Lithuania

EU Framework Note: Lithuania has been a member of the European Union since May 1, 2004. The GDPR (Regulation 2016/679) applies directly and is supplemented by the national Law on Legal Protection of Personal Data. Lithuania is subject to the EU Charter of Fundamental Rights, the European Investigation Order framework, and all EU data protection directives including the Law Enforcement Directive (2016/680). Lithuania joined NATO on March 29, 2004.

Overview

Lithuania’s privacy and surveillance landscape is defined by its position on NATO’s eastern frontier. Bordered by Russia’s Kaliningrad exclave to the southwest and Belarus to the east, Lithuania occupies one of the most strategically sensitive positions in Europe. The Suwalki Gap — the 100-kilometer land corridor between Kaliningrad and Belarus that forms Lithuania’s only overland connection to NATO allies — is widely regarded as the alliance’s most vulnerable point. This geography has driven Lithuania to develop intelligence capabilities far exceeding what its population of 2.8 million would suggest.^[1]

Since regaining independence in 1990, Lithuania has transformed from a Soviet-surveilled society to an EU and NATO member state with its own sophisticated intelligence apparatus. The Valstybės saugumo departamentas (VSD) handles domestic intelligence and counterintelligence, while the Antrasis operatyvinių tarnybų departamentas (AOTD) conducts military intelligence under the Ministry of National Defence. Data protection is enforced by the VDAI (State Data Protection Inspectorate), which imposed Lithuania’s largest GDPR fine — EUR 2.39 million against Vinted — in 2024. Pegasus spyware infections have been confirmed on devices within Lithuanian territory, and in November 2024 the country’s sole submarine cable to Sweden was severed in a suspected act of sabotage.^[2][3][4]

Data Protection Authority: VDAI

The Valstybinė duomenų apsaugos inspekcija (VDAI) — the State Data Protection Inspectorate — is Lithuania’s independent supervisory authority established in accordance with GDPR Article 51. Based in Vilnius, the VDAI enforces both the GDPR and the national Law on Legal Protection of Personal Data. Lithuania also has a secondary supervisory authority, the Office of the Inspector of Journalists’ Ethics (OIJE), which oversees data processing in the media sector.^[5]

Notable Decisions

In 2024, the VDAI received 273 data breach notifications affecting 1,467,368 data subjects across Lithuania, and issued 38 compliance recommendations based on its review of breach reports.^[7]

Key Legislation

Law on Legal Protection of Personal Data (Asmens duomenų teisinės apsaugos įstatymas)

Lithuania’s primary data protection law, amended on July 16, 2018 to implement the GDPR. The law supplements the GDPR with national provisions including setting the age of digital consent at 14 years and establishing the VDAI’s structure and enforcement powers. It does not replace the GDPR but provides supplementary rules where the regulation permits member state derogation.^[8]

Law on Electronic Communications (Elektroninių ryšių įstatymas)

Governs telecommunications regulation, including data retention obligations. Amended in 2008 to transpose the EU Data Retention Directive, requiring providers to retain traffic and location data for six months. Despite the CJEU’s invalidation of the Data Retention Directive in 2014, Lithuania’s retention provisions remain in force largely unchanged.^[9]

Law on Intelligence (Žvalgybos įstatymas)

Adopted on July 17, 2000 (Law No. VIII-1861), this establishes the legal framework for the VSD and AOTD. Article 22 of the Lithuanian Constitution requires judicial authorization for surveillance of personal communications. However, large-scale amendments approved by the Seimas in December 2025 entered into force on February 1, 2026, significantly expanding intelligence agencies’ powers. The Seimas Ombudsman has criticized the law for allowing surveillance without clear maximum time limits and for classifying the conditions governing court-free intelligence methods.^[10][11]

Law on Cyber Security (Kibernetinio saugumo įstatymas)

Lithuania replaced its 2018 Cybersecurity Act with a new law that entered into force on October 18, 2024, transposing the EU NIS2 Directive. The National Cyber Security Centre (NCSC), operating under the Ministry of National Defence, oversees enforcement. Organizational compliance deadlines run to April 2026, with technical requirements due by April 2027.^[12]

Surveillance and Intelligence

Intelligence Agencies

The Valstybės saugumo departamentas (VSD) — the State Security Department — is Lithuania’s civilian intelligence and counterintelligence agency, accountable to the Seimas (parliament) and the President. The VSD conducts intelligence in political, economic, scientific, and technological domains. The Antrasis operatyvinių tarnybų departamentas (AOTD) — the Second Investigation Department under the Ministry of National Defence — is responsible for military intelligence, counterintelligence, cyber warfare, and foreign military threat assessment. The AOTD traces its origins to the Intelligence Unit established within the Lithuanian Armed Forces on October 27, 1918.^[2][13]

Pegasus Spyware

In May 2024, Access Now and the Citizen Lab confirmed that Pegasus spyware infected devices belonging to journalists and civil society members in the Baltic region, including at least one Belarusian activist based in Vilnius. The victim received an Apple threat notification on June 22, 2023, and forensic analysis confirmed a Pegasus infection dating to approximately March 2021. The Citizen Lab stated there is no evidence that Lithuania itself is a Pegasus customer; Estonia, which acquired Pegasus in 2019, is believed to operate it across EU jurisdictions. The infections nevertheless demonstrate that Lithuania’s territory is an active surveillance environment for state-sponsored spyware.^[4][14]

Russian and Belarusian Intelligence Threats

The VSD’s 2025 National Threat Assessment identifies Russia as the primary security threat, noting ongoing efforts to rebuild spy networks in Lithuania and allied countries. Russia is actively engaged in sabotage operations targeting infrastructure across Europe. The assessment warns that Russia could develop capabilities for limited military action against one or more NATO countries within three to five years. Belarus, with its deepening dependence on Russia, represents a secondary threat.^[15]

VSD Surveillance Powers and Oversight Concerns

Under the Law on Intelligence (VIII-1861) and the Law on Operative Activities, the VSD and AOTD are authorised to use covert surveillance methods including interception of electronic communications, monitoring of data transmissions, and use of technical intelligence equipment. Article 22 of the Lithuanian Constitution requires judicial authorization for surveillance of personal communications. However, large-scale amendments entering into force on February 1, 2026 significantly expanded intelligence agencies’ powers while retaining provisions criticized by the Seimas Ombudsman for allowing surveillance without clear maximum time limits and for classifying the conditions under which court-free intelligence methods may be used. Civil liberties organizations have raised concerns that the absence of defined duration limits on surveillance operations allows effectively indefinite monitoring of individuals without meaningful judicial review.^[10][11]

Internet Infrastructure and Transit Exposure

Internet Exchange Points

Lithuania has two primary internet exchange points. LIXP (Lithuanian Internet eXchange Point), based in Vilnius, has 11 ISP members and provides neutral domestic peering. LITIX (Lithuanian Internet Exchange), operated by Data Logistics Center (Delska), maintains facilities at two locations in Vilnius and provides access to major European exchanges including AMS-IX, DE-CIX, PL-IX, and LINX. BALT-IX, operated by Baltneta, provides distributed peering platforms across Vilnius and Kaunas.^[17][18]

BCS East-West Interlink

The BCS East-West Interlink is a 218-kilometer submarine fiber-optic cable connecting Sventoji, Lithuania to Katthammarsvik on Sweden’s Gotland island. Built in 1997 by Alcatel and owned by Arelion (formerly Telia Carrier), it is Lithuania’s sole submarine cable connection. On November 17, 2024, the cable was severed, reducing Lithuania’s internet capacity by approximately one-fifth. Simultaneously, the C-Lion1 cable between Finland and Germany was cut in the same Baltic Sea region. The Chinese-flagged cargo vessel Yi Peng 3, which departed from Russia’s Ust-Luga port, was identified at the exact location and time of the disruptions. Investigators believe the ship dragged its anchor across both cables. The incident remains under investigation.^[19][20]

FRA Cable-Tapping Exposure

The BCS East-West Interlink terminates at Katthammarsvik, Gotland, Sweden, placing it within the collection jurisdiction of the Swedish Försvarets radioanstalt (FRA) under Sweden’s Signals Intelligence Act (FRA Law, 2008). The FRA Law authorizes the FRA to intercept cable-bound electronic communications crossing Sweden’s borders, subject to prior authorization from Sweden’s Foreign Intelligence Court. Lithuanian data transiting the BCS East-West Interlink is therefore subject to potential collection under Swedish law. Sweden’s strategic Baltic position gives the FRA access to east-west communications carrying Baltic state traffic to Western Europe. The European Court of Human Rights ruled Sweden’s bulk interception regime in violation of Article 8 ECHR in Centrum för rättvisa v. Sweden (2021). See the Sweden country page for full documentation of the FRA Law and its oversight framework.^[29][30]

Cross-Border Fiber

Lithuania’s international terrestrial connectivity runs primarily through cross-border fiber links to Poland and Latvia. The Baltic Highway, launched in January 2015, provides a 3,000-kilometer fiber backbone connecting Tallinn to Frankfurt via Riga, Vilnius, Warsaw, and Berlin. Lithuania ranks first in Europe for fiber-optic internet penetration, with cross-border fiber connections to PIONIER (Poland) using 10G DWDM systems linking Kaunas to Poznan.^[21]

Data Retention

Lithuania’s Law on Electronic Communications, amended in 2008 to transpose the EU Data Retention Directive, requires telecommunications providers to retain traffic and location data for six months. This includes information on the parties, timing, duration, and location of phone calls, SMS messages, and the IP addresses used for email. Despite the CJEU’s Digital Rights Ireland ruling in April 2014 invalidating the underlying EU directive, Lithuania has not repealed or substantially amended its retention provisions. Civil liberties organizations have criticized Lithuania for continuing mass data collection under a legal basis that the EU’s highest court declared invalid.^[9][22]

International Data Sharing Agreements

NATO (2004)

Lithuania joined NATO on March 29, 2004 and participates fully in NATO intelligence-sharing structures. Lithuania hosts the NATO Energy Security Centre of Excellence (ENSEC COE) in Vilnius, accredited on October 12, 2012, which Lithuania established as the framework nation alongside Estonia, France, Italy, Latvia, and Türkiye. Lithuania is also closely involved with the NATO Strategic Communications Centre of Excellence (STRATCOM COE) in Riga. The Suwalki Gap’s strategic significance makes Lithuania central to NATO eastern flank defence planning.^[23][24]

Baltic Defence Cooperation

Lithuania maintains deep trilateral defence and intelligence cooperation with Estonia and Latvia. The three Baltic states coordinate on threat assessments, border security, and counterintelligence through multiple frameworks including the Baltic Defence College in Tartu and joint military exercises. The VSD and AOTD publish a joint annual National Threat Assessment that is coordinated with Estonian and Latvian counterparts.^[15]

Nordic-Baltic Eight (NB8)

Lithuania participates in the Nordic-Baltic Eight (NB8) cooperation format alongside Denmark, Estonia, Finland, Iceland, Latvia, Norway, and Sweden. Lithuania coordinated NB8 cooperation in 2022. The format covers political, military, economic, and security cooperation, with increasing focus on resilience against hybrid threats in the Baltic Sea region.^[25]

Club de Berne and Counter-Terrorism Group

Lithuania is a member of the Club de Berne, the intelligence-sharing forum of EU member states’ domestic security services plus Norway and Switzerland. Lithuania also participates in the Counter-Terrorism Group (CTG), the post-9/11 operational counterterrorism offshoot. Lithuanian State Security personnel have participated in Club de Berne cyber security inspections.^[26]

EU Law Enforcement Cooperation

Lithuania participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA/fingerprint/vehicle data exchange, and Europol/Eurojust cooperation.^[8]

US-Lithuania MLAT

The US-Lithuania MLAT on Mutual Legal Assistance in Criminal Matters was signed at Washington on January 16, 1998. Ratifications were exchanged at Vilnius on August 26, 1999, with the treaty entering into force on the same date. The 2010 US-EU Mutual Legal Assistance Agreement further supplements this bilateral framework.^[27]

Recent Developments

Intelligence Law Expansion (February 2026)

Large-scale amendments to the Law on Intelligence, approved by the Seimas in December 2025, entered into force on February 1, 2026, significantly expanding VSD and AOTD surveillance powers.^[11]

VSD National Threat Assessment: Russia, China, Belarus (2025)

The joint VSD-AOTD assessment identified Russia as capable of limited military action against NATO within 3–5 years, flagged Chinese cyber espionage targeting Lithuanian lasers, semiconductors, and biotech sectors, and warned of continued Belarusian dependence on Russian intelligence.^[15]

BCS East-West Interlink Cable Severed (November 2024)

Lithuania’s sole submarine cable to Sweden was cut on November 17, 2024, alongside the Finland-Germany C-Lion1 cable. The Chinese vessel Yi Peng 3, departing from a Russian port, was identified at both disruption sites.^[19]

NIS2 Transposition (October 2024)

Lithuania’s new Cybersecurity Act entered into force on October 18, 2024, transposing the NIS2 Directive with compliance deadlines through April 2027.^[12]

Vinted GDPR Fine (July 2024)

VDAI imposed a EUR 2,385,276 fine on Vinted for unlawful shadow blocking and improper handling of erasure requests — Lithuania’s largest GDPR penalty. The decision was upheld by the Regional Administrative Court.^[6]

Pegasus Infections Confirmed in Lithuania (May 2024)

Access Now and Citizen Lab confirmed Pegasus infections on devices in Lithuania, including a Belarusian activist in Vilnius. The operator was not publicly identified.^[4]

Intelligence Law Amended Without Clear Surveillance Time Limits (December 2025)

Amendments to the Law on Intelligence, approved by the Seimas in December 2025 and effective February 1, 2026, expanded VSD and AOTD covert surveillance powers while retaining provisions that allow surveillance without defined maximum duration — a deficiency the Seimas Ombudsman had flagged for enabling indefinite monitoring without judicial review.^[11]

Sources