CRA Compliance in Lithuania

NKSC serves as Lithuania's national competent authority for the CRA, with market surveillance for physical products coordinated with the State Consumer Rights Protection Authority (VVTAT) and sector-specific regulators. Lithuania's Kibernetinio saugumo įstatymas (Law on Cyber Security), updated to transpose NIS2, provides the legislative basis for NKSC's supervisory powers over cybersecurity, which will extend to CRA market surveillance through national implementing legislation. NKSC has been growing rapidly in both capacity and scope, reflecting Lithuania's strategic prioritisation of cybersecurity given its geopolitical position.

Lithuanian manufacturers submit Article 14 notifications to CERT-LT, coordinated through NKSC. NKSC operates incident response capability and participates in the EU CSIRTs network and Baltic CERT cooperation. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Lithuania's NIS2 incident reporting framework provides the operational model for CRA Article 14 notifications. Manufacturers should contact NKSC in advance to register and confirm the current Article 14 notification procedure and designated reporting channel.

Market surveillance for CRA products in Lithuania is coordinated between NKSC and VVTAT (State Consumer Rights Protection Authority), with customs authorities involved for imports. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. VVTAT conducts active market surveillance under EU consumer protection and product safety regulations. Lithuanian manufacturers should maintain CRA technical documentation in Lithuanian and English and should expect NKSC to take a technically informed approach to CRA enforcement given its growing capacity.

NKSC publishes cybersecurity guidance for Lithuanian businesses in Lithuanian and English, including the National Cyber Security Framework aligned with international standards. The Lithuanian Business Support Agency (LVPA) supports manufacturer investments in cybersecurity through EU-funded innovation programmes. Enterprise Lithuania (Versli Lietuva) provides support for manufacturer internationalisation including EU regulatory compliance. Lithuania's technology industry association Infobalt engages technology manufacturers on EU regulatory implementation including the CRA. Baltic cooperation with Estonia and Lithuania provides shared implementation resources and intelligence-sharing benefits for Lithuanian manufacturers.