Lithuania: Implementation of the NIS2 Directive

Issue 11.11

Lithuania has updated its national legislation: the revised Cybersecurity Law aligns national law with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the NIS2 Directive). The new Cybersecurity Law took effect on October 18, 2024, and the implementing legislation was adopted on November 6, 2024.

By April 17, 2025, national cybersecurity authorities are required to compile the initial list of entities considered essential and important under this law.

These designated entities will then have a grace period of up to 24 months to fully implement the requirements set forth by the law: 12 months for organizational risk management measures and 24 months for technical risk management measures. It is important to stress that the transition period starts only from the date on which the relevant entity is entered into the Cybersecurity Information System maintained by the National Cyber Security Centre (NSSC), not from the date the law took effect. The transition period is designed to give organizations sufficient time to upgrade their infrastructure and operational practices to comply with the new standards.

Main Obligations of Cybersecurity Entities

The obligations stipulated by the new Cybersecurity Law are aimed at maintaining a robust level of security for networks and information systems, proportionate to the entity's own risk assessment. They include the adoption of effective risk management practices and the establishment of incident response mechanisms. Entities are also required to report cybersecurity incidents to the NSSC. Large-scale cybersecurity incidents must be reported within 24 hours of detection, with a detailed follow-up report due within 72 hours; according to the implementing legislation, other cybersecurity incidents must be reported within 72 hours of detection. The implementing legislation further requires cybersecurity entities to adapt their incident management systems so that cyber incidents are registered automatically on the NSSC platform, within 12 months of the entity's registration in the Cybersecurity Information System.

Severe Sanctions for Non-compliance

As NIS2 requires, Lithuania has set severe sanctions for entities that fail to comply with the new cybersecurity regulations. The most drastic of these can result in fines of up to EUR 10 million or 2% of the entity's total worldwide annual turnover for the previous financial year, whichever is higher. These penalties underline the importance of adhering to the cybersecurity measures and are intended to ensure that entities take their responsibilities seriously.

In addition to fines, the NSSC will have the power to impose various enforcement measures on cybersecurity entities. For example, it may instruct an entity to inform the recipients of its services of the actions they may take in response to a serious threat. Certain severe enforcement measures, such as suspension of activities or the temporary suspension of a manager, can be applied only to essential entities and only by court decision.

Challenges in Implementation

The implementation of the NIS2 Directive may face significant hurdles, particularly due to the expected shortage of skilled cybersecurity professionals such as auditors and security officers. This shortage is part of a broader global talent gap in cybersecurity, which may be more pronounced in smaller markets like Lithuania. The deficit of qualified professionals could delay the required compliance audits and the overall implementation of compliance within the entities, and may affect entities' finances, as the high demand for such services is expected to drive up prices.

Conclusion

The implementation of Lithuania's updated Cybersecurity Law, in response to the NIS2 Directive, significantly raises cybersecurity standards across the country. By introducing precise incident reporting and risk management requirements and substantial penalties for non-compliance, the new legislation aims to ensure a high, risk-based level of cybersecurity within key entities. However, the effective implementation of these requirements may be hampered by the shortage of skilled cybersecurity professionals, potentially delaying compliance and increasing costs for businesses as they strive to meet the new requirements.

By Asta Macijauskiene, Partner, Widen

This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.