	NIS2 Implementation in the EU
	Lithuania
	(Europe) Firm Ellex Valiunas Contributors Azuolas Cekanavicius Updated 28 Jan 2026
Status of the legislative process	Enacted
Status of the NIS2 Implementation Act	The general requirements of NIS2 have been transposed into the amended Republic of Lithuania Law on Cyber Security (hereinafter – the “LCS”) (lit. Lietuvos Respublikos kibernetinio saugumo įstatymas), which was adopted on 11 July 2024, and came into force on 18 October 2024. Additional regulations, further elaborating on technical and organizational measures, reporting, designation of cybersecurity entities and more were adopted on 11 November 2024. (most recent consolidated version 17 December 2025).
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The extended scope of application includes: local level public administration; entities that pursue critical research or experimental development activities (which may include universities); and electronic information hosting service providers. Entities do not need to register with the authorities if they fall under the NIS2 scope. The National Cyber Security Centre, together with other governmental institutions, will determine which entities fall under the NIS2 scope and, based on their assessment results, contact such entities and include them in a specific NIS2 entity list by 17 April 2025. According to data as of 24 April 2025, there are 1,443 organizations included in the register across 11 sectors of high criticality and 7 other critical sectors. To help the organizations listed in the register comply with applicable legislation and maintain a unified approach to implementation, the Cybersecurity Information System ("KSIS") was created. All organizations included in the register are required to sign in to KSIS and use it as the primary communication platform with the supervisory authority (National Cyber Security Centre). An extensive list of mandatory technical and organizational measures was adopted by the government. In-scope entities will have a 12-24 months transitional period to incorporate them in practice.
Date of entry into force of the Implementation Act	The LCS has been in force since 18 October 2024 whereas further implementing acts, detailing reporting mechanisms, technical and organizational measures, enforcement measures and more, were adopted on 11 November 2024 and came into force on 12 November 2024. Currently, the information provided regarding the LCS remains applicable. The updates relate to the implementing acts, where the most recent consolidated version—covering reporting mechanisms, technical and organizational measures, enforcement measures, and other regulatory elements—is dated 17 December 2025.

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Enacted

Status of the NIS2 Implementation Act

The general requirements of NIS2 have been transposed into the amended Republic of Lithuania Law on Cyber Security (hereinafter – the “LCS”) (lit. Lietuvos Respublikos kibernetinio saugumo įstatymas), which was adopted on 11 July 2024, and came into force on 18 October 2024. Additional regulations, further elaborating on technical and organizational measures, reporting, designation of cybersecurity entities and more were adopted on 11 November 2024. (most recent consolidated version 17 December 2025).

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The extended scope of application includes: local level public administration; entities that pursue critical research or experimental development activities (which may include universities); and electronic information hosting service providers.
Entities do not need to register with the authorities if they fall under the NIS2 scope. The National Cyber Security Centre, together with other governmental institutions, will determine which entities fall under the NIS2 scope and, based on their assessment results, contact such entities and include them in a specific NIS2 entity list by 17 April 2025.
According to data as of 24 April 2025, there are 1,443 organizations included in the register across 11 sectors of high criticality and 7 other critical sectors.
To help the organizations listed in the register comply with applicable legislation and maintain a unified approach to implementation, the Cybersecurity Information System ("KSIS") was created.
All organizations included in the register are required to sign in to KSIS and use it as the primary communication platform with the supervisory authority (National Cyber Security Centre).
An extensive list of mandatory technical and organizational measures was adopted by the government. In-scope entities will have a 12-24 months transitional period to incorporate them in practice.

Date of entry into force of the Implementation Act

The LCS has been in force since 18 October 2024 whereas further implementing acts, detailing reporting mechanisms, technical and organizational measures, enforcement measures and more, were adopted on 11 November 2024 and came into force on 12 November 2024.

Currently, the information provided regarding the LCS remains applicable. The updates relate to the implementing acts, where the most recent consolidated version—covering reporting mechanisms, technical and organizational measures, enforcement measures, and other regulatory elements—is dated 17 December 2025.