Lithuania


(a) What is the NIS2 implementation status?

On 18 October 2024, the amended Law on Cybersecurity of the Republic of Lithuania (available only in Lithuanian) (the “Law”) came into force, transposing the NIS2 Directive into Lithuanian law.

(b) What is the envisaged NIS2 implementation timeline?

The Law came into force on 18 October 2024. Additionally, on 12 November 2024, the amended and recast Resolution on the Implementation of the Law on Cybersecurity of the Republic of Lithuania (available only in Lithuanian) (the “Resolution”) came into force. It was amended in accordance with the provisions of the NIS2 Directive. The Resolution, among other things, establishes a description of cybersecurity requirements applicable to entities identified as essential or important for cybersecurity.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The transposition of the NIS2 Directive into Lithuanian law primarily impacted the Law and the Resolution, as these are the key legal acts governing cybersecurity in Lithuania. It introduced stricter security measures such as incident response planning, supply chain security, and risk assessments.

(d) Who will be the supervisory authority and how are they preparing the market?

The main Lithuanian cybersecurity institution and supervisory authority is the National Cybersecurity Centre under the Ministry of National Defence of the Republic of Lithuania (NCSC). The primary functions of the NCSC include, among other things, identifying cybersecurity subjects (ministries of the Republic of Lithuania also participate in this process) and overseeing them, managing cyber incidents, and educating institutions and providing the information they need to comply more easily with Lithuanian cybersecurity laws.

The NCSC has identified the initial essential and important entities that are required to comply with the new cybersecurity requirements established by the Law (identified entities will be referred to as “Cybersecurity entities”) and has prepared a Register of Cybersecurity entities (the “Register”). According to the NCSC, 1443 Cybersecurity entities were included in the Register in Lithuania. Around 17 April 2025, the NCSC notified the relevant entities by electronic means of their status in the Register or, where applicable, requested the supplementation/clarification of information related to their activities, employees and other relevant circumstances for the purpose of assessing their qualification under the Law.

Additionally, the NCSC provides education on the recent changes in national cybersecurity legislation and has a separate section where useful information on the amended Law is provided (available only in Lithuanian).

(e) What should you be doing/on the lookout for?

Medium and large companies that operate in sectors set out by the Law must pay close attention (small and micro enterprises are generally excluded unless disruption of their services could significantly impact the public sector, etc.). Such organisations should check whether they have received a notification/confirmation from the NCSC, which was sent around 17 April 2025 to the e-mail address registered with the Lithuanian Register of Legal Entities as the entity’s point of contact.

Nevertheless, if an organisation is uncertain whether it has received a notification/confirmation from the NCSC, it may contact the NCSC directly here: Contacts | NKSC. Please note that the official Register is not publicly available.

In any case, organisations that have been identified as Cybersecurity entities should familiarise themselves with the amended national cybersecurity laws to assess what changes are needed to comply with the newest cybersecurity requirements. At the same time, given that the Register is reviewed and updated annually, other organisations operating in sectors of high criticality and other critical sectors could also familiarise themselves with these requirements, considering that they may be identified and included in the Register in the future or choose to apply them on a voluntary basis (which is generally encouraged and considered good practice).

Under the applicable regulatory framework, specific implementation timelines apply once an organisation is identified as a Cybersecurity entity. Following identification, entities are currently required to implement organisational and other related requirements, such as the appointment of cybersecurity officers, within 12 months from the date of their inclusion in the Register, while technical measures must be implemented within 24 months from that date. Further details on the scope and content of these measures are primarily set out in the Resolution.

Contact

Rimtis Puišys E: rimtis.puisys@eversheds.lt


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
