As part of its NIS2 transposition, Lithuania has published its NIS2 Law, together with a government decision that describes the cybersecurity requirements in more detail.
This article presents those cybersecurity requirements.
Lithuania’s Description of Cybersecurity Requirements prescribes detailed security rules in 12 areas, including Network and Information Systems Security Policy, Business Continuity, Access Control, etc.
On November 6, 2024, the Lithuanian government published its Decision on the Implementation of the Law on Cybersecurity of the Republic of Lithuania with several parts, including the National Cyber Incident Management Plan, Methodology for Identifying Cybersecurity Actors Based on Specific Criteria, etc. You can find the original document here (in Lithuanian).
The most interesting part of this decision is called “Description of Cybersecurity Requirements,” and it describes the key requirements that Lithuanian companies within the scope of NIS2 need to be compliant with. This Description has 12 sections:
- Network and Information Systems Security Policy
- Cybersecurity Risk Analysis
- Responsibilities for Cybersecurity
- Cyber Incident Management
- Business Continuity
- Supply Chain Security
- Acquisition, Development, and Maintenance Security
- Assessing the Effectiveness
- Cyber Hygiene Practices and Cybersecurity Training
- Policies and Procedures for the Use of Cryptography
- Human Resources Security, Physical Access Policy, and Asset Management
- Access Control and Multi-Factor Authentication Tools
Each of these is described briefly in the following section.
Overview of the Description of Cybersecurity Requirements
Note: The Description specifies that some of these requirements are mandatory only for essential entities, while they are not mandatory for important entities — for detailed information, consult the original text of the Description.
Network and Information Systems Security Policy (Section I)
This section establishes the core principles and objectives of a security policy. It outlines the obligations for creating, maintaining, and reviewing security documentation, ensuring that network and information systems are governed by clear rules and responsibilities. The policy fosters a security culture, stating the commitment to continuous improvement and regular audits to meet evolving cybersecurity standards.
Cybersecurity Risk Analysis (Section II)
Here, organizations learn how to identify and evaluate threats, vulnerabilities, and potential impacts on their systems. It prescribes a regular risk assessment process covering network and information system assets, likelihood of incidents, and recommended mitigation measures. By clearly defining acceptable risk levels, it ensures that decision makers can prioritize resources and create effective strategies against cybersecurity threats.
Responsibilities of Security Personnel and Management (Section III)
This section clarifies roles and duties for anyone accountable for cybersecurity. It covers the appointment of a cybersecurity manager or officer, staff responsible for implementing protections, and procedures for delegating tasks. Emphasis is placed on separation of duties, independence of security oversight from daily IT tasks, and maintaining open channels for reporting incidents or recommending improvements.
Cyber Incident Management (Section IV)
This section details how to organize and respond to security incidents. It describes procedures for detecting, analyzing, containing, and recovering from incidents, as well as communicating with stakeholders. Clear guidelines ensure swift coordination among technical teams, incident responders, and relevant authorities. Post-incident reviews and lessons learned are mandatory to strengthen future defenses and refine existing processes.
Business Continuity (Section V)
Here, the focus is on ensuring ongoing operations despite adverse events. It describes how to develop continuity plans, protect critical functions, and conduct regular backups of key data. It defines parameters for maximum downtime and data loss, requiring routine drills and plan updates. Ultimately, it ensures that essential services can rapidly return to operation after disruptions or incidents.
Supply Chain Security (Section VI)
Recognizing that third parties can introduce vulnerabilities, this section addresses vetting suppliers, enforcing contractual security clauses, and monitoring vendor compliance. It encourages risk assessments of partners, routine checks of outsourced services, and immediate notification of breaches. By managing supplier risks and dependencies, it fosters a holistic view of security beyond the organization’s perimeter.
Systems Acquisition, Development, Maintenance, and Vulnerability Management (Section VII)
This section governs secure system lifecycles, covering everything from definition of requirements to decommissioning. It sets guidelines for testing software updates, controlling changes, and ensuring prompt patching of known flaws. Emphasis is placed on adopting secure coding practices, maintaining documentation, and establishing processes for responsibly disclosing and fixing vulnerabilities to minimize security risks.
Evaluating the Effectiveness of Cybersecurity Requirements (Section VIII)
Outlined here is a regular review cycle to measure how well security controls achieve their goals. It includes audits, self-assessments, and documentation of compliance with standards or laws. Nonconformities trigger corrective actions, while successes inform best practices. The findings feed into continuous improvement, ensuring the cybersecurity program adapts to new threats and organizational changes.
Cyber Hygiene and Training (Section IX)
This section explains how to build a workforce capable of detecting and preventing threats through basic security awareness and best practices. It emphasizes regular training sessions for employees at all levels, covering password safety, phishing recognition, and data handling guidelines. By promoting a security-focused mindset, it reduces human error-based incidents and fosters a stronger defensive posture.
Cryptography and Encryption Policy and Procedures (Section X)
Here, the requirements for protecting sensitive data in transit and at rest are covered. It mandates the use of robust encryption algorithms, secure key management, and approved cryptographic modules. The policy stipulates scenarios where encryption is necessary, including backups and transmission across untrusted networks. Procedures outline handling key lifecycle events, ensuring data confidentiality and integrity.
Human Resources Security, Physical Access Policy, and Asset Management (Section XI)
This section details employee screening, onboarding, and offboarding procedures alongside guidelines for safeguarding physical premises. Asset management rules specify how hardware and data are inventoried, classified, and protected. By integrating personnel and physical security controls, it reduces risks from insider threats, prevents unauthorized access to facilities, and maintains up-to-date records of critical assets.
Access Control and Multi-Factor Authentication (Section XII)
Finally, this section defines how user accounts, administrator privileges, and system access rights are granted, monitored, and revoked. It stipulates password complexity, session lockouts, and the compulsory usage of multi-factor authentication for critical accounts. These measures guard against unauthorized logins and protect sensitive systems, ensuring that only vetted and authenticated users can perform designated actions.
Comparison with CIR 2024/2690
Since the cybersecurity measures in this Description of Cybersecurity Requirements are very detailed, one may wonder if they were copied from the Commission Implementing Regulation (CIR) 2024/2690 (Technical and methodological requirements of cybersecurity measures and specification for significant incidents for digital critical infrastructure companies).
When analyzing these two documents, it becomes clear that, while there is considerable overlap in broad themes (risk assessment, incident management, business continuity, supply chain, etc.), the Lithuanian regulation adds prescriptive details or extra mandates that go beyond or are absent from CIR 2024/2690.
For example, unlike CIR 2024/2690, the Lithuanian Description requires entities to submit or update details in the Cybersecurity Information System (“Kibernetinio saugumo informacinė sistema” — KSIS):
- Cybersecurity policy documents (Articles 5-6)
- Approved risk assessment reports and risk management plans (Articles 13-15)
- Continuity plan test results (Articles 29-30)
- Self-audit, compliance, incident investigation documents, etc.
Here is a summary of the most important requirements that exist in the Lithuanian Description, but not in CIR 2024/2690:
- Two-tier approach (“Essential” vs. “Important”) with separate technical obligations
- Extensive logging categories, minimum 90-day retention, monthly reviews, specialized logging hardware
- Mandatory 96% or 99% system availability for critical infrastructure
- Submitting multiple internal documents (risk assessments, continuity test results, etc.) to a central KSIS within 5 days
- Appointing a dedicated cybersecurity manager with no overlap in admin duties
- Highly detailed patch cycles (6-month vulnerability scans, immediate removal of critical vulnerabilities)
- Complex password rules (10 or 15 characters, forced 6-month rotations, 5 login attempts, etc.)
- Annual or triannual audits, with a required “cyber hygiene training” for all staff every year
- More prescriptive physical security (fire sensors, climate control, duplication of HVAC/power for essential entities)
Conclusion
Since the Lithuanian government published this very detailed Description of Cybersecurity Requirements that goes even beyond the requirements of CIR 2024/2690, it is obvious that a very strict implementation will be required in Lithuania.
Therefore, companies in the scope of NIS2 should implement cybersecurity properly, to avoid paying fines.
To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.