I still remember the sharp rise in calls from our Baltic clients around the end of 2024. Something had clearly shifted. Most questions danced around one theme: “Are we NIS2-compliant yet?” It was more than just regulatory anxiety—it was the realization that the cyber resilience game in Lithuania had changed drastically. With the Network and Information Security 2 Directive (NIS2) coming into force, the urgency hit companies across critical sectors, from manufacturing to healthcare.
Lithuania isn’t just ticking boxes with its implementation of NIS2. It’s adopting a military-led, centralized model that raises the bar for compliance across thousands of organizations. So, what does NIS2 in Lithuania mean in practice, and how should stakeholders prepare? Let’s unpack the law, deadlines, obligations, and what’s truly at stake.
Key takeaways: where Lithuania stands in April 2025
The seismic shift started with the Lithuanian Seimas adopting Act XIV-2902, amending the national Cyber Security Law (No XII-1428). In doing so, Lithuania officially replaced its outdated NIS-1 regime with a comprehensive legal framework in line with the European Union’s Network and Information Security 2 Directive.
Here’s a snapshot of where things currently stand:
NIS2 implementation overview – Lithuania (as of April 2025)
| Theme | Status and notes |
|---|---|
| Transposition | New Cyber Security Law passed on 11 July 2024; effective from 18 October 2024 |
| Scope | Expanded from ~1,000 to 8,000–10,000 entities |
| Entity classes | Essential: ≥250 employees or €50M turnover; Important: ≥50 employees or €10M turnover |
| Timeline | Entities to be listed by 17 April 2025; compliance windows of 12 and 24 months follow |
| Reporting | 24-hour alert → 72-hour update → 30-day final report |
| Authority | National Cyber Security Centre (NCSC) under the Ministry of Defence |
| Sanctions | Up to €10M or 2% of global turnover for essential entities |
| Public sector | Covered by the directive, but subject to corrective orders instead of fines |
Let’s now walk through the most critical elements of Lithuania NIS2 implementation, from legislative timelines to what companies should be doing right now.
From consultation to enforcement: the NIS2 timeline
Lithuania followed a precise legislative journey from consultation to binding law. This path ensured transparency while setting clear expectations for affected organizations.
Timeline of Lithuania’s NIS2 directive transposition
| Date | Milestone | Status |
|---|---|---|
| 01 Sep 2023 | Draft posted on e-Consultation portal | Complete |
| 11 Jul 2024 | Law passed by Seimas | Complete |
| 18 Oct 2024 | Law enters into force | Complete |
| 17 Apr 2025 | Deadline for NCSC to list all essential/important entities | Ongoing |
| Oct 2025 – Oct 2026 | Entities implement governance controls | Upcoming |
| Oct 2026 – Oct 2027 | Entities implement technical controls | Upcoming |
| 2027 onwards | Sectoral and NCSC audits begin | Upcoming |
The countdown starts the moment an entity is listed by NCSC, not before. This staged compliance clock—12 months for organizational measures and 24 for technical—allows structured adaptation but requires serious planning.
How Lithuania is implementing the NIS2 directive
Lithuania’s approach stands out in Europe for three key reasons: centralised control, military oversight, and a highly structured compliance path. The amended Cyber Security Law aligns closely with NIS2 Article 21, covering everything from risk governance to executive accountability.
Key components of Lithuania’s new Cyber Security Law
| Chapter | Summary |
|---|---|
| I–II | Defines scope and terms; adds universities and research to national sectors |
| III | Maps risk management duties to ISO 27001; requires board-approved cyber plans |
| IV | Sets 24h/72h/30d incident reporting protocols, with optional near-miss reports |
| V | Grants NCSC audit powers and allows sector regulators to oversee their domains |
| VI | Introduces fines, daily coercive penalties, and disqualification of directors |
| Transition | Automatically lists legacy NIS-1 operators as essential entities |
Rather than requiring self-registration, Lithuania empowers the NCSC to list all qualifying entities—a move intended to ensure no one slips through the cracks. A public compliance-check wizard is available on the NCSC website.
Sanctions and executive liability
Failing to comply with NIS2 as transposed in Lithuania isn’t just a slap on the wrist. Sanctions can hit hard, and accountability reaches all the way to the boardroom. Executive liability has become more than just theoretical—it’s enforceable.
Sanctions structure under the Lithuanian Cyber Security Law
| Entity type | Max fine | Escalation path |
|---|---|---|
| Essential | €10M or 2% of global turnover | Warning → Order → Daily fine → Full penalty |
| Important | €7M or 1.4% of global turnover | Same as above |
| Procedural breaches | €0.3–2M | Applied to missed deadlines or partial compliance |
| Executives | Up to 3-year disqualification | Triggered by repeated negligence |
| Public sector | No monetary fines | Subject to corrective orders and public naming |
This creates a compliance culture where cybersecurity is a board-level issue. Directors must formally approve cyber programs and plan for their first audit by 2027.
Industry impact: from hospitals to hydrogen
Lithuania’s NIS2 transposition significantly broadens the types of entities under regulation, bringing many previously untouched sectors into the fold. This isn’t just a tweak—it’s a major expansion of cybersecurity obligations.
Sector-specific changes under NIS2 Lithuania
| Sector | Changes | Typical new duties |
|---|---|---|
| Manufacturing | Regulated as important (≥50 FTE) | Supplier-risk assessments, red-team testing |
| Energy | Includes LNG, hydrogen, district heating | Monitoring, KPIs reported to the energy regulator (VERT) |
| Healthcare | From 60 to 200+ covered providers | Incident drills, ISO 27001 compliance |
| Digital infrastructure | Essential regardless of size | 24/7 SOC in the EU, vendor register |
| Finance | Overlaps with the DORA regulation | TLPT cycles, dual reporting channels |
| Public sector | Ministries and big cities listed | CISO appointment, mandatory reporting |
What companies should do next
Many organizations are waiting to be officially listed by NCSC, but that doesn’t mean it’s time to sit idle. Proactive planning now will pay off later, especially when the compliance clock starts ticking.
Start with these core actions:
- Check your listing on the NCSC wizard to confirm your classification.
- Run a gap analysis against Article 21 controls—multi-factor authentication and supply chain risk often top the list.
- Create an incident response SOP tailored to the 24h/72h/30d rule and ensure it aligns with GDPR requirements.
- Engage your board early—formal approval of your cyber plan now will limit legal liability down the line.
- Schedule your first audit for 2027 and maintain documentation of all actions taken.
Is your organisation ready to weather the NIS2 storm?
Lithuania’s NIS2 implementation reflects a broader shift across the EU—a recognition that cybersecurity isn’t just an IT problem, but a strategic, operational, and governance issue. With the law now in force, and NCSC’s listing deadline approaching fast, Lithuanian companies don’t have the luxury of delay.
The steps you take today—conducting a risk analysis, updating response protocols, involving executive leadership—will define your resilience in the years to come. And with a military-led authority like NCSC at the helm, enforcement won’t be optional.
So the real question isn’t “Will we comply?” It’s “Will we lead—or lag behind?” Let’s make sure it’s the former.