Lithuania
(a) What is the NIS2 implementation status?
On 18 October 2024, the amended Law on Cybersecurity of the Republic of Lithuania (available only in Lithuanian) (the “Law”) came into force, transposing the NIS2 Directive into Lithuanian law.
(b) What is the envisaged NIS2 implementation timeline?
The Law came into force on 18 October 2024. Additionally, on 12 November 2024, the amended and recast Resolution on the Implementation of the Law on Cybersecurity of the Republic of Lithuania (available only in Lithuanian) (the “Resolution”) came into force. It was amended in accordance with the provisions of the NIS2 Directive. The Resolution, among other things, establishes a description of cybersecurity requirements applicable to entities identified as essential or important for cybersecurity.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The transposition of the NIS2 Directive into Lithuanian law primarily impacted the Law and the Resolution, as these are the key legal acts governing cybersecurity in Lithuania. It introduced stricter security measures such as incident response planning, supply chain security, and risk assessments.
(d) Who will be the supervisory authority and how are they preparing the market?
The main Lithuanian cybersecurity institution and supervisory authority for Lithuania is the National Cybersecurity Centre under the Ministry of National Defence of the Republic of Lithuania (NCSC). The primary functions of the NCSC, among other things, include identifying cybersecurity subjects (ministries of the Republic of Lithuania also participate in this process) and overseeing them, managing cyber incidents, as well as educating and providing necessary information to help institutions comply more easily with Lithuanian cybersecurity laws.
Currently, the NCSC is identifying essential and important entities that will have to comply with the new cybersecurity requirements established by the Law (identified entities will be referred to as “Cybersecurity entities”) and preparing a Register of Cybersecurity entities (the “Register”). By 17 April 2025, the NCSC will include Cybersecurity entities in the Register and inform them via electronic notification (according to preliminary estimates by the NCSC, up to 2000 Cybersecurity entities may be included in the Register in Lithuania).
Additionally, the NCSC provides education on the recent changes in national cybersecurity legislation and has a separate section where useful information on the amended Law is provided (available only in Lithuanian).
(e) What should you be doing/on the lookout for?
Medium and large companies that operate in sectors set out by the Law must pay close attention (small and micro enterprises are generally excluded unless their service disruption could significantly impact the public sector, etc.). Organisations can check whether they are preliminarily included in the Register by providing certain data (available only in Lithuanian). In any case, as mentioned above, the NCSC will send notifications of inclusion in the Register by 17 April 2025.
Nevertheless, organisations operating in sectors of high criticality and other critical sectors as set out by the Law should familiarise themselves with the amended national cybersecurity laws to assess what changes could be needed to comply with the newest cybersecurity requirements. An organisation identified as a Cybersecurity entity will have limited time to implement the necessary adjustments in accordance with the Law and the Resolution. Organisational requirements, such as appointing cybersecurity officers, must be met by 17 April 2026, and technical requirements by 17 April 2027.
Contact
Rimtis Puišys E: rimtis.puisys@eversheds.lt
© Eversheds Sutherland. All rights reserved.