NIS2 in Lithuania
A guide to NIS2 implementation and compliance in Lithuania.
Lithuania is strengthening its national cybersecurity regime to align with the enhanced obligations introduced under the NIS2 Directive. The updated framework expands sector coverage, reinforces executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Lithuania for SMEs operating in regulated sectors.
1. Quick SME Applicability Snapshot in Lithuania
Does NIS2 apply to SMEs in Lithuania?
Yes — depending on sector and size.
- Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
- Small or micro entities are included only if formally designated or operating in high-criticality sectors.
- Applies to entities established in Lithuania and, in certain cases, foreign digital providers serving the Lithuanian market.
SMEs should assess qualification under Lithuania's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Lithuania
Lithuania has transposed NIS2 through an amendment (Act XIV-2902) to the Law on Cybersecurity of the Republic of Lithuania (No. XII-1428), adopted on 11 July 2024 and in force since 18 October 2024. The supplementary Government Resolution on Implementation — establishing the cybersecurity requirements applicable to essential and important entities — came into force on 12 November 2024.
The framework aligns Lithuania's regime with Directive (EU) 2022/2555 and introduces several national specifics: Lithuania expands scope beyond the Directive to include local-level public administration, entities engaged in critical research and experimental development (potentially including certain universities), and electronic information hosting service providers. Entities must appoint a cybersecurity manager responsible for implementation and compliance, and there is no self-registration obligation — the NCSC identifies and notifies entities directly.
Notified entities have 12 months from notification to implement organisational measures and 24 months for technical measures. The NCSC notified the initial register of 1,443 cybersecurity entities around 17 April 2025.
3. Scope of Application in Lithuania
Essential Entities
Entities operating in highly critical sectors:
Important Entities
Entities operating in other listed sectors:
Lithuania's scope exceeds the Directive minimum. The Law explicitly extends to local-level public administration, entities engaged in critical research and experimental development activities (which may include certain universities), and electronic information hosting service providers — none of which are required by the Directive.
4. Size Thresholds and SME Applicability in Lithuania
The baseline thresholds apply:
- ≥50 employees, and
- ≥€10 million annual turnover or balance sheet total.
Entities meeting both criteria within covered sectors are automatically within scope.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.
Lithuanian authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Lithuania
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced supervision.
Lithuania follows the Directive's two-tier supervisory structure.
6. Cybersecurity Risk Management Requirements in Lithuania
Lithuania's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain risk controls
- Secure acquisition and development of ICT systems
- Access control and identity management
- Encryption and cryptographic safeguards
- Vulnerability management procedures
- Staff cybersecurity training
Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Lithuanian cybersecurity guidance is encouraged.
Supply chain oversight includes vendor due diligence and contractual cybersecurity safeguards.
7. Management Liability and Governance in Lithuania
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Lithuania's framework:
- Boards are accountable for compliance oversight.
- Senior management must ensure sufficient cybersecurity competence. Entities are required to appoint a cybersecurity manager and other designated persons responsible for cybersecurity implementation and compliance.
- Administrative sanctions may address governance failures.
- Temporary suspension of managerial functions is available under the Law, but applies only to essential entities and only following a court decision.
- Essential entities must undergo a mandatory independent conformity assessment at least every three years, conducted by an accredited certification body, based on a scheme similar to ISO/IEC 27001.
Lithuania's NIS2 management liability expectations elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Lithuania
Definition of a Significant Incident
An incident qualifies if it causes:
- Severe operational disruption
- Significant financial loss
- Substantial societal impact
- Cross-border effects
Reporting Timeline
| Reporting Stage | Deadline | Authority |
|---|---|---|
| Early Warning | 24 hours | National Cyber Security Centre (NCSC Lithuania) |
| Incident Notification | 72 hours | National Cyber Security Centre (NCSC Lithuania) |
| Final Report | 1 month | National Cyber Security Centre (NCSC Lithuania) |
9. Supervisory Authorities and Enforcement Model in Lithuania
Primary authority: National Cyber Security Centre (NCSC Lithuania).
Lithuania operates a centralized supervisory model coordinated by the NCSC, with sector-specific regulators involved where necessary.
Supervisory powers include:
- Requests for documentation and information
- Security audits
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Lithuania
Lithuania applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
NIS2 enforcement in Lithuania may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Managerial suspension powers
Criminal liability applies only where explicitly provided under Lithuanian legislation.
11. NIS2 Supply Chain and Vendor Security in Lithuania
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Lithuania's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Lithuania
No self-registration is required. The NCSC, together with other governmental institutions, identifies entities that fall within scope and notifies them directly by electronic means. Entities should check whether they have received a notification from the NCSC (sent to the email address registered with the Lithuanian Register of Legal Entities). Entities uncertain of their status may contact the NCSC directly or use the NCSC's public compliance-check tool.
The NCSC may request supplementation or clarification of information related to an entity's activities, employees, and other circumstances relevant to scope assessment.
Entities within scope must:
- Disclose sector classification
- Maintain updated reporting contacts
The NCSC compiled and notified the initial register of 1,443 cybersecurity entities around 17 April 2025 (passed). Notified entities have 12 months from notification to implement organisational measures (deadline: approximately 17 April 2026) and 24 months for technical measures (deadline: approximately 17 April 2027). The register is not publicly available.
While entities are not required to register themselves, organisations that meet size and sector thresholds should proactively verify whether they have been notified. If not yet notified, organisations should contact the NCSC, as failure to comply once identified carries significant sanctions.
13. Interaction With GDPR and Other Laws in Lithuania
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification
- Supervisory authority coordination
14. Cross-Border Applicability
Entities with their main establishment in Lithuania are supervised by Lithuanian authorities for cross-border services.
Foreign digital providers offering services in Lithuania may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Lithuanian market.
15. Implementation Timeline in Lithuania
- Directive adoption: 2022
- National legislative amendments: Amended Law on Cybersecurity (No. XII-1428) adopted by Seimas 11 July 2024; Government Resolution on Implementation adopted 6 November 2024 and in force 12 November 2024
- Entry into force: 18 October 2024 (amended Law on Cybersecurity); 12 November 2024 (Government Resolution on Implementation)
- Commission notification: Fully notified; Lithuania is among the Member States that completed transposition on time and is not subject to an EC reasoned opinion
- Compliance milestones: NCSC entity identification and notification deadline: 17 April 2025 (passed; 1,443 entities notified); organisational measures deadline: 17 April 2026 (12 months from notification); technical measures deadline: 17 April 2027 (24 months from notification); essential entity conformity assessment: at least every 3 years from listing
Lithuania completed NIS2 transposition on 18 October 2024, meeting the EU deadline. The NCSC notified the initial register of cybersecurity entities around 17 April 2025. The organisational measures compliance deadline of 17 April 2026 is now imminent for notified entities; the technical measures deadline follows on 17 April 2027.
16. Key Takeaways for SMEs in Lithuania
- Medium-sized entities in covered sectors are automatically within scope. Note that Lithuania's scope also extends to local-level public administration, critical research entities, and electronic information hosting service providers beyond the Directive minimum.
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory. Entities must also appoint a cybersecurity manager. Essential entities must undergo a mandatory independent conformity assessment at least every three years by an accredited certification body.
- Incident reporting follows 24h / 72h / 1 month deadlines.
- Financial penalties can reach €10 million or 2% of global turnover.
- Vendor risk management is required.
- Entities do not self-register — the NCSC identifies and notifies entities directly. Check whether your organisation has received an NCSC notification. If notified around 17 April 2025, organisational measures are due by approximately 17 April 2026 and technical measures by 17 April 2027. Entities not yet notified should contact the NCSC proactively.
FAQ: NIS2 Lithuania SME Guide
Does NIS2 apply to small companies in Lithuania?
Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.
What are the NIS2 fines in Lithuania?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Lithuania?
The amended Law on Cybersecurity of the Republic of Lithuania entered into force on 18 October 2024, meeting the EU deadline. The supplementary Government Resolution on Implementation followed on 12 November 2024. The NCSC notified the initial register of 1,443 cybersecurity entities around 17 April 2025. Notified entities have until approximately 17 April 2026 to implement organisational measures and 17 April 2027 for technical measures. Entities do not self-register — the NCSC identifies and contacts in-scope entities directly.
Who enforces NIS2 in Lithuania?
The National Cyber Security Centre (NCSC Lithuania) serves as the primary supervisory authority, coordinating with sector regulators where applicable.
Can directors be personally liable under NIS2 in Lithuania?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Lithuania?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Lithuania?
An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.