NIS2 Lithuania: what you need to know about compliance and certification

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into national law in Lithuania through the amended Cyber Security Law of the Republic of Lithuania, which entered into force on 18/10/2024, and the Government Resolution on the implementation of the Law of the Republic of Lithuania on cyber security (‘Resolution’), which entered into force on 12/11/2024.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations.
NIS2 entities
The Lithuanian Cyber Security Act is stricter than the European minimum standards and explicitly defines which public and private entities are subject to cyber security obligations.
To this end, Lithuanian law distinguishes between essential entities (esminiai subjektai) and important entities (svarbūs subjektai), known as ‘cyber security entities’. An entity is only officially considered subject to NIS2 after registration in the Lithuanian Cyber Security Information System by the government. A set of identification criteria is used for this purpose, as described in Article 11.
Essential entities are organisations whose disruption of services could have a significant societal or economic impact. Article 11 of the Act describes the general and specific criteria for an essential entity. These include:
- Large companies active in sectors listed in Annex I of the Act, such as energy, transport and healthcare;
- Providers of qualified trust services or top-level domain registration;
- Government institutions at central, regional or municipal level;
- The sole provider of a service that is vital to society or the state.
The general and specific criteria for important entities are also listed in Article 11. Examples include:
- Medium-sized enterprises in the sectors listed in Annex I;
- Large enterprises in the sectors listed in Annex II, provided that more than 50% of their turnover comes from those sectors;
- Micro, small and medium-sized entities providing non-qualified trust services.
The full list of sectors can be found in Annex I and Annex II of the Lithuanian Cyber Security Law.
| Annex I: Very critical sectors | Annex II: Other critical sectors |
|---|---|
| Energy (electricity, district heating and cooling, oil, gas, hydrogen) | Postal and courier services |
| Transport (air, rail, water, road) | Waste management |
| Banking | Manufacture, production and distribution of chemicals |
| Financial market infrastructures | Manufacture, processing and distribution of food products |
| Healthcare | Manufacture of medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment |
| Drinking water | Digital providers |
| Wastewater | Research |
| Digital infrastructure | |
| Management of ICT services (business-to-business) | |
| Government | |
| Space | |
What does this mean for my company?
1. Registration (Articles 11, 13, 19)
The registration of cyber security entities in Lithuania is coordinated by the National Cyber Security Centre (NKSC) under the Ministry of Defence. The NKSC must draw up a list of entities that are considered important or essential by 17 April 2025 at the latest. This will be done using the general and specific criteria for essential and important entities as described in Article 11 of the Act. The entities included in the register will be notified accordingly. In addition, you can also check whether your entity is registered as a cyber security entity via the NKSC platform.
2. Implementing security measures
If your organisation falls within the scope of the NIS2 Act, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These measures are described in the Government Resolution:
- Appointing a cyber security manager and other persons responsible for cyber security
- Policy for risk analysis and security of information systems
- Incident management
- Business continuity and crisis management
- Supply chain security
- Security when acquiring, developing and maintaining network and information systems, including the response to and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of measures for managing cyber security risks
- Cyber hygiene and training in cyber security
- Policies and procedures on cryptography and, where applicable, encryption
- Security aspects relating to personnel, access policy and asset management
- Where appropriate, multi-factor authentication, secure communication and secure emergency communication systems within the entity
- Policy for the coordinated disclosure of vulnerabilities
The European Commission has set out the above minimum cybersecurity measures in Implementing Regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines, social networking service providers, and trust service providers.
3. Incident reporting obligation (Art. 18)
Important and essential entities are required to notify the national CSIRT (in Lithuania, the NKSC) if a significant incident occurs. In addition to the NKSC, they must also notify the recipients of their services if the significant incident affects the provision of services in the (sub)sectors listed in Annexes I and II.
A significant incident is defined in the NIS2 Act as ‘any incident that has significant consequences for the provision of one of the services in the sectors or subsectors listed in Annexes I and II of the Act and that:
- has caused or is likely to cause a serious operational disruption of one of the services in the sectors or subsectors listed in Annexes I and II or financial losses for the entity concerned; or
- has affected or is likely to affect other natural or legal persons by causing significant material or non-material damage’.
The significant incident shall be reported by the cyber entity to the NKSC in accordance with the following procedure:
- without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning via the NKSC’s notification platform, stating the suspected cause and any cross-border implications;
- without undue delay and in any event within 72 hours of becoming aware of the significant incident, the entity shall communicate an incident report containing an information update and an initial assessment of the incident;
- at the request of the NKSC, the entity shall submit an interim report;
- no later than one month after the incident report, the entity shall submit a final report stating:
  - a detailed description of the incident, as well as its severity and consequences;
  - the type of threat or root cause that likely led to the incident;
  - applied and ongoing risk mitigation measures;
  - the cross-border consequences of the incident, if applicable;
- if the incident is still ongoing one month after the incident report, the entity must submit a progress report, and a final report must be submitted within one month of the incident being resolved.
In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers and social networking service platform providers, and trust service providers. These special rules take precedence over national rules in the event of any conflict.
Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses to the NKSC via the notification platform.
More information about the Cyber Security Information System can be found on the NKSC website.
4. Management obligations and responsibilities
The management bodies of entities falling within the scope of the NIS2 Act must comply with a number of obligations:
- Appoint a cyber security manager and/or security officer to coordinate and supervise the implementation of cyber security measures, and other persons responsible for cyber security;
- Follow training, at least every two years, to acquire sufficient knowledge and skills to identify risks and assess control measures and their impact on their services;
- Provide continuous training on cyber security for the employees of the cyber security entity;
- Approve the cyber security control measures.
The management bodies are liable for non-compliance with the NIS2 Act.
5. Cooperation with authorities
NIS2 entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
How to demonstrate NIS2 compliance?
As indicated in the ‘Enforcement and penalties’ section below, the Lithuanian authority carries out inspections to ensure compliance with the NIS2 Act by cyber security entities.
In addition, the cyber security entity is required to have an independent audit carried out by an accredited conformity assessment body (CAB) at least every three years. Based on this independent conformity assessment, the cyber security entity can obtain a certificate demonstrating compliance with the NIS2 Act to stakeholders.
The national certification scheme, which has been in force since 2016 and has already undergone several changes, is similar to ISO/IEC 27001.
If you would like more information about certification, you can make an appointment with an expert here.
Enforcement and sanctions (Art. 28 et seq.)
The NKSC carries out inspections to verify compliance by cyber security entities with the requirements set out in the NIS2 Act. A distinction must be made between essential and important entities:
- Essential entities are checked both proactively (ex ante) and reactively (ex post) and are required to undergo regular conformity assessments.
- Important entities are, in principle, only checked reactively, after an incident or if there is a suspicion of non-compliance with the law.
The Lithuanian NIS2 Act provides for specific sanctions for entities that fail to comply with the legal provisions. These sanctions vary according to the nature and severity of the infringement and are divided into administrative measures and administrative fines. The legislator distinguishes between serious, moderate and minor infringements. The NKSC selects one or more measures based on the legal procedure.
Possible administrative measures that may be imposed include warnings, appointing a control officer, temporarily suspending certification or authorisation, temporarily prohibiting the performance of management functions, etc.
Administrative fines that may be imposed are also laid down by law and can amount to up to 10,000,000 euros for essential entities and up to 7,000,000 euros for important entities. An overview of the administrative measures and fines can be consulted on the NKSC website.
Deadlines
The Lithuanian NIS2 Act entered into force on 18/10/2024. From that date, NIS2 entities are required to implement the minimum set of management measures against cyber threats. Significant incidents must also be reported in accordance with the prescribed procedure. Furthermore, management bodies must comply with their obligations as described above, and entities must cooperate with the competent authorities and are also subject to their supervision.
The Lithuanian government is required to compile a list of cyber security entities by 17/04/2025. These cyber security entities will have 12 months from the date of registration to implement organisational measures, i.e. by 17/04/2026. The cyber security entity will have 24 months from the date of registration to implement the technical measures, i.e. by 17/04/2027 at the latest. Essential entities are also subject to deadlines for regular conformity assessments. The ex-post evaluation must be carried out by 01/01/2029 at the latest.
Competent authorities (Articles 4, 5, 7, 9, 10)
In Lithuania, various national authorities are involved in shaping and implementing cyber security policy. The coordination and implementation of these policy measures are divided among several agencies, each with specific responsibilities.
The Ministry of Defence is responsible for Lithuania’s overall cyber security policy. It sets strategic goals and priorities and coordinates their implementation. The Ministry of Foreign Affairs plays a role in developing legal frameworks for diplomatic measures in response to cyber threats and incidents.
The National Cyber Security Centre (NKSC), operating under the Ministry of Defence, is the national authority for network and information system security. It also acts as the Computer Security Incident Response Team (CSIRT) and as the central point of contact for cyber security incidents. The NKSC is responsible for overseeing cyber security issues and providing guidelines and recommendations to both public and private entities.
Cyber security policy in Lithuania is implemented by the National Cyber Security Commission, the Lithuanian police and the State Data Protection Inspectorate. The National Crisis Management Centre coordinates the response to large-scale cyber incidents that exceed national capacity and, in such cases, ensures communication with European institutions.
Useful links
More information and answers to your NIS2-related questions can be found on the NKSC website.