RegRally Insights: Personal Data Protection and ICT Regulation – April 2025

ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter, May 2025 edition, on personal data protection and ICT regulation.

New Register of Lithuanian Cybersecurity Entities Established

The new Lithuanian Cybersecurity Entities Register has officially launched, including 1,443 organisations across 11 critical and 7 important sectors. The register now covers nearly five times more entities than before, many of them from the private sector, and these entities face significantly increased cybersecurity obligations.

Under the revised Cybersecurity Law and the Government Resolution of 6 November 2024, all registered organisations must comply with stricter cybersecurity standards. Transitional deadlines have been set:

  • 12 months for organisational requirements,
  • 24 months for certain technical requirements.

Both periods start from the entity’s registration date.

To support implementation, the National Cyber Security Centre (NKSC) has made free services available via the KSIS platform.

Free Support: ECOVIS NIS2 Self-Assessment Tool

We have developed a free ECOVIS NIS2 Compliance Self-Assessment Tool to support your compliance journey. This tool is specifically designed to help organisations identify their current level of compliance, understand the regulatory gaps, and effectively plan the necessary steps toward full conformity with national cybersecurity standards.

You can check your organisation’s compliance with NIS2 requirements using our ECOVIS NIS2 self-assessment tool here: tis2.ecovis.lt

Whether you’re newly included in the Cybersecurity Entities Register or want to ensure readiness, our team of experts is here to assist. We provide tailored legal and regulatory guidance to help you navigate the organisational and technical requirements within the applicable transitional deadlines.

More about the Law on Cybersecurity of the Republic of Lithuania and the implementation of the NIS2 Directive.

Bank of Lithuania Aligns with EU Guidelines for Oversight of Critical ICT Providers under DORA

The Bank of Lithuania will implement the Joint Guidelines on Cooperation and Information Exchange for Oversight Purposes (JC/GL/2024/36), adopted by the Joint Committee of the European Supervisory Authorities (ESAs) on June 5, 2024, to enhance supervision under the EU Digital Operational Resilience Act (DORA).

These guidelines ensure effective, consistent, and coordinated oversight across the EU, particularly focusing on critical third-party ICT service providers. Key provisions include:

  • Coordinated oversight: ESAs will lead oversight of critical ICT third-party providers (CTPPs); NCAs like the Bank of Lithuania will focus on financial entities in their jurisdictions.
  • Structured information exchange: Secure, standardized formats and procedures for communication between ESAs and NCAs.
  • Defined roles: Clear responsibilities for incident reporting, risk assessments, and coordinated supervisory actions.

Unsolicited Marketing Email Leads to Data Protection Warning by Lithuanian Authority

The State Data Protection Inspectorate upheld a complaint by UAB “Principo reikalas” regarding an unsolicited direct marketing email received on April 17, 2024. The Inspectorate found that the sender had no prior consent and had used an email address sourced from a public website. The sender admitted to lacking consent and knowledge of proper procedures.

Following the investigation, the Inspectorate ruled the message constituted unlawful direct marketing under the Law on Electronic Communications (Article 81) and the Law on Legal Protection of Personal Data. The sender was instructed to comply with legal requirements in the future, particularly:

  • Obtain explicit prior consent before sending marketing communications, unless the narrow exception under Article 81(2) applies.
  • Ensure all marketing messages include a clear opt-out mechanism as required by GDPR Recital 70.

Organisations are advised to review their data processing practices, document consent procedures, and ensure compliance with GDPR and Lithuanian national laws.

EDPB Issues Draft Guidelines on Blockchain and GDPR Compliance

The European Data Protection Board (EDPB) has published draft Guidelines 02/2025 on personal data processing in blockchain technologies, open for public consultation until 9 June 2025.

Key highlights:

  • Minimise data: Avoid storing personal data on-chain.
  • Use off-chain storage: Keep personal data off-chain with encrypted or hashed references on-chain.
  • Uphold rights: Ensure access, rectification, and erasure are possible.
  • Define roles: Identify data controllers and processors.
  • Conduct DPIAs: Most blockchain projects require a Data Protection Impact Assessment.

EDPB Publishes 2024 Annual Report, Sets Strategic Priorities for 2024–2027

On 23 April 2025, the European Data Protection Board (EDPB) released its 2024 Annual Report, spotlighting achievements in strengthening GDPR enforcement and regulatory clarity amid digital transformation.

Key highlights:

  • New Strategy Adopted: The 2024–2027 strategy focuses on modernising data protection, aligning with the AI Act and Digital Services Act, and enhancing global cooperation.
  • Legal and Advisory Output: Eight Article 64(2) opinions issued on key topics like “Consent or Pay” and AI data use; four new guidelines introduced.
  • SME and Public Outreach: Resources like the GDPR guide for SMEs (in 18 languages) and simplified guideline summaries were launched.
  • Cross-Regulatory Engagement: The EDPB actively participated in legislative discussions to ensure practical data protection in a changing digital landscape.

EU Plans GDPR Reform to Ease SME Burden While Preserving Data Protection

The European Commission is preparing a GDPR reform package aimed at reducing administrative burdens—especially for SMEs—while maintaining core privacy principles.

Expected by May 21, 2025, the reforms will simplify obligations like record-keeping for companies with fewer than 500 employees. Key goals include:

  • Lower compliance costs for SMEs;
  • Harmonised enforcement across the EU;
  • Streamlined obligations for data controllers and processors.

Driven by calls for more business-friendly regulation from leaders like Denmark’s Digital Minister and backed by findings from the Draghi report, the reform seeks to improve legal certainty and better align GDPR with today’s digital and cross-border realities.
