Lithuania

Overview

EU Member State (since May 2004), NATO (since March 2004). For the EU framework, see the EU Framework page.

Lithuania occupies one of the most strategically sensitive positions in Europe: bordered by Russia’s Kaliningrad exclave and Belarus, controlling one side of the Suwalki Gap — the 100-km corridor NATO considers its most vulnerable point. This geography has driven intelligence capabilities far exceeding what 2.8 million people would suggest. VSD (civilian intelligence) and AOTD (military intelligence, origins 1918) face persistent Russian, Chinese, and Belarusian espionage. Pegasus infections confirmed on Lithuanian territory (May 2024). The BCS East-West Interlink — Lithuania’s sole submarine cable to Sweden — was severed November 2024 by the Chinese vessel Yi Peng 3. Belarus weaponised migration in 2021.^[1][2]

Privacy Framework

The VDAI (State Data Protection Inspectorate) enforces the GDPR and the Personal Data Processing Law. Largest fine: Vinted EUR 2.39 million (July 2024). NIS2 transposed via Cyber Security Law (October 2024). Intelligence law expanded February 1, 2026 with provisions criticised for allowing surveillance without clear maximum time limits and classifying conditions for court-free intelligence methods.^[3][4]

Surveillance and Intelligence

Intelligence Agencies

VSD (State Security Department): Civilian intelligence and counterintelligence, accountable to Seimas and President. AOTD (Second Investigation Department): Military intelligence, counterintelligence, cyber warfare under Ministry of National Defence, origins October 27, 1918. Article 22 of the Constitution requires judicial authorisation for surveillance, but the February 2026 expansion retains provisions criticised for indefinite monitoring without meaningful judicial review.^[5]

Pegasus Infections (May 2024)

Access Now and Citizen Lab confirmed Pegasus infections in the Baltic region including at least one Belarusian activist based in Vilnius (infection dating to March 2021). No evidence Lithuania is a Pegasus customer; Estonia (which acquired Pegasus) is believed to operate it across EU jurisdictions. Lithuania’s territory is an active surveillance environment for state-sponsored spyware.^[2]

Russian and Belarusian Threats

VSD 2025 National Threat Assessment: Russia actively rebuilding spy networks, conducting sabotage operations across Europe, and could develop capabilities for limited military action against NATO countries within three to five years. Belarus weaponised migration in 2021, directing thousands to the Lithuanian border. Hosts NATO ENSEC COE (Energy Security Centre of Excellence) in Vilnius.^[6]

Internet Infrastructure and Transit Exposure

IXPs: LIXP (Vilnius), LITIX (Vilnius, connected to AMS-IX/DE-CIX/LINX), BALT-IX (Vilnius/Kaunas). The BCS East-West Interlink (218 km, Lithuania-Sweden via Gotland) is Lithuania’s sole submarine cable — severed November 17, 2024 simultaneously with C-Lion1, by Chinese vessel Yi Peng 3 (departed Russia’s Ust-Luga), reducing internet capacity by one-fifth. Cross-border fibre: Baltic Highway (3,000 km Tallinn-Frankfurt backbone). Lithuania ranks first in Europe for fiber-optic penetration.^[7]

FRA cable-tapping exposure: The BCS East-West Interlink terminates at Katthammarsvik, Gotland, Sweden, within FRA collection jurisdiction. Lithuanian data transiting this cable is subject to Swedish bulk interception under the FRA Law (Type 2 warrants, ministerial only for non-Swedish persons). The ECtHR ruled Sweden’s regime violated Article 8 ECHR in 2021.^[8]

Data Retention

6-month retention of traffic and location data (internet) / 12-month (telephony). Lithuania has not repealed or substantially amended retention provisions despite the CJEU’s Digital Rights Ireland invalidation of the underlying EU directive.^[9]

International Data Sharing Agreements

Mutual Legal Assistance

EU Member States (26 countries): EU MLA Convention 2000, Schengen, EIO, Prüm. Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Lithuania MLAT: Signed January 16, 1998, in force August 26, 1999. Trilateral MLA with Estonia and Latvia (Tallinn, November 11, 1992). Bilateral MLA with Russia (pre-independence agreement on legal cooperation).^[10]

Intelligence and Defense Cooperation

NATO (since 2004); hosts ENSEC COE. NB8 (Nordic-Baltic Eight). Club de Berne and Counter-Terrorism Group. Baltic trilateral intelligence cooperation with Estonia and Latvia. SIS II, Europol, Eurojust. EU-US Umbrella Agreement, SWIFT/TFTP, PNR. Interpol I-24/7. Egmont Group.^[11]

The Privacy Backdoor Effect

• FRA transit: Sole submarine cable terminates in Sweden’s FRA collection jurisdiction
• Intelligence expansion: February 2026 law allows surveillance without clear time limits
• Pegasus: Infections confirmed on Lithuanian territory (Estonian operator suspected)
• Suwalki Gap: Strategic vulnerability drives intelligence capabilities disproportionate to population
• EU Framework: Lithuanian data in SIS II, Prüm, EIO accessible to 27 EU states

Recent Developments

Intelligence Law Expansion (February 2026): Significantly expanded VSD/AOTD powers while retaining provisions for surveillance without clear maximum time limits.^[4]

BCS East-West Interlink Severed (November 2024): Sole submarine cable cut by Yi Peng 3, simultaneously with C-Lion1. Under investigation.^[7]

Pegasus Confirmed (May 2024): Belarusian activist in Vilnius among confirmed targets in Baltic region.^[2]

VSD Threat Assessment (2025): Russia could develop limited military action capability against NATO within 3–5 years.^[6]

Sources