Executive Summary
On 15 April 2026 the Russian Ministry of Defence published a 21-target European list naming Vilnius (UNITED24, pravda.com.ua, Meduza, TASS); defence-industry sites sit inside that target package. Lithuanian primes such as Granta Autonomy (FPV drones, CEO Gediminas Guoba), Brolis Defence (gallium-antimonide mid-infrared optoelectronics), and Kongsberg-owned NanoAvionics (satellite buses) operate without a dedicated industrial-base protection regime. Foreign-investment screening, secure-supply-chain mandates, defence-grade cybersecurity certification, and wartime production continuity are spread across general company law, EU NIS2 (transposition deadline 17 October 2024), and case-by-case ministerial review. Reference models exist: the US Committee on Foreign Investment review process and Defense Production Act, the Department of Defense Cybersecurity Maturity Model Certification 2.0, the United Kingdom National Security and Investment Act 2021, and Polish foreign-direct-investment screening. The recommended next step is a feasibility study by the Ministry of National Defence and the Ministry of Economy and Innovation, with Seimas, operator, and allied input, that maps screening thresholds, supply-chain audit scope, insurance backstop design, and how the framework aligns with the Wassenaar Arrangement and ITAR. Final design is for Lithuania to determine.
The Problem
On 29-30 December 2025, Russian state hackers (Sandworm) destroyed the digital systems of two Polish combined heat-and-power stations using the DynoWiper tool (welivesecurity.com, Dragos, SecurityWeek) — a precedent for industrial-software attack. On 15 April 2026 the Russian Ministry of Defence named Vilnius in a 21-target European list. Ukrainian wartime experience shows defence-industry sites become continuous targets: Mykolaiv shipyard, Pivdenmash, and dozens of component factories have been struck repeatedly. Hostile takeover is a parallel vector — Ukraine almost lost Motor Sich, its helicopter-engine maker, to a Chinese acquisition before the deal was blocked; the company then produced under wartime conditions.
Lithuania has no defence-specific foreign-investment screening regime; general company law does not require security review of acquisitions of dual-use or weapons manufacturers. Cybersecurity standards for defence suppliers rely on NIS2 transposition rather than a defence-grade certification. Wartime production-continuity authority over private primes is ambiguous. There is no insurance backstop for kinetic damage to defence-industry sites, and no single registry tying identification of strategic suppliers, mandatory standards, audit, and crisis command together.
Without action: A hostile acquisition can compromise an entire capability area before a single soldier crosses a border. A combined cyber and missile strike on undefended primes can halt production at the moment of greatest need. Allied technology-transfer partners may withhold sensitive components without a credible screening and certification regime.
Lithuanian Context
Lithuania's defence industrial base is small and concentrated — Granta Autonomy, Brolis Defence, NanoAvionics, and a handful of others sit within a few kilometres of Vilnius and Kaunas. Whether screening should follow the UK NSI mandatory-notification model, whether wartime production authority sits with the Ministry of National Defence or the Ministry of Economy and Innovation, how the framework aligns with NIS2, the Wassenaar Arrangement, and ITAR, and whether an insurance backstop for kinetic damage is structured as state reinsurance or EU-pooled cover, are determinations for the Seimas and Lithuanian operators.