NKSC notice — which of the three did you receive?
- Jun 30
- 4 min read
When you receive a letter from the National Cyber Security Centre (NKSC), the first question that comes to mind is: should I be worried? The answer depends on which of the three main types of notice you received. They are very different — from "you have been added to the register of entities" to "urgently fix your company's cyber security gap."
Summary
Inclusion in the register of entities — your company has become a cyber security entity and must comply with the requirements of the Cyber Security Law.
How to respond? Appoint a cyber security manager, assess your cyber security risks, prepare the relevant procedures, and approve them.
Notice of a detected threat — the NKSC has spotted a specific security gap or infection in your company's systems.
How to respond? Notify your cyber security manager and, together with the IT department, close the gap immediately. This is urgent work that cannot wait.
Notice of an inspection — the NKSC is checking whether you comply with cyber security requirements and is requesting documents that prove it.
How to respond? Submit the requested documents within the stated deadline (usually 5 working days) and cooperate if the NKSC has any additional questions.
1. NKSC notice of inclusion in the register of entities
This is notification that, based on your sector of activity or your size and revenue, your company has been added to the Register of Cyber Security Entities and from now on must comply with the requirements of the Cyber Security Law. The register compiled in April 2025 contained about 1,443 organisations, but it is continually being updated.

The notice also states whether you are an essential or an important entity — the strictness of oversight depends on this. When you receive it, don't panic, but don't put it off either: the transitional deadlines provided run out faster than they appear to. Our experience shows that two months is enough to achieve compliance.
Under the law, responsibility falls on the company's CEO, not on the IT department.
What to do: appoint a person responsible for cyber security (a cyber security manager), connect to the Cyber Security Information System managed by the NKSC, carry out a risk assessment, prepare risk management plans, draw up a list of measures, and implement the other core organisational measures provided for in the Cyber Security Law.
2. NKSC notice of a detected threat or vulnerability
This is the most common and most time-sensitive type of notice. The NKSC continuously monitors Lithuania's cyber space and, when it spots a specific problem in your systems — an exposed vulnerable service, a malware infection, or leaked data — it reports it so that you have time to react.
It is important to understand: this notice is not a fine or an accusation, but a warning. The NKSC acts like a neighbour who has noticed that your door is open. On the other hand, the notice should not be ignored — the longer the gap stays unpatched, the greater the risk that malicious actors will exploit it.
What to do: immediately pass the information to your IT team or service provider, close the detected security gap, and make sure it has not already been exploited. If the notice asks you to, confirm to the NKSC that the problem has been resolved. This is a matter of hours or days, not weeks.
3. NKSC notice of an inspection being carried out
This is a planned compliance check — similar to an inspection by the State Tax Inspectorate or the labour inspectorate. The NKSC checks whether you actually comply with the requirements of the Cyber Security Law and asks you to provide documents that prove it: a risk assessment report and management plan, a compliance assessment report, a non-conformity remediation plan, and reports of audits carried out.
The most important figure: once documents are requested, you usually have to upload them to the KSIS system within 5 working days. That is enough time to gather what already exists, but not to create it from scratch — which is why preparation must be completed in advance.

An inspection that finds gaps is not yet a fine. Enforcement measures are arranged gradually — from warnings and instructions to fines — and the strictest are applied only for malicious and repeated non-compliance. It is worth noting that fines reach up to €7 million for important entities and €10 million for essential ones. Since responsibility falls on the director, in the case of essential entities even suspension from duties is possible.
What to do: clarify exactly what is being requested and by when, upload the documents to KSIS on time, and do so honestly: showing an existing gap together with a plan to fix it is better than submitting a nice but untrue report.
Preparation — in advance, not on the last day
All three notices are easiest to handle when a company has an appointed responsible person, prepared documents, procedures, and a clear action plan. For most companies, an external CISO helps maintain this without a separate full-time role — so that any NKSC notice finds them already prepared.


