What are the additional requirements of Lithuania’s Cybersecurity Act when compared to NIS2?

In 2024 Lithuania adopted a new wording of its Cybersecurity Law (Kibernetinio saugumo įstatymas; the previous wording dated from 2018), thereby transposing the NIS2 Directive (Directive (EU) 2022/2555) into national legislation. The amended law keeps its original number, No. XII-1428.

Below is an overview of the Lithuanian Cybersecurity Act (“LCA”) in comparison with the EU’s NIS2 Directive, highlighting both similarities and new or different requirements.

Lithuania’s Cybersecurity Act follows NIS2 requirements closely, but also introduces some additional requirements like role-specific designations (cybersecurity manager, security officer) and a secure national data network requirement for public bodies.

Basics of the Lithuanian Cybersecurity Act

As with NIS2, Lithuania's Cybersecurity Act aims to mitigate cybersecurity risks in the organizations that are critical for society and the economy (referred to as esminiai subjektai (essential entities) and svarbūs subjektai (important entities)) and to strengthen the resilience of their network and information systems.

The Act also designates roles of public institutions — most notably the National Cybersecurity Center (Nacionalinis kibernetinio saugumo centras), or NCSC, under the Ministry of National Defense — to oversee and enforce compliance.

The official text of the LCA is available (in Lithuanian) as Lietuvos Respublikos kibernetinio saugumo įstatymas Nr. XII-1428, as amended in 2024, and it is meant to implement the core principles and obligations laid down in the EU's NIS2 Directive.

Additionally, Lithuania’s government has published the Decision on the Implementation of this Law; you can read about the details here: Overview of Lithuania’s Decision on Cybersecurity Requirements.

Lithuania’s Cybersecurity Act compared to NIS2

Highlight: Lithuanian Cybersecurity Act vs. NIS2

  • Which companies must comply: Generally the same criteria as in NIS2, but only for companies registered in Lithuania. The exceptions are providers of public electronic communications networks and providers of publicly available electronic communications services, which must comply with the LCA no matter where they are registered, as long as they provide services within Lithuania.
  • Deadlines: The Act entered into force on October 18, 2024, the date from which NIS2 applies. The National Cybersecurity Center must complete the identification of essential and important entities by April 17, 2025, which is also the NIS2 deadline for member states to draw up their lists of such entities. Entities typically have 12 months to implement the cybersecurity requirements after being notified or registered (Article 14(2)).
  • Responsibilities of senior management: Same as NIS2, with additional requirements specified in the Description of Cybersecurity Requirements.
  • Importance of training: Very similar to NIS2. The Act requires senior management and key staff to receive cybersecurity training at least every 2 years (Article 14(7)) so that they have sufficient knowledge to oversee cybersecurity risk management; NIS2 only requires training "on a regular basis" without specifying a frequency. Additional requirements are specified in the Description of Cybersecurity Requirements.
  • Risk-based approach to cybersecurity: Same as NIS2, with additional requirements specified in the Description of Cybersecurity Requirements.
  • Cybersecurity measures: Same as NIS2, with additional requirements specified in the Description of Cybersecurity Requirements.
  • Supply chain security: Same as NIS2, with additional requirements specified in the Description of Cybersecurity Requirements.
  • Incident reporting obligations: Same as NIS2, with additional requirements specified in the Description of Cybersecurity Requirements.
  • Using certified IT products & services: Same as NIS2. The Act does not mandate specific certifications but encourages alignment with EU standards.
  • Supervision & enforcement: The LCA prescribes a detailed enforcement structure in Articles 26-33. The NCSC can conduct on-site inspections and audits, issue binding orders or instructions, impose administrative fines and, in severe cases, temporarily suspend business licenses or managerial rights (Article 32).
  • Fines: Similar to NIS2. Fines follow the NIS2 thresholds of up to 10 million EUR or 2% of global annual turnover, whichever is higher, for essential entities (Articles 30, 31), but the Act adds lower, fixed fines for government bodies.
  • New / unique points: 1) Secure state data network: the Act includes special rules requiring public institutions to connect only through a secure state network (Articles 37, 38). 2) Appointed roles: the LCA requires a cybersecurity manager and a security officer (Article 15).

Which companies must comply?

The LCA applies to companies registered in Lithuania, regardless of where in the EU they provide their products and services. There is one exception to this rule: the LCA mandates that the following companies must comply with the LCA even if they are not registered in Lithuania, as long as they provide their services in the country:

  • providers of public electronic communications networks
  • providers of publicly available electronic communications services

The LCA uses the same criteria as NIS2 for categorizing companies and other organizations as essential and important entities, but it also brings in some categories that are defined differently from, or go beyond, the NIS2 annexes, for example:

  • public administration entities
  • any entity controlling “state information resources”

Further, the LCA clarifies that if an operator is the sole provider of a critical service in Lithuania, it may be identified as essential regardless of its size (Article 11(5)). This mirrors the size-independent criterion in NIS2 Article 2(2)(b), so in practice it is a confirmation rather than an extension of the Directive.

See also: Which companies must comply with NIS 2? Essential vs. important entities.

Deadlines

While NIS2 had to be transposed by October 17, 2024, and applies from October 18, 2024, the Lithuanian Act:

  • entered into force on October 18, 2024, except transitional measures
  • grants the National Cybersecurity Center until April 17, 2025, to finish identifying essential or important entities (Article 2(3) of the amending law)
  • requires newly identified entities to comply with the cybersecurity measures within 12 months of being notified (Article 14(2))

Supervision and enforcement

Under Articles 26 to 29, Lithuania's National Cybersecurity Center is authorized to conduct audits and demand risk assessments from essential and important entities. The Center can issue binding instructions, request detailed documentation, and perform on-site inspections.

These measures mirror NIS2's two-tier supervision model, in which essential entities are subject to proactive (ex ante) supervision while important entities are supervised reactively (ex post), so that oversight focuses on the highest-impact entities. The strong enforcement powers are intended to keep cybersecurity measures effective while aligning with the EU-wide supervision model set out in NIS2.

Fines

Article 30 sets out the financial penalties for noncompliance, reflecting NIS2's tiered structure. Essential entities face fines of up to 10 million euros or 2% of their global annual turnover, whichever is higher, while important entities risk a maximum of 7 million euros or 1.4% of global annual turnover, again whichever is higher.

However, for government organizations it introduces lower fines, i.e., up to 60,000 euros for essential, and up to 30,000 euros for important (government) entities.

The Lithuanian Act emphasizes proportionality, weighing factors such as the severity and duration of the infringement and prior offenses. This approach aligns closely with NIS2, which lists the same kinds of factors, so that fines act as a deterrent while remaining consistent with enforcement elsewhere in the EU.

New or unique requirements in Lithuania’s Act

Article 15 mandates the appointment of a “kibernetinio saugumo vadovas” (cybersecurity manager) and a “saugos įgaliotinis” (security officer). The manager oversees overall compliance and reports directly to top leadership, while the officer ensures day-to-day safeguards for specific networks.

Articles 37 and 38 establish the Saugusis valstybinis duomenų perdavimo tinklas (Secure State Data Network) for public institutions. This network, fully independent from public telecoms, applies heightened organizational and technical safeguards, ensuring robust confidentiality and integrity of state information. NIS2 does not prescribe such a dedicated national infrastructure, so Lithuania’s approach adds an extra layer of protection for governmental entities, reinforcing resilience against large-scale cyber threats.

Requirements that are the same as in NIS2

Overall, the LCA requirements are very similar to NIS2 Articles 20 to 25: governance and management responsibility, cybersecurity risk-management measures, supply chain security, incident reporting, and the use of certification schemes and standards.

However, as mentioned above, the Lithuanian government has published much more detailed requirements in the part of its decision called "Description of Cybersecurity Requirements"; you can read the details in this article: Overview of Lithuania's Decision on Cybersecurity Requirements.

Lithuania’s Cybersecurity Act vs. NIS2

Lithuania’s Cybersecurity Act transposing NIS2 mirrors the Directive’s main points — risk-based measures, incident reporting, senior management liability — while also introducing role-specific designations (cybersecurity manager, security officer) and a secure national data network requirement for public bodies. It also features a robust supervision mechanism that grants the National Cybersecurity Center significant authority to enforce compliance.

Together with the government’s Description of Cybersecurity Requirements, this creates a very thorough framework for cybersecurity compliance that will raise the level of security in Lithuania’s critical infrastructure companies.

To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this. As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.