NIS2 Country Guide

NIS2 Lithuania: Amended Law on Cyber Security 2024

See how Lithuania has implemented the NIS2 Directive through the amended Law on Cyber Security, in force since 18 October 2024, what it means for essential and important “cybersecurity entities”, and how the National Cyber Security Centre (NCSC) supervises thousands of organisations across critical sectors.

Lithuania NIS2 law in force: 2024
Competent authority: National Cyber Security Centre (NCSC)

Introduction: NIS2 Directive & the Lithuanian context

Lithuania was already operating under a national Law on Cyber Security and NIS1-based requirements for certain operators of essential services. However, the NIS2 Directive required a broader, more detailed framework and a significant expansion of the entities subject to cybersecurity obligations.

With the 2024 amendments to the Law on Cyber Security, Lithuania has moved to a fully NIS2-aligned regime, combining centralised oversight, military-led coordination through the NCSC, and a structured compliance path for thousands of organisations across both public and private sectors.

NIS2 implementation in Lithuania

Lithuania has implemented NIS2 via amendments to the Law on Cyber Security of the Republic of Lithuania (LCS), adopted by the Seimas on 11 July 2024 and in force since 18 October 2024. This law transposes the core requirements of Directive (EU) 2022/2555 into Lithuanian law.

On 11 November 2024, the Government adopted an updated Resolution on the implementation of the Law on Cyber Security, which entered into force on 12 November 2024. It sets detailed cybersecurity requirements, reporting rules and criteria for identifying essential and important entities.

Lithuania uses a highly centralised model: the National Cyber Security Centre under the Ministry of National Defence (NCSC) coordinates NIS2 implementation, maintains the register of entities in scope and steers supervision and enforcement.

Status

NIS2 is fully transposed in Lithuania. The amended Law on Cyber Security and its implementing Resolution are in force, and Lithuania is considered one of the earliest NIS2 adopters in the EU.

Legal structure

The amended Law on Cyber Security (LCS) and Government Resolution on its implementation together define scope, obligations, designation of “cybersecurity entities”, supervisory powers and sanctions.

Supervisory approach

NCSC identifies and lists in-scope entities, coordinates with ministries and sector regulators, manages cyber incidents, and runs national outreach and guidance programmes.

NIS2 Lithuania: what you need to know about compliance

Lithuania closely follows the NIS2 model of essential and important entities, referred to nationally as “cybersecurity entities”. The law significantly expands the number of regulated organisations, from roughly 1,000 under the previous regime to an estimated 8,000–10,000 entities.

Who is in scope?

  • Entities in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium and large organisations meeting national size/turnover thresholds, typically:
    • Essential entities: ≥ 250 employees or ≥ €50m turnover.
    • Important entities: ≥ 50 employees or ≥ €10m turnover.
  • Additional categories defined nationally, including certain local public administrations, research institutions and hosting service providers.

Core obligations

  • Implement comprehensive cybersecurity risk-management measures aligned with NIS2 Article 21.
  • Maintain governance documentation, including board-approved cybersecurity plans and policies.
  • Ensure incident detection, response and reporting processes meet the 24h / 72h / 30-day notification ladder.
  • Manage supply-chain cybersecurity risks and document security requirements for critical suppliers.
  • Provide training and oversight at management level; directors are explicitly accountable for cybersecurity.

Identification & listing

Entities do not self-register. Instead, NCSC, together with other authorities, identifies entities in scope and enters them into a dedicated NIS2 register. Legacy NIS1 operators are automatically treated as essential entities and listed accordingly.

Once listed, entities are formally notified and their individual compliance deadlines start to run.

Important: Lithuanian law provides a staged compliance window, typically 12 months from listing for organisational measures and 24 months for full technical implementation, after which NCSC and sector regulators can start audits.

Competent authorities & CSIRT

Lithuania combines centralised supervision with strong military-linked coordination: the National Cyber Security Centre under the Ministry of National Defence acts as competent authority, CSIRT and single point of contact for NIS2.

| Role | Authority | Notes |
|---|---|---|
| National competent authority & Single Point of Contact | National Cyber Security Centre (NCSC) | Leads NIS2 implementation, identifies cybersecurity entities, maintains the NIS2 register, coordinates supervision and represents Lithuania in EU-level cooperation. |
| National CSIRT | NCSC / CERT-LT | Receives incident notifications, issues alerts and advisories, and coordinates technical response and information sharing with entities in scope. |
| Policy lead | Ministry of National Defence | Oversees national cybersecurity policy, including the Cyber Security Development Programme and the establishment of the Cyber Defence Command of the Armed Forces. |
| Sectoral regulators | Various (e.g. energy, finance, communications) | Support or share supervisory tasks in their sectors, especially where EU sectoral regulations (e.g. DORA, telecom rules) intersect with NIS2. |

NIS2 timeline & key dates (Lithuania)

1 September 2023 — Draft amendments to the Law on Cyber Security published for consultation.
11 July 2024 — Amended Law on Cyber Security adopted by the Seimas (Act transposing NIS2).
18 October 2024 — Law on Cyber Security (as amended) enters into force, formally implementing NIS2.
12 November 2024 — Implementing Resolution enters into force, detailing cybersecurity requirements, reporting and designation rules.
17 April 2025 — Deadline for NCSC to complete the listing of essential and important entities in the national register.
Oct 2025 – Oct 2026 — Typical window for entities to implement organisational and governance controls after listing.
Oct 2026 – Oct 2027 — Typical window for full technical implementation; preparation for first audits.
2027 onwards — Regular NCSC and sectoral supervision and audits of cybersecurity entities.

Sector-specific notes for Lithuania

  • Energy: the scope covers a broad set of energy operators, including electricity, gas, LNG, hydrogen and district heating operators, with strong monitoring and reporting to energy regulators.
  • Digital infrastructure: data centres, cloud providers, electronic communications networks and DNS/TLD operators are treated as highly critical, often essential regardless of size.
  • Healthcare: the number of covered healthcare providers has increased substantially, with expectations around incident drills and alignment with standards such as ISO/IEC 27001.
  • Manufacturing & industry: many manufacturing companies become important entities, particularly where they support critical supply chains or national strategic sectors.
  • Public sector: ministries, central public bodies and larger municipalities are included to strengthen the resilience of public services and state digital infrastructure.

Penalties for non-compliance

The Lithuanian NIS2 regime introduces a robust sanctions framework, with high administrative fines and explicit management liability to ensure that cybersecurity is treated as a board-level priority.

  • For essential entities: fines up to approximately €10 million or 2% of global annual turnover (whichever is higher) for the most serious breaches.
  • For important entities: fines up to approximately €7 million or 1.4% of global annual turnover.
  • Separate fines for procedural breaches (e.g. missed deadlines, incomplete reporting).
  • Possibility of daily coercive penalties and enhanced supervision in case of continued non-compliance.
  • Potential disqualification of directors for repeated or serious negligence, and corrective measures for public-sector bodies instead of monetary fines.

How to prepare for NIS2 in Lithuania

  1. Check if you are likely in scope: review your sector, size and role against NIS2 Annex I & II and national criteria; use the NCSC self-check tools where available.
  2. Monitor your listing status: follow NCSC communications and confirm whether your organisation has been included in the cybersecurity entities register.
  3. Run a gap assessment: compare your current controls against NIS2 Article 21 and Lithuanian cybersecurity requirements (governance, technical measures, documentation, reporting).
  4. Plan for the 12–24 month window: design a realistic roadmap to implement organisational measures within 12 months and technical controls within 24 months of listing.
  5. Strengthen incident readiness: create or update your incident response plan around the 24h / 72h / 30-day reporting scheme and align it with GDPR where personal data is involved.
  6. Review supply-chain risk: map critical suppliers and update contracts with explicit cybersecurity, audit and incident-notification clauses.
  7. Align with recognised frameworks: leverage ISO/IEC 27001, NIST CSF or similar frameworks to structure your ISMS and evidence NIS2 compliance.
  8. Engage the board: ensure that management formally approves the cybersecurity programme and receives regular updates and training on NIS2 obligations.

FAQ: NIS2 in Lithuania

Has Lithuania fully transposed NIS2?

Yes. Lithuania has fully transposed NIS2 through the amended Law on Cyber Security, in force since 18 October 2024, with implementing regulations from November 2024 and NCSC designated as the national authority.

How will we know if we are in scope?

The NCSC, together with other authorities, identifies and lists essential and important entities in a dedicated register. You will be notified if you are included, and public self-check tools can help you understand your likely status in advance.

How long do we have to comply once listed?

In general, entities have 12 months from listing to implement organisational and governance measures, and up to 24 months to complete all technical measures, after which audits may begin.

Who is the NIS2 competent authority in Lithuania?

The National Cyber Security Centre (NCSC) under the Ministry of National Defence is the main NIS2 competent authority, single point of contact and national CSIRT.

Is ISO 27001 certification mandatory?

ISO/IEC 27001 is not mandatory by name, but Lithuanian guidance strongly encourages alignment with recognised standards to structure and demonstrate compliance with the Law on Cyber Security and NIS2.

Information provided for general guidance; always consult the official Lithuanian legislation, NCSC publications and legal counsel for definitive NIS2 compliance requirements.