874 Cyber Incidents in 2024, 63% Rise, Three State-Actor Attacks

Lithuania's NCSC annual cybersecurity status report recorded 3,874 incidents in 2024, up 63% from 2,378 in 2023; three were classified as major incidents attributed to foreign state-sponsored groups conducting espionage. Social engineering accounted for 59% of all incidents, up from 38% the prior year, indicating a shift in attack vectors against Lithuanian organisations.

NKSC / Ministry of National Defence Lithuania โ†—
Nov 12, 2024lawofficial
Government Implementing Resolution on Cybersecurity Technical Measures Enters into Force

The Lithuanian Government's secondary legislation specifying detailed technical and organisational requirements for entities covered by the new Cybersecurity Act took effect, completing the NIS2 implementation package. It mandates risk assessments, supply chain security, business continuity plans, and incident-handling procedures calibrated to entity classification.

European Commission โ€” Digital Strategy โ†—
Jun 27, 2022incident
Killnet Launches DDoS Campaign Against Lithuanian Government and Critical Infrastructure

Russia-linked hacktivist group Killnet targeted Lithuanian government, transport, energy, and financial sector websites with sustained DDoS attacks in direct retaliation for Vilnius blocking EU-sanctioned goods transit to the Russian exclave of Kaliningrad. The incident highlighted Lithuania's acute geopolitical cyber exposure and accelerated domestic investment in DDoS resilience and incident-response capacity.

Euronews โ†—
Dec 16, 2021decisionofficial
Seimas Approves Revised National Security Strategy Elevating Cyber Resilience

Lithuania's parliament approved an updated National Security Strategy that formally elevated cyber resilience to a core pillar alongside conventional defence and NATO interoperability, guiding budget allocations and legislative reforms, including the subsequent NIS2 transposition drive, through the mid-2020s.

Ministry of National Defence of Lithuania โ†—
Aug 13, 2018guidanceofficial
Government Adopts National Cyber Security Strategy (Resolution No. 818)

The Lithuanian Government adopted the National Cyber Security Strategy by Resolution No. 818, establishing strategic objectives on critical information infrastructure protection, adoption of ISO 27001-based security standards, public-private partnership, cyber exercises, R&D, and international cooperation aligned with EU and NATO frameworks.

Ministry of National Defence of Lithuania โ†—
Jan 1, 2018lawofficial
Amended Law on Cyber Security Enters into Force, NIS1 Directive Transposed

Amendments adopted by the Seimas on 19 December 2017 entered into force, transposing EU NIS1 Directive 2016/1148 into Lithuanian law. Incident investigation and electronic-network security functions were transferred from the Communications Regulatory Authority to NKSC, consolidating the entire cybersecurity supervisory apparatus under the Ministry of National Defence.

NATO CCDCOE (Ministry of National Defence translation) โ†—
Dec 21, 2017decision
Lithuania Becomes First Country Worldwide to Ban Kaspersky Products Across Public and Private Critical Sectors

Lithuania's government banned Kaspersky Lab antivirus products on computers managing critical energy, finance, and transport systems in both public and private sectors, citing national security risk from the Russian-linked vendor. The decision, the first of its kind globally, preceded similar bans by the US FCC and EU institutions by several years and set a precedent for supply-chain security decisions in the Baltic region.

France 24 โ†—
Dec 11, 2014lawofficial
Seimas Enacts First Standalone Law on Cyber Security (No. XII-1428), Effective 1 January 2015

Lithuania's parliament adopted the foundational Law on Cyber Security (No. XII-1428), which entered into force on 1 January 2015. The law established the national cybersecurity architecture, designated the authorities responsible for policy development, set mandatory security measures for state information-resource managers and critical infrastructure operators, and created the legal basis for establishing the National Cyber Security Centre (NKSC) in 2015.

Seimas of the Republic of Lithuania โ†—

Lithuania - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’