Executive Summary
The Critical Infrastructure Protection Law represents a strategic pivot from passive protection to proactive resilience. By consolidating over ten disparate legislative acts and establishing mandatory standards for 200+ critical objects across 12 sectors, this initiative addresses systemic capability gaps exploited in modern hybrid and high-intensity conflicts. The framework transitions from Critical Infrastructure Protection (CIP) to Critical Infrastructure Resilience (CIR)—emphasizing the ability to anticipate, absorb, and recover from disruptions. Key elements include: unified legal consolidation (following Estonian model), three-tier physical hardening standards (passive fragment protection, drone-strike resistance, missile-hardening), mandatory incident reporting (24-hour early warning, 72-hour detailed report), pre-defined wartime commandeering authorities, and strategic financial support mechanisms. The framework serves as a non-kinetic deterrent, communicating that Lithuania is not a 'brittle' target but a resilient society capable of sustaining vital functions under extreme pressure.
Transforms CI from vulnerability to deterrent asset; Establishes legal foundation for €billions in protection investment; Creates 'Resilient Lithuania' capable of maintaining essential functions under military threat, influence operations, or economic disruption
In short: 200+ CI objects registered across 12 sectors; Three-tier mandatory hardening standards; 100:1 prevention vs. replacement ROI; Unified command structure for civil-military crisis response; EU NIS2/CER compliance; Deterrence through survivability
The Problem
Modern conflict has evolved into a multi-domain struggle where critical infrastructure is the primary target. The goal is to demoralize the population, obstruct military mobilization, and disrupt the economy. In the contemporary 'gray zone' of conflict, the functional paralysis of a state can be achieved without a single soldier crossing a border—simply by degrading the systems that sustain civil society and military readiness. The current Lithuanian legal landscape for infrastructure protection is characterized by fragmentation: responsibilities distributed across various ministries and agencies, often operating in silos with differing standards for cybersecurity, physical protection, and crisis response. This lack of a unified framework creates 'seams' that adversaries can exploit through hybrid tactics, such as cyber-physical sabotage or economic coercion.
CI protection fragmented across 10+ laws with unclear responsibilities; No wartime commandeering authorities; Voluntary compliance for most sectors; No unified command structure for civil and defense crises; Legal authority to commandeer private CI during hybrid attack or war remains unclear; Protection remains largely voluntary, compliance inconsistent across sectors; No mandatory physical hardening standards; No central CI registry with systematic identification criteria
Without action: Ukrainian infrastructure vulnerability demonstrates consequences: legal framework didn't adequately protect energy grid—Russian missiles destroyed approximately 70% of generating capacity and 40% of overall power capacity. Pre-war Ukrainian CIP framework was 'weak' and 'fragmented' with requirements existing only on paper without enforceable teeth. One destroyed power plant = €500M loss + weeks of civilian suffering. Without comprehensive framework: voluntary protection achieves only 30% compliance vs. 80%+ with mandatory standards and audits; Lithuania remains a 'brittle' target; hybrid attack can paralyze state functions before military response
Lithuanian Context
Lithuania faces unique vulnerability in Baltic region where security of critical infrastructure is primary pillar of national sovereignty and prerequisite for credible deterrence. Geographic position including Suwalki gap creates critical chokepoint for NATO military mobility. Transition from passive protection to proactive resilience essential for small state in high-risk location facing existential threat. The legal framework serves as non-kinetic weapon—communicating that Lithuania is not a 'brittle' target but a resilient society capable of sustaining vital functions under extreme pressure.
Suwalki gap region where protection of rail and road corridors is shared responsibility between civilian operators and Armed Forces; Klaipėda port as critical military mobility and supply chain node; Energy infrastructure vulnerability given regional interconnections; Border regions requiring enhanced resilience for military mobility support