NIS2 Compliance in Lithuania: NCSC-LT’s Enforcement Role, the Post-BRELL Energy Sector, and Your 2026 Obligations
When Lithuania disconnected from the BRELL power grid on 8 February 2025 and synchronised with Continental Europe the following day, its energy operators did not just gain frequency control independence from Moscow. They inherited an immediate, concrete NIS2 obligation: critical energy infrastructure that now sits entirely within the EU’s cybersecurity regulatory perimeter, with no legacy arrangement to hide behind.
That timing matters. Lithuania transposed NIS2 through its amended Law on Cybersecurity (Act XIV-2902, amending Law XII-1428) on 11 July 2024, with the law entering force on 18 October 2024. The implementing regulation followed on 12 November 2024. By 17 April 2025, the National Cyber Security Centre (NCSC-LT, known domestically as NKSC) had identified and notified 1,443 entities. Their compliance clocks are now running.
This guide covers everything you need to navigate Lithuania’s NIS2 framework: the law itself, NCSC-LT’s supervisory powers, the thresholds that determine whether you are in scope, sector-specific considerations for energy and finance, the technical requirements that go beyond the EU baseline, and the penalty regime if you fall short.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
The Lithuanian Law on Cybersecurity: How It Differs from NIS2
The NIS2 Directive (EU) 2022/2555 required member states to transpose by 17 October 2024. Lithuania met that deadline. Its amended Cybersecurity Law follows the directive’s structure closely but introduces three requirements that go beyond the EU baseline:
1. Dual-role appointment. Every in-scope entity must designate a cybersecurity manager responsible for overall compliance and a separate security officer responsible for day-to-day protection. NIS2’s Article 20 requires management accountability but does not prescribe these specific roles. Lithuania does.
2. Secure State Data Network. Public institutions must route communications exclusively through Lithuania’s national secure network infrastructure (Articles 37–38 of the Law). Commercial telecommunications are not sufficient for government entities.
3. Training frequency. Senior management and key staff must complete cybersecurity training at least every two years. NIS2 requires training but sets no interval. Lithuania’s implementing regulation also requires annual cyber hygiene training for all staff.
The implementing legislation, the Decision on Cybersecurity Requirements of November 2024, establishes 12 mandatory technical domains with prescriptive standards. Several of these go beyond the EU-level detail in Commission Implementing Regulation (EU) 2024/2690, which itself binds only digital infrastructure, ICT service management and digital providers; for every other sector the EU baseline is NIS2 Article 21, so the Lithuanian specifics are the only prescriptive numbers those entities will find. The technical section below covers the most significant of them.
NCSC-LT: Single Authority, Military Oversight, Dual CSIRT Role
Lithuania’s supervisory architecture is straightforward: one authority, total coverage. NCSC-LT (National Cyber Security Centre, Gedimino str. 40, Vilnius) is simultaneously:

- The national competent authority for NIS2
- The national CSIRT (Computer Security Incident Response Team)
- The single point of contact for essential and important entities
What distinguishes NCSC-LT from most EU counterparts is its organisational home: the Ministry of National Defence. This is not a civilian data protection authority or an independent telecoms regulator. It is a defence institution. In practice, this means Lithuania’s supervisory approach is shaped by national security priorities as much as by commercial compliance considerations — a distinction that matters particularly for energy and critical infrastructure operators.
NCSC-LT runs a 24/7 CSIRT function for urgent incidents (cert@cert.lt). Standard enquiries go to +370 706 82 250, Mon–Fri 08:00–17:00 EET. Under Articles 26 to 29 of the Lithuanian Cybersecurity Law, the Centre’s supervisory powers include:
- Conducting audits and demanding risk assessments
- Issuing binding instructions and remediation orders
- Requesting detailed documentation and evidence
- Performing on-site inspections
- Instructing entities to notify their downstream customers of serious threats
- Temporarily suspending business licences in severe non-compliance cases
Essential entities are subject to both ex ante (proactive) and ex post (reactive) supervision. Important entities face reactive supervision by default, with proactive checks triggered by risk indicators. The first systematic sectoral audits are expected from 2027 onwards, once the 24-month technical implementation window closes.
Who Is In Scope: Thresholds and the Lithuanian Register
Lithuania applies the NIS2 size thresholds directly, with one important procedural difference: entities do not self-register. NCSC-LT compiles the Register itself and notifies qualifying organisations.

| Entity type | Size threshold | Sectors |
|---|---|---|
| Essential | ≥250 employees OR ≥€50M annual turnover | Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, space, public administration |
| Important | ≥50 employees OR ≥€10M annual turnover | Above sectors plus: postal/courier, waste management, chemicals, food, manufacturing, digital providers, research |
| Regardless of size | Any size | Qualified trust service providers, TLD registries, DNS providers, public electronic communications networks operating in Lithuania |
Small and micro enterprises are excluded unless they fall under one of the NIS2 Article 2(2) exceptions: for example, they are the sole provider in Lithuania of a service essential for critical societal or economic activities, or a disruption of their service could significantly affect public safety, public security or public health. The law expanded Lithuania’s regulated entity population from approximately 1,000 under NIS1 to an estimated 8,000–10,000 organisations. For a full breakdown of NIS2 scope thresholds across all sectors, see our complete scope guide.
The Register is not publicly available. NCSC-LT notified the initial 1,443 identified entities around 17 April 2025. If you believe your organisation meets the thresholds and have not received notification, use the compliance-check wizard on the NKSC website or contact NCSC-LT directly. Being absent from the Register does not exempt you from the Law’s obligations if you meet the criteria.
The Energy Sector: Why the BRELL Exit Raises the Stakes
Lithuania’s energy operators face a compliance context unique in the EU. On 8 February 2025, the three Baltic states began their coordinated disconnect from the BRELL system — the electricity grid that interconnected Belarus, Russia, Estonia, Latvia, and Lithuania, with frequency control managed from Moscow. By 9 February 2025, Lithuania, Latvia, and Estonia had completed synchronisation with Continental Europe’s ENTSO-E network.
The geopolitical significance is well documented. The cybersecurity implication for NIS2 compliance is less often stated: every Lithuanian electricity generator, transmission system operator (TSO), distribution system operator (DSO), and supplier that previously operated under BRELL’s Moscow-managed frequency control now operates on EU-integrated infrastructure — and is squarely within NIS2’s energy sector essential entity scope.
The BRELL exit did not wait for compliance windows to close. Lithuania’s energy sector’s attack surface changed overnight, with adversaries fully aware of the strategic significance. The NCSC-LT’s defence-ministry ownership means energy sector audits will be assessed through a national security lens, not merely a regulatory compliance lens.
Under Lithuania’s Cybersecurity Law, energy sector coverage extends beyond IT to operational technology (OT) — the industrial control systems managing grid substations, pipeline SCADA systems, and district heating networks. Essential entity thresholds apply to electricity operators with ≥250 employees or ≥€50M turnover; the energy sector’s large incumbents will almost universally qualify. The 96%–99% system availability mandates in Lithuania’s technical requirements have direct operational consequences for energy infrastructure managers who have historically treated IT and OT as separate governance domains.
The Financial Sector: Vilnius as the EU’s Fintech Hub
Lithuania holds a position in EU financial services that few compliance articles have connected to NIS2: it is the EU’s leading jurisdiction for fintech licensing. As of 2025–2026, 248 fintech companies operate in Lithuania, 231 of them headquartered in Vilnius. These firms collectively serve approximately 40 million EU customers under Bank of Lithuania licences — licences valid across the entire single market.
The names are not obscure. Revolut, Google Pay, Nuvei, Airwallex, Robinhood (EU entity), and Checkout use Lithuanian licences to operate across Europe. This concentration means that NIS2’s financial sector obligations, applied through Lithuania’s Cybersecurity Law, have outsized reach: a Lithuanian-licensed payment institution’s NIS2 incident notification goes to NCSC-LT, but the service disruption affects customers across 27 member states.
The practical implication: financial entities licensed in Lithuania but operating cross-border are subject to NCSC-LT’s supervision for NIS2 purposes, even if their operational teams sit in Berlin, Dublin, or Amsterdam. Article 26 of NIS2 Directive 2022/2555 establishes that entities fall under the jurisdiction of the member state where they are established — which for these firms is Lithuania.
Banking and financial market infrastructure entities meeting the essential entity threshold (≥250 employees or ≥€50M turnover) face the full Article 21 risk management obligations; smaller fintechs qualifying as important entities face a lighter but still substantive regime. One caveat matters here: DORA (Regulation (EU) 2022/2554) declares itself a sector-specific act for the purposes of NIS2 Article 4 (DORA Article 1(2)), so for financial entities within DORA’s scope, which includes licensed payment and e-money institutions, DORA’s ICT risk management and incident reporting rules, supervised by the Bank of Lithuania, apply in place of NIS2 Articles 21 and 23. Check which regime governs your licence category before building a compliance programme around the wrong one. The Bank of Lithuania’s regulatory sandbox and Newcomer Programme do not replace either set of obligations; they exist in parallel.
Technical Requirements: Where Lithuania Exceeds the EU Baseline
Lithuania’s November 2024 Decision on Cybersecurity Requirements establishes 12 mandatory technical domains. Several contain prescriptive standards not present in the EU Commission Implementing Regulation 2024/2690:

| Requirement area | Lithuania standard | EU baseline under IR 2024/2690 |
|---|---|---|
| System availability | 96% or 99% uptime for critical infrastructure | No specific uptime mandate |
| Logging retention | Minimum 90 days; monthly review; specialised hardware | Logging required; retention period not specified |
| Password policy | 10–15 characters; 6-month forced rotation; max 5 login attempts | MFA/continuous authentication; no specific length rule |
| Vulnerability scanning | Every 6 months; critical vulnerabilities removed immediately | Vulnerability management required; no fixed scan interval |
| Staff training | Annual cyber hygiene for all staff; management every 2 years | Training required; no frequency specified |
| KSIS reporting | Submit or update details in national KSIS system within 5 days | No equivalent national system requirement |
The KSIS requirement deserves particular attention. KSIS (Kibernetinio saugumo informacinė sistema, Lithuania’s Cybersecurity Information System) is the national registry where entities must maintain current records of risk assessments, business continuity test results, and audit documentation. The 5-day update window is a continuous compliance obligation, not a one-time registration step. Organisations that treat KSIS as a bureaucratic filing system rather than a live compliance record expose themselves to binding instructions from NCSC-LT without the protection of a demonstrable good-faith effort.
Incident Reporting: The Three-Stage Obligation
Lithuania’s incident reporting framework follows NIS2’s Article 23 three-stage model:

- 24-hour early warning: Submit to NCSC-LT within 24 hours of becoming aware of a significant incident. State whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact. The purpose is situational awareness, not root-cause analysis: known facts only.
- 72-hour incident notification: Update the early warning with an initial assessment of the incident’s severity and impact and, where available, indicators of compromise. NCSC-LT may request intermediate status updates at any point after this.
- Final report within one month of the incident notification: Deliver a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and still ongoing, and any cross-border impact. If the incident is still being handled at that point, a progress report is due instead, with the final report following within one month of the incident being resolved.
For financial sector entities, DORA (Digital Operational Resilience Act, applicable from 17 January 2025) is the sector-specific act recognised by NIS2 Article 4: for entities within DORA’s scope, its major-incident reporting to the Bank of Lithuania (initial notification no later than 24 hours after becoming aware, intermediate report within 72 hours of that, final report within one month) applies instead of the NIS2 stages above, and the timelines are broadly aligned. NCSC-LT has indicated a coordinated approach with the Bank of Lithuania for entities touched by both regimes, but verify how the two apply to your specific licence category before relying on that arrangement.
Penalties and Personal Liability
Lithuania’s penalty regime matches the NIS2 maximums and adds a personal liability dimension absent from many member state implementations:

| Entity category | Maximum fine | Basis |
|---|---|---|
| Essential entities | €10,000,000 | Or 2% of total worldwide annual turnover (whichever is higher) |
| Important entities | €7,000,000 | Or 1.4% of total worldwide annual turnover (whichever is higher) |
| Procedural violations | €300,000–€2,000,000 | Failure to cooperate, provide information, or meet registration obligations |
| Essential entity (public sector) | €60,000 | Fixed maximum for government bodies |
| Important entity (public sector) | €30,000 | Fixed maximum for government bodies |
Executive liability is the element that compliance officers should place before their boards. Under the Lithuanian Cybersecurity Law, directors and senior managers can face up to a 3-year personal disqualification from holding management positions if their negligence contributed to a serious cybersecurity failure. This is not a theoretical provision: NIS2’s Article 20 requires member states to ensure management bears accountability, and Lithuania implemented this in direct, enforceable form.
NCSC-LT can also instruct a registered entity to publicly disclose a breach if it judges that transparency serves the public interest, a reputational penalty that may in practice exceed the financial fine for consumer-facing businesses.
Your NIS2 Compliance Checklist for Lithuania
The following timeline applies to entities notified on or around 17 April 2025. Entities notified later have their own 12- and 24-month windows starting from their notification date.
| Deadline | Obligation | Owner |
|---|---|---|
| Immediate (ongoing) | Maintain KSIS records; update within 5 days of any change | Cybersecurity manager |
| Immediate (ongoing) | Operate 24/7 incident reporting capability; test escalation paths to NCSC-LT | CISO / Security officer |
| 17 April 2026 | Appoint cybersecurity manager and security officer; document roles and responsibilities | Board / C-suite |
| 17 April 2026 | Complete initial risk assessment; document results in KSIS | Cybersecurity manager |
| 17 April 2026 | Establish incident response plan aligned with 24h/72h/30d reporting obligations | CISO |
| 17 April 2026 | Implement supply chain security assessment process for critical suppliers | Procurement + IT |
| 17 April 2026 | Deliver first mandatory cybersecurity training cycle (all staff) | HR + Security officer |
| 17 April 2027 | Implement technical measures: 90-day logging, MFA, 6-month vulnerability scans, password policy | IT / CISO |
| 17 April 2027 | Achieve and document 96%/99% system availability targets for critical infrastructure | Operations + IT |
| Triennial (from 2027) | Commission independent conformity assessment by accredited CAB; obtain compliance certificate | Compliance officer |
| Board accountability | Ensure board has approved cybersecurity risk management policy; document approval | Board secretary / Legal |
Frequently Asked Questions
Does Lithuania require self-registration for NIS2?
No. NCSC-LT proactively identifies and registers qualifying entities. However, if you meet the thresholds and have not been notified, you should contact NCSC-LT or use the compliance-check wizard on the NKSC website. The absence of a notification does not remove your legal obligation.
My company is licensed in Lithuania but operates across the EU. Which authority supervises us?
NCSC-LT. NIS2’s Article 26 assigns jurisdiction to the member state of establishment. Lithuanian-licensed entities — including fintech firms using Bank of Lithuania licences to passport across the EU — fall under NCSC-LT’s supervisory remit for cybersecurity purposes regardless of where their customers or operational teams are located.
Are operational technology (OT) systems in scope?
Yes. Lithuania’s Cybersecurity Law explicitly extends to OT systems controlling industrial processes, utilities, and public infrastructure. Energy sector operators, in particular, should treat their SCADA and industrial control systems as in-scope from day one.
When will NCSC-LT begin active enforcement audits?
The first systematic sectoral audits are expected from 2027, after the 24-month technical implementation window closes. However, NCSC-LT can conduct reactive audits at any time — triggered by incidents, complaints, or risk indicators. Essential entities are also subject to proactive ex ante supervision.
How does Lithuania’s NIS2 interact with DORA for financial entities?
DORA takes precedence where it applies. DORA’s ICT risk management and incident reporting obligations apply from 17 January 2025 and, under NIS2 Article 4 and DORA Article 1(2), replace NIS2 Articles 21 and 23 for financial entities within DORA’s scope; NIS2 obligations, in force in Lithuania since October 2024, continue to govern everything DORA does not cover. Where both regimes touch the same incident, the timelines are broadly aligned (24h/72h/one month) but the reporting destinations differ (Bank of Lithuania for DORA, NCSC-LT for NIS2). Coordinate your incident response plan to address both simultaneously.
Key Takeaways
- Lithuania transposed NIS2 on time (18 October 2024) with a stricter-than-baseline technical framework covering 12 mandatory domains
- NCSC-LT, operating under the Ministry of National Defence, is the single supervisory authority with broad audit, inspection, and enforcement powers
- 1,443 entities were notified in April 2025; organisational measures are due by 17 April 2026, technical measures by 17 April 2027
- The BRELL exit (February 2025) places Lithuanian energy operators on EU-integrated infrastructure with immediate NIS2 and OT security implications under defence-ministry oversight
- Vilnius-based fintechs serving 40 million EU customers carry their NIS2 obligations under NCSC-LT supervision regardless of where their EU customers are located
- Executive disqualification (up to 3 years) for negligent directors is an enforceable personal liability — board-level accountability is not optional
- The KSIS 5-day update requirement is a continuous obligation, not a one-time filing
Sources
- European Commission Digital Strategy, NIS2 Directive implementation in Lithuania
- EUR-Lex, Directive (EU) 2022/2555 (NIS2)
- Eversheds Sutherland, Lithuania — EU NIS2 Directive
- Advisera, NIS2 Transposition in Lithuania: What Does the Lithuanian Cybersecurity Act Require?
- Advisera, NIS2 in Lithuania — Overview of Decision on Cybersecurity Requirements
- Copla, NIS2 directive regulations and implementation in Lithuania
- Baltic Times, NIS2 in the Baltics: How Lithuania, Latvia, and Estonia Differ
- Invest Lithuania, Lithuania officially joins European Power Grid
- Invest Lithuania, Lithuania’s Fintech Overview 2025–2026
