
Critical Infrastructure Protection Legal Framework Study

Lithuanian critical-infrastructure rules sit across more than ten acts with unclear wartime authority; a consolidated framework could close those gaps, but the design is a Lithuanian decision.

Executive Summary

On 29-30 December 2025, Russian state hackers (Sandworm) destroyed the digital systems of two Polish combined heat-and-power stations by stealing the certificates that authenticate utility networks (welivesecurity.com, Dragos, SecurityWeek). On 15 April 2026 the Russian Ministry of Defence published a 21-target European list naming Vilnius (UNITED24, Meduza). Lithuania completed BRELL desynchronisation from the Russian grid on 9 February 2025; in September 2025 Litgrid launched a 382 million euro programme that has concrete-blocked the Nemencine and Neris substations. The Energy Security Operations Centre sits in the Ministry of Energy, not the Ministry of National Defence; rules across ten-plus acts leave wartime commandeering authority ambiguous. EU NIS2 (deadline 17 October 2024) covers cybersecurity; the Critical Entities Resilience Directive covers physical resilience. Reference models exist in Estonia (Civil Crisis Act 2025), Poland (Security and Defence Fund 2025), and Ukraine (Law 9381). The recommended next step is a feasibility study by the two ministries, with Seimas and operator input. Final design is for Lithuania to determine.

The Problem

Modern attacks target the systems that keep a country running before any soldier crosses a border. The Sandworm DynoWiper attack on Polish power stations in late December 2025 showed that destroying utility software is now a routine operation. Russian missile and drone strikes have destroyed roughly 70 percent of Ukraine's electricity-generating capacity since 2022. Lithuania faces the same threat surface across electricity, district heating, gas storage, the port of Klaipeda, the rail and road corridors through the Suwalki gap, hospitals, water, digital infrastructure, and food supply.

Critical-infrastructure rules are spread across more than ten Lithuanian acts; wartime commandeering authority over private operators is ambiguous; physical-hardening standards are largely voluntary; the Energy Security Operations Centre sits in the Ministry of Energy while defence-coordination authority sits in the Ministry of National Defence; there is no single registry tying identification, mandatory standards, audit, and crisis command together.

Without action: A hybrid campaign combining cyber attacks on grid software with kinetic strikes can paralyse civil and military functions before any allied response. Voluntary protection regimes elsewhere have produced compliance below 30 percent; mandatory regimes with audits exceed 80 percent.

Lithuanian Context

BRELL desynchronisation, completed on 9 February 2025, has already shifted the threat surface; the Litgrid 382 million euro programme, launched in September 2025, has begun concrete-blocking the Nemencine and Neris substations. Whether legal consolidation should follow the Estonian single-act model, whether wartime authority over private operators sits with the Ministry of National Defence or the Ministry of Energy, and how the framework aligns with NIS2 and the Critical Entities Resilience Directive are determinations for the Seimas and Lithuanian operators.