NIS 2 Status in Lithuania
What the directive requires, how Lithuania implements it, and where NKSC sits in the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Lithuania, with a single minimum standard for essential and important entities. Lithuania has to carry that standard into Lithuanian law and run a supervisor underneath it.
Lithuania transposes NIS 2 by amending the Lietuvos Respublikos kibernetinio saugumo įstatymas (Law on Cyber Security). The amending law was adopted on 11 July 2024 and entered into force on 18 October 2024, one day after the EU deadline. Implementing government regulation followed in November 2024. Lithuania is therefore among the member states that met the 17 October 2024 transposition deadline in substance.
The Nacionalinis kibernetinio saugumo centras (National Cyber Security Centre, NKSC) under the Ministry of National Defence is the competent authority, the single point of contact under Article 8 NIS 2, and operates the national CSIRT under the brand CERT-LT. The number of obligated entities in Lithuania is publicly estimated by NKSC sources in the 8,000 to 10,000 range, the exact figure depending on the applicability assessment per entity.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. It sets the obligations every member state has to transpose, including the size and sector test for essential and important entities.
EU implementing act
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for providers of digital infrastructure. Directly applicable in Lithuania without national transposition.
Lithuanian transposition
Lietuvos Respublikos kibernetinio saugumo įstatymas (Law on Cyber Security), as amended, in force from 18 October 2024
The Lithuanian NIS 2 transposition. The amending law was adopted on 11 July 2024. Government implementing regulation followed in November 2024 with the catalogue of cybersecurity requirements for essential and important entities.
Amended Law on Cyber Security
The amending law of 11 July 2024 brings the NIS 2 obligations into Lithuanian law. It defines essential and important entities, the supervisory powers of NKSC, incident reporting duties and sanctions. Operational detail sits in the government implementing regulation that took effect in November 2024.
NKSC as competent authority and CSIRT
NKSC runs supervision, audits and enforcement proposals. It is also the single point of contact under Article 8 NIS 2 and operates the national CSIRT, CERT-LT. Sector regulators retain their existing roles where lex specialis applies, for example DORA in finance.
Registration and reporting
The directive requires member states to identify entities by 17 April 2025. In Lithuania NKSC compiles this list of essential and important entities. Significant incidents follow the directive: early warning within 24 hours, incident notification within 72 hours, final report within one month.
In Lithuania, Lithuanian law applies
Activities on Lithuanian territory follow the Lithuanian transposition. A German managing director with a Lithuanian subsidiary reads the amended Law on Cyber Security for that subsidiary, not the BSIG. The directive obligations are identical. The procedure, supervisor and sanctions sit in Lithuanian law.
Lithuania cannot drop below the EU floor
The directive is minimum harmonisation. Lithuania can go stricter, and historically has on national security cyber requirements. Lithuania cannot fall below the directive, neither on obligations for essential and important entities, nor on reporting deadlines, nor on management body accountability.
NKSC
Nacionalinis kibernetinio saugumo centras, the National Cyber Security Centre under the Ministry of National Defence. Competent authority, single point of contact under Article 8 NIS 2, supervisor, and operator of the national CSIRT. Maintains the register of essential and important entities.
CERT-LT
The national CSIRT, operated inside NKSC. Handles incident notifications, technical coordination and the 24/7 contact line for urgent cases. In practice NKSC and CERT-LT are one institution with two roles, not two separate authorities.
ENISA
The EU cybersecurity agency. Publishes guidelines, runs the European vulnerability database and coordinates across borders. Not a supervisor for Lithuanian entities. That sits with NKSC.
Lithuanian NIS 2 looks identical to German NIS 2.
The directive obligations are the same. The supervisor, the law text, the sanctions regime, the registration channel and the deadlines for follow-up regulation are not. A Lithuanian entity reads the amended Law on Cyber Security and NKSC guidance. A German entity reads the BSIG and BSI guidance. Cross-border groups have to map each subsidiary to its national supervisor.
Since the public register is not searchable, registration is optional.
NKSC maintains the register of essential and important entities, but the list is not published openly. That does not make registration optional. Entities that meet the size and sector test under Annex I or II of the directive have to self-identify and provide registration data to NKSC. Article 27 NIS 2 also requires entities to keep their registration data current.
Only the eleven CIR sectors are in scope in Lithuania.
Commission Implementing Regulation (EU) 2024/2690 sets technical measures for a narrow set of digital infrastructure providers. The Lithuanian Law on Cyber Security covers the full NIS 2 perimeter from Annex I and Annex II, plus public administration entities and any additional entities Lithuania may designate. Reading only the CIR list understates the scope by an order of magnitude.
Most Lithuanian mid-market operators we see still treat NIS 2 as an extension of the old NIS 1 regime. That is half right. NKSC was the supervisor before, and remains so. The scope is broader, the management body accountability is heavier, and the catalogue of cybersecurity requirements in the implementing regulation is more detailed than the previous decision.
The practical step is the same as everywhere in the EU: run the applicability test against the directive, register with the national supervisor (here NKSC), set up the four continuous obligations (keep registration data current, incident notification, supply chain risk, supervision by the management body) and document the minimum. The earlier NIS 1 paperwork helps as a baseline, but does not replace the NIS 2 obligation register.
We build the NIS 2 obligation register at the EU layer, not on a single national transposition. The same checklist fits a Lithuanian subsidiary under the amended Law on Cyber Security, a German parent under the BSIG and a Dutch sister under the Cyberbeveiligingswet. The article references swap per country. The obligations in substance do not.
For the Lithuanian scope, start with the applicability check, then incident reporting cadence, supply chain clauses and sign-off by the management body. Where NKSC publishes sector guidance, we link it. We do not copy it.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Lietuvos Respublikos kibernetinio saugumo įstatymas (Law on Cyber Security), as amended — e-tar.lt (Lithuanian legal acts register)
- Nacionalinis kibernetinio saugumo centras (NKSC) — official site
- CERT-LT — national CSIRT, operated inside NKSC
- European Commission, Shaping Europe's digital future, NIS 2 directive implementation in Lithuania
- Ministry of National Defence of the Republic of Lithuania — parent ministry of NKSC