16 January 2025

Lithuania Strengthens Cybersecurity With New Law Aligned To EU Standards

ECOVIS ProventusLaw


The updated Law on Cybersecurity (the "Cybersecurity Law") entered into force on 18 October 2024 in Lithuania.

The Cybersecurity Law implements the following European Union legislation:

  • NIS Directive 2;
  • The Cybersecurity Act;
  • Regulation of the European Parliament and the Council establishing a European Centre of Excellence for Cyber Security Industry, Technology and Research and a Network of National Coordination Centres.

Government-Approved Measures

To support the effective implementation of the Cybersecurity Law, the Lithuanian Government has approved additional measures, including:

  • The National Cyber Incident Management Plan.
  • A methodology for identifying cybersecurity entities based on criteria.
  • Detailed cybersecurity requirements for entities.
  • Procedures for enforcement measures.
  • A list of users for the Secure National Data Transmission Network.
  • Criteria and procedures for determining additional electronic communication and cybersecurity services fees.

The provisions of the NIS2 Directive implemented in the Cybersecurity Law will strengthen the cybersecurity governance model in Lithuania.

The Law and related implementing legislation will provide clear guidelines that will require a cybersecurity entity to approve cybersecurity policy documents, periodically analyse and manage its cybersecurity risks, assign persons responsible for cybersecurity, manage and report cybersecurity incidents, ensure the security of its supply chain, implement technical cybersecurity measures, etc.

The cybersecurity entity's manager will be required to ensure that the organisation complies with these requirements. Non-compliance or other breaches may result in a range of sanctions by the National Cyber Security Centre, such as the temporary dismissal of the manager, suspension of activities, and finally, fines of up to €10 million or up to 2% of the total global annual turnover.

In addition, we would like to draw your attention to a recent decision by the Government, which approved the following measures to support the implementation of:

  • The National Cyber Incident Management Plan;
  • A methodology for identifying cybersecurity entities based on specific criteria;
  • A description of cybersecurity requirements;
  • Procedures for applying enforcement measures to cybersecurity entities;
  • A list of users of the Secure National Data Transmission Network;
  • Criteria and procedures for setting fees for additional electronic communication and cybersecurity services provided by the Secure National Data Transmission Network.

The recommendation of ECOVIS ProventusLaw:

1. Ensure all cybersecurity policies align with the new law and include requirements from the NIS2 Directive and the Cybersecurity Act.

2. Implement or update a cybersecurity risk management framework. This should include regular risk assessments, detailed incident response procedures, and reporting structures.

4. Conduct due diligence and assess the cybersecurity standards of all third-party vendors, ensuring they meet the new requirements.

Non-compliance with the Law on Cybersecurity can lead to severe sanctions, including:

  • Temporary dismissal of the organisation's manager,
  • Suspension of activities, or
  • Fines up to €10 million or 2% of the global annual turnover.

Set up ongoing internal audits and compliance checks to ensure adherence to the new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
