1. The Conceptual Framework of the Law of the Republic of Lithuania on Security of Electronic Communication Networks and Information (hereinafter referred to as “this Conceptual Framework”) has been prepared for the purpose of implementing paragraph 157 of the Measures of Implementation of the Programme of the Government of the Republic of Lithuania for 2006-2008, which were approved by Resolution No 1020 of the Government of the Republic of Lithuania of 17 October 2006 (Valstybės žinios (Official Gazette)No 112-4273, 2006).

The strengths, weaknesses, opportunities and threats (SWOT) analysis of the information society development, given in the Strategy for the Development of Information Society of Lithuania approved by Resolution No 625 of the Government of the Republic of Lithuania of 8 June 2005 (Valstybės žinios (Official Gazette) No 73-2649, 2005) talks, among other things, about the outstanding problems of security of information technologies as one of the threats for the development of information society. It has also stressed that while developing new electronic services and application solutions it is necessary to ensure security of information technologies. The abovementioned Resolution defines information society development priorities. One of them is knowledge economy, the implementation of which pursues certain objectives, such as to support the development of secure and modern information infrastructure.

 

2. The Law on Security of Electronic Communication Networks and Information (hereinafter referred to as “the Law”) will govern the relations related to security of electronic communication networks and information (hereinafter referred to as “network and information security”), facilitate the development of secure information society, and increase consumer confidence in the information society.

3. The fast growth in the field of information society and media prompted by the increasing development of information and communication technologies in recent years will be further promoted by very widespread fast connections integrating many devices (according to the data of 2005, there were 781 thousand Internet subscribers in Lithuania). Today, a traditional electronic format material is available (e.g. movies, videos, music), in addition, new exclusively digital services are emerging, for example, interactive software. The convergence of information society and media services, networks and devices has finally become a part of everyday life: information and communication technologies are now more user-friendly, faster and easier to adapt. In order to be able to respond to radical developments of information and communication technologies and to accelerate the development of the information society, there must be a pro-active policy. It is vitally important to amend legal acts, so that the existing legal system does not impede the technological progress, but, on the contrary, contributes to it: they must suit the existing public relations and properly protect users, increase their confidence in information technologies, and encourage the use of advanced and secure information technologies (according to the statistical data of one of the biggest Internet providers in Lithuania, the number of network-related incidents has increased at least 100 times from 1998 to 2004).

4. In Lithuania, the society’s social relations are being increasingly moved to a virtual space: electronic communications are actively used not only to send or receive information, but also to utilise the e-banking, e-business and e-government potential. Unfortunately, these changes also incite illicit activities in the electronic space. A survey on network and information security situation in Lithuania conducted in 2005 has revealed that 78 % of directly interviewed people (respondents of representative survey), 79 % of business  enterprises and 100 % of Internet service providers have faced  computer viruses. Accordingly, 63 % of Internet users, 76 % of business enterprises and 100 % of Internet service providers indicated receiving spam from the Internet. 18 % of directly interviewed people, 25 % of business enterprises and 71 % of Internet service providers have suffered losses because of various network and information security incidents. Given the present situation, it is necessary to constantly and systematically tackle network and information security problems and strengthen the legal framework in this field at a national level.

5. In its Communication to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions “i2010 – A European Information Society for Growth and Employment” of 1 June 2005, the European Commission has identified security as one of the main challenges of digital convergence in the creation of a Single European Information Space: making Internet safer from and resistant to fraudsters, harmful content and technology failures to increase trust amongst investors and consumers. Once information and communication technologies are reliable and secure, converging digital services will be increasingly accessible. The European Union legislation does not lay down any specific requirements for the Member States to be transposed into national legislation; however, network and information security in the European Union is already considered as a priority.

6. Considering that the most important public relations must be regulated by laws rather than by secondary legislation, a relevant form to regulate public relations in the field of network and information security has been chosen, i.e. a law.

7. The main objective of the Law is to define and lay down the regulatory framework for public relations related to network and information security. Inasmuch as it is related to network and information security in the provision of electronic communication services, the Law will also fill in the gaps in the legal regulatory framework for the provision of electronic communication services.

8. The Law will define regulatory principles for network and information security activities and the concept of network and information security as well as other concepts related to this subject-matter. Article 4(c) of Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ 2004 L 77, p. 1) stipulates that “network and information security” means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems. This concept, which has not been used yet in the legislation of the Republic of Lithuania, is to be transposed into the Law.

9. Currently spam constitutes the major part of the total e-mail flow and that is a big problem for electronic communication networks. The systems of Internet service providers are overloaded, the overall throughput is decreasing, the fight against spam requires additional resources, and serious financial losses are incurred. Spam adds to the threat of computer viruses and various frauds. Consumer opinion surveys also show that spam is one of the major security problems to the consumers. The inconveniences increase consumers’ distrust in electronic mail and the Internet in general. It is forecasted that this problem will be further aggravated by the spread of Universal Mobile Telecommunications Systems (UMTS) standard, when mobile communication network will be opened for the Internet. The use of electronic communication services for the purposes of direct marketing is partly regulated by the Law of the Republic of Lithuania on Electronic Communications (Valstybės žinios (Official Gazette) No 69-2382, 2004). For the abovementioned reasons, the Law will define the concept equivalent to the concept of network and information security defined in Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency, by additionally extending the concept of network and information security to cover the capacity of information system to reduce spam sent for direct marketing purposes. This would allow filling in the regulatory gap, when information systems are adapted for and facilitate the sending of spam.

10. The Law will:

11. The Law will also provide for general regulatory and legal basis, enabling the adoption of secondary legislation, which will set out the provisions of the Law in a greater detail. The secondary legislation will be adopted by the Government of the Republic of Lithuania, by a body to be designated by the Government, and by the Communications Regulatory Authority of the Republic of Lithuania (hereinafter referred to as “Communications Regulatory Authority”).

 

12. The number of information and network security breaches is growing fast. This causes a lot of financial losses and creates new risks and threats for the development of the information society. It is necessary to contribute to the development of a secure information society by properly regulating public relations in this field. Today there is no law in the Republic of Lithuania that regulates, in a coherent manner, public relations related to network and information security; however, some legal acts contain provisions relating to network and information security. Unfortunately, they do not ensure a thorough and clear regulation of these relations.

13. Article 62 of the Law of the Republic of Lithuania on Electronic Communications stipulates that providers of publicly available electronic communication services must implement appropriate technical and organisational measures to safeguard security of their services, and, if necessary, implement such same measures in cooperation with providers of public communication networks to safeguard security of public communication networks. These measures shall ensure a level of security appropriate to the risk posed. Once the provider of publicly available electronic communication services becomes aware of a particularly high risk of a breach of security of the electronic communication network or a part thereof, he must inform subscribers of such a risk and, where the measures taken by the service provider have failed to eliminate the cause of origin of such a risk, of any possible remedies and of the likely costs of such remedies. The abovementioned provision of the Law of the Republic of Lithuania on Electronic Communications provides only for a general obligation of both providers of publicly available electronic communication services and providers of public communication networks to take undefined measures to safeguard security of their services. It should be noted that this obligation is binding only on undertakings providing electronic communication networks and services; therefore, the proposed Law will broaden the circle of entities, by additionally setting relevant obligations related to network and information security for those undertakings which provide intermediate services of information society (e.g. information storage) and do not necessarily come within the scope of application of the Law of the Republic of Lithuania on Electronic Communications. The proposed Law will lay down guidelines for technical and organisational measures aimed to ensure network and information security. In addition, the Law will authorize the Communications Regulatory Authority to approve secondary legislation, specifying in a greater detail technical and organisational measures to be implemented to ensure network and information security according to the relevant services.

14. Article 63 of the Law of the Republic of Lithuania on Electronic Communications requires to ensure confidentiality of communications. It stipulates that undertakings providing electronic communication networks and/or services must take appropriate organisational and technical measures and ensure that it is prohibited to disclose the content of information transmitted via electronic communication networks and/or related traffic data to persons that are not actual users of electronic communication services without the consent of the interested actual users of electronic communication services or to create conditions for gaining access to such information and/or related traffic data. The State Data Protection Inspectorate (hereinafter referred to as “the Data Protection Inspectorate”) acting pursuant to Resolution No 807 of the Government of the Republic of Lithuania of 20 July 2005 “On the Approval of the Rules of Checking Confidentiality of Information” (Valstybės žinios (Official Gazette) No 89-3341, 2005,) shall monitor the compliance by undertakings providing electronic communication networks and/or services with the requirements concerning confidentiality of information.

15. Article 68 of the Law of the Republic of Lithuania on Electronic Communications regulates the use of electronic communication services for the purpose of direct marketing and prohibits the use of electronic communication services without a prior consent of the subscriber, determines certain requirements for senders of such electronic messages (e.g. prohibition to disguise or conceal the identity of the sender and the obligation for the sender to indicate a valid address at which the recipient may send a request to stop sending such information). The provisions of Chapter 9 of the abovementioned law are also partly related to the protection of privacy as part of safeguarding network and information security. With the massive spread of spam (which represents about 70 % of the total e-mail traffic today), a bare possibility to punish the spam sender is insufficient. In order to stop this negative phenomenon and taking into consideration the principle of technological neutrality, the Law will provide for the identification and implementation of technical and organisational measures designed for the prevention of the spread of spam.

16. Article 24 of the Law of the Republic of Lithuania on Legal Protection of Personal Data (Valstybės žinios (Official Gazette) No 63-1479, 1996; No 15-597, 2003) stipulates that the data controller and data processor must implement appropriate organisational and technical measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, disclosure as well as against any other unlawful processing. The abovementioned measures must ensure a level of security adequate for the nature of data to be protected and the risks posed by processing operations and must be specified in a written or equivalent document (such as data processing regulations to be approved by the data controller, a contract between the data controller and the data processor, etc.). This provision of the Law of the Republic of Lithuania on Legal Protection of Personal Data is analogous to the provision of Article 62 of the Law of the Republic of Lithuania on Electronic Communications, with the exception that it is applicable to data controllers and data processors who, while providing relevant services, process data of a natural person.

17. Other articles of the Law of the Republic of Lithuania on Legal Protection of Personal Data lay down the system of protection of personal data (as a part of private information of natural persons).

18. The task to monitor the implementation of provisions of Articles 62 and 68 as well as other articles contained in Chapter 9 is entrusted, by Article 12(5)(1) of the Law of the Republic of Lithuania on Electronic Communications, to the Data Protection Inspectorate, which is responsible under the Law of the Republic of Lithuania on Legal Protection of Personal Data for an individual’s right to privacy, as it processes personal data. In order to protect personal data appropriately (in particular when it is processed by automated (computer-assisted) means), it is necessary to implement appropriate measures for ensuring network and information security. The protection of personal data is not possible without complying with relevant requirements for network and information security. On the other hand, these same requirements also apply for the purpose of guaranteeing other personal rights (apart from the right to privacy) within the information society (protecting persons against fraud or loss of information and financial or time resources, against interruptions in information systems they are using, against deprivation of access to services, etc.); therefore, the competence of relevant authorities in ensuring full protection of personal rights while using information society services must be clearly defined.

19. The Law of the Republic of Lithuania on Electronic Signature (Valstybės žinios (Official Gazette) No 61-1827, 2000) regulates the creation, verification, and validity of electronic signature, signature users’ rights and obligations, and the functioning of the necessary infrastructure. It regulates one of the elements of secure information society, designed to ensure a reliable and legally relevant exchange of information between users of information society services (i.e. electronic signature).

20. The Convention on Cybercrimes (Valstybės žinios (Official Gazette) No 36-1188, 2004) was ratified by the Law of the Republic of Lithuania on the Ratification of the Convention on Cybercrimes (Valstybės žinios (Official Gazette) No 36-1178, 2004); relevant provisions of the Convention were transposed by Articles 196 to 198² of the Criminal Code of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 89-2741, 2000), namely: Article 196 concerning deletion or alteration of computer information (serious damage must be done), Article 197 concerning deletion or alteration of a computer program and interruption of operation of a computer network, a database or an information system (serious damage must be done), Article 198 concerning misappropriation and dissemination of computer information (provided that the information is protected by laws), Article 198¹ concerning illegal connection to a computer or a computer network, Article 198² concerning illegal possession of devices, computer programs, passwords, log-in codes and other data for criminal purposes. Criminal activity of this type is investigated by pre-trial investigation authorities indicated in Article 165 of the Code of Criminal Procedure of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 37-1341, 2002). It should be noted that a specialised Cybercrimes Investigation Division was established within Lithuanian Criminal Police Bureau to carry out pre-trial investigations with respect to such criminal activities.

21. The proposed Law is not intended to replace the computer crime system set up in the Criminal Code of the Republic of Lithuania. It will enable not only to take responsive measures for offences already committed (punish the perpetrators), but also to ensure prevention of such offences and their adverse effects. The Law will also clearly delimit behaviour, i.e. define activities, which are not formally criminalized (because the Criminal Code of the Republic of Lithuania criminalizes certain activities only by introducing a supplementary criteria – serious damage done), but are clearly dangerous, such as the creation and use of a harmful software code; unauthorised connection to an electronic communication network or information system or facilitation of such connection; collection, dissemination, acquisition, use or other kind of operations with e-mail address for direct marketing and similar purposes without consent of the user; such acts will carry administrative liability under the Code of Administrative Offences of the Republic of Lithuania (Valstybės žinios (Official Gazette) No 1-1, 1985).

22. The Law of the Republic of Lithuania on State Registers (Valstybės žinios (Official Gazette) No 86-2043, 1996; No 124-4448, 2004) regulates the setting-up, management, reorganisation and liquidation of state registers (cadastres); the system of state registers and general principles of interaction between state registers; and rights and responsibilities of leading state register management bodies, state register management bodies, state register supervisory institutions, state register managers, state register data suppliers and recipients. Article 2(19) of the Law of Republic of Lithuania on State Registers defines a register as a totality of legal, organisational and technical measures intended for the registration of register objects designated by the law, and the collection, accumulation, processing, systematisation, storage and provision to legal and natural persons of quantitative, qualitative, geographic and other data and documents.

23. Article 20 of the Law of the Republic of Lithuania on State Registers lays down data security requirements for registers: “The register management body and register managers shall bear responsibility for register data protection. When processing register data, it shall be required to implement register data protection measures intended for ensuring the accuracy of register data and safeguarding them from accidental or unlawful destruction, alteration, disclosure, and also from all other unlawful forms of processing. To ensure the protection of register data, register data protection regulations shall be drawn up and approved by the leading register management body in compliance with the general data protection requirements approved by the Government. These regulations shall specify appropriate register data protection measures, the requirements concerning safe processing of register data and the implementation thereof. Register managers must ensure, in accordance with the provisions of register data protection regulations, appropriate administrative, technical and organisational measures governing data protection as well as compliance with such measures. State officials and employed persons who process register data shall be bound by an obligation to safeguard the confidentiality of data. The obligation to safeguard the confidentiality of data shall remain valid even after the termination of activity related to the processing of register data.”

24. The Law of the Republic of Lithuania on State Secrets and Official Secrets (Valstybės žinios (Official Gazette) No 105-3019, 1999; No 4-29, 2004) lays down the requirements for network and information security in the field of protection of state and official secrets. Chapter 8 of the abovementioned Law regulates the protection of automated data processing systems and networks used for storing, processing or transmitting classified information, by regulating the issuance of authorisations to process classified information via automated data processing (ADP) systems and networks, by laying down security requirements for such systems and networks as well as for information-carrying media. It should be noted that inasmuch as state and/or official secrets are concerned, the proposed Law is not intended to replace regulation of network and information security; the Law will only define general requirements, whereas the Law of the Republic of Lithuania on Sate Secrets and Official Secrets, as a special legal act, will separately regulate relations in the field of safeguarding security of state and/or official secrets.

25. Mention may be made of several network and information security-related resolutions of the Government of the Republic of Lithuania, which regulate, in a wide sense, network and information security within state and municipal institutions: Resolution No 952 of 4 September 1997 “On Data Protection in the State and Municipal Information Systems” (Valstybės žinios (Official Gazette) No 83-2075, 1997; No 2-45, 2003), Resolution No 290 of 5 March 2003 “On the Approval of the Procedure for the Control of Confidential Information in Public Computer Networks and Dissemination of Restricted Public Information” (Valstybės žinios (Official Gazette) No 24-1002, 2003), Resolution No 451 of 19 April 2004 “On the Approval of the Rules for the Setting-up and Validation of State Information Systems” (Valstybės žinios (Official Gazette) No 58-2061, 2004), Resolution No 807 of 20 July 2005 “On the Approval of the Rules for Checking Security of Communications” (Valstybės žinios (Official Gazette) No 89-3341, 2005), and Resolution No 601 of 19 June 2006 “On the Approval of the State Strategy until 2008 for Security of Electronic Information Stored in Information Systems of State Institutions and the Plan of its Implementation Measures” (Valstybės žinios (Official Gazette) 70-2575, 2006):

26. Judging from legislation in the same area of public relations, described in Chapter III of this Conceptual Framework, it can be said that so far none of the laws of the Republic of Lithuania or secondary legislation regulate network and information security in a comprehensive and systematic manner, and that the existing legal acts do not ensure a thorough and coherent regulation of public relations in the field of network and information security and do not create conditions for enhancing consumer confidence in information society and for developing a safe information society. Only fragmentary regulation is provided for. Certain important issues are still outstanding, such as a lack of definitions, absence of a well-structured institutional set-up, no regulation of liability for activities which are not formally criminalized by the Criminal Code of the Republic of Lithuania (because a serious damage is not done), no detailed description of obligations of providers of electronic communication services and intermediate services of information society to take care of the security of their customers (some providers are not bound by such an obligation at all), absence of an investigation scheme for network and information security incidents, no regulation of network and information security in state and municipal systems  (network and information security in state and municipal systems is still regulated by secondary legislation, i.e. by resolutions of the Government of the Republic of Lithuania and ministerial orders), unclear regulatory scheme for the security of critical information infrastructure, absence of regulation concerning the assessment of network and information security.

27. Merely supplementing the Law of the Republic of Lithuania on Electronic Communications does not suffice for solving the problem of underregulation of network and information security for several reasons. Firstly, the proposed Law will cover a wider range of entities than the Law of the Republic of Lithuania on Electronic Communications does, to include providers of intermediate services of information society (the concept is defined in Chapter X of this Conceptual Framework). Secondly, the scope of the Law will include not only electronic communication networks, but also information systems. Thirdly, the Law of the Republic of Lithuania on Electronic Communications does not regulate relations related to the content of information transmitted via electronic communication networks, although network and information security is partly related to this field as well, e.g. it is necessary to regulate such issues as the creation and use of a harmful software code.

28. To ensure network and information security, integrated regulation is necessary, as information systems may be used for various activities which restrict access to services and cause inconveniences (such as spam) for other persons and bring financial losses to the providers of those services, including criminal activities, such as thefts from electronic bank accounts and loss of other data causing considerable financial losses to their legitimate possessors, etc. The activities criminalized by the Criminal Code of the Republic of Lithuania in the computer-related area are of specific criminal nature; therefore, most of them must have specific consequences, i.e. cause serious damage. However, laws do not yet prohibit activities, which are not so much dangerous within the meaning of criminal law as to carry other types of liability for perpetrators.

29. The proposed Law is intended to fill in the abovementioned regulatory gaps and define the prohibited activities in the field of network and information security (e.g. dissemination of a harmful software code), as well as amend the Code of Administrative Offences of the Republic of Lithuania accordingly, by adding new provisions imposing liability for illegal activities in the field of network and information security.

30. The Law will grant market supervision functions in the field of network and information security to one authority, i.e. the Communications Regulatory Authority, and clearly define the scope of competences and powers of this Authority, including the function of ensuring, in cooperation with other authorities acting pursuant to laws regulating their activity and competence in the field of network and information security, a high level of network and information security in Lithuania.

31. As already stated in paragraph 18 of this Conceptual Framework, in order to ensure a more efficient regulatory scheme in the field of network and information security, the competences of relevant authorities must be clearly defined.

32. The Law will lay down general requirements for network and information security, which will ensure consumer interests in the information society. The Law will also define providers’ rights and obligations for ensuring network and information security, e.g. the obligation to filter harmful software codes and block harmful addresses in e-mail systems without affecting the privacy of natural persons (taking into consideration the recommendations provided in the Opinion 2/2006 of 21 February 2006 of the Article 29 of the Directive 95/46/EC on Data Protection Working Party on privacy issues relating to the provision of email screening services), which is not regulated at the moment.

33. The Law will also provide for an investigation scheme for network and information security incidents and create the conditions to prevent the spread of network and information security incidents by temporarily restricting access to services or networks for the sources of network and information security incidents and by imposing other sanctions.

34. The Law will regulate the fields of audit of network and information security and assessments of hardware and software security, which have not been regulated by any other legal acts yet. The Law is aimed not at replacing network and information security audit performed in the market, but at introducing a system for ensuring higher reliability, which will be applied to critical information infrastructures and to state and municipal information systems specified by the Government of the Republic of Lithuania or, on a voluntary basis, to any other market players.

35. Currently no law regulates network and information security of critical information infrastructures. The proposed Law will fill in this regulatory gap by setting forth the basic principles for ensuring network and information security of the critical information systems, identifying the entities (the Government of the Republic of Lithuania or an institution authorised by it) having the right to draw up a list of critical information infrastructures, identifying the entities having the right to submit proposals regarding the drawing-up, amending or supplementing such a list, and designating authorities exercising the supervisory function.

 

36. The practice of regulation of network and information security in foreign countries is not abundant as most of the countries are still in the process of developing the regulatory scheme in this area.

37. For instance, Finland has a Law on the Protection of Privacy in Electronic Communications which came into force on 1 September 2004 and whose objective is to ensure confidentiality and protect privacy in electronic communications, strengthen network and information security, and improve electronic communication services. Taking into consideration the principle of technological neutrality, the abovementioned Law empowers the Electronic Communications Regulator of Finland, FICORA, to approve secondary legislation according to relevant network and information security categories and services. Mention should be made of the requirement for e-mail service providers to fight against spam, also the requirement to provide the unit in charge of investigating network and information security incidents with any information on network and information security incidents, and other.

38. General overview of lawmaking practices in foreign countries in the field of network and information security reveals that regulation is fragmentary. Many foreign countries, in particular European Union Member States, are concerned about the necessity to draw up a single national legal act to regulate network and information security (such a law is currently being drafted by Belgium).

 

39. The European Union legislation provides for relevant obligations while increasing the level of network and information security both on national and international level:

40. The regulatory system of network and information security is based on certain principles, the most important of which are the following:

41. The Law will introduce the following regulatory novelties:

42. The Law will create conditions to protect users, undertakings, state and municipal institutions and agencies against potential threats arising from the use of information services. The Law will clearly regulate competences of each responsible authority in the area of network and information security, and will facilitate effective cooperation and speedy and accurate investigation of network and information security incidents.

43. No adverse effects of the proposed legal regulation are envisaged.

 

44. The Government of the Republic of Lithuania, institutions authorised by it (the Ministry of Transport and Communications and the Ministry of the Interior), and the Communications Regulatory Authority shall be charged with the task of implementing the Law. The Communications Regulatory Authority will be financed in the manner provided for in the Law of the Republic of Lithuania on Electronic Communications. No new authorities will be established. The drafting and implementation of the Law will not require any additional public funds.

 

45. The Law will have the following 7 sections:

Section One. General provisions.

Section Two. The system for the formation and regulation of policy and strategy in the area of network and information security.

Section Three. General requirements for network and information security.

Section Four. Network and information security of state and municipal institutions and of critical information infrastructures.

Section Five. Audit of network and information security and assessment of hardware and software security.

Section Six. Receipt of information and monitoring of compliance with the Law.

Section Seven. Final provisions.

Section One of the Law will define the subject-matter and the purpose of the Law, as well as its application, regulatory principles (principally corresponding to those laid down in Article 2 of the Law of the Republic of Lithuania on Electronic Communications), and objectives. Section One will define the following concepts:

Electronic data means any facts, information or concepts presented in a form suitable for processing in an information system, including a program suitable to cause the information system to perform a function.

Intermediate services of information society means information society services, which totally or partially consist of the transmission of information provided by a user, via an electronic communication network, of the provision of a possibility to use the electronic communication network, or of the storage of information provided by a user.

Information system means any device or a group of interconnected or related devices, one or more of which perform automated processing of electronic data using a program, also in which electronic data is stored or processed or from which electronic data is retrieved or via which electronic data is transmitted with the purpose of processing, use, protection or monitoring. 

Network and information security means the ability of an electronic communication network and information system to resist, at a given level of confidence, accidental events or actions that compromise or may compromise the availability, authenticity, integrity or confidentiality of electronic data stored, processed or transmitted via the information system or electronic communication network, or of the related services offered by or accessible via that information system or electronic communication network, including the ability to block the transmission of e-mail messages sent for direct marketing purposes without a prior consent of the subscriber.

Harmful software means a software code (or a part of it) designed for/facilitating illegal connection to information systems or electronic communication network, for disruption or transformation of operation (including the interception of management) of the information system or electronic communication network, for destruction, damaging, removal or alteration of electronic data, for deprivation or restriction of access to electronic data, or for allowing non-public electronic data to be misappropriated, disseminated, published, distributed or used otherwise.

Critical information infrastructure means an electronic communication network, an information system or a group of information systems, the illegal connection or facilitation of illegal connection to which, the illegal disruption or transformation of which, the destruction, damaging, removal or alteration of or the deprivation or restriction of access to the electronic data stored or processed in or retrieved from or transmitted via which, compromises or may compromise national security, national economy or society’s welfare.

Audit of network and information security means the evaluation of the conformity of electronic communication network and/or information system to the compulsory, applicable and/or declared requirements of network and information security and/or the assessment of the security of the electronic communication network and/or of information system networks and information.

Network and information security incident means any event, action or omission, which causes/facilitates or may cause/facilitate an illegal connection to the information system or electronic communication network, disrupt or transform (including the interception of management) the operation of the information system or electronic communication network, destruct, damage, remove or alter electronic data, deprive or restrict access to the electronic data, also allow the misappropriation, dissemination, publication, distribution or any other use of non-public electronic data and the sending of e-mail messages for direct marketing purpose without a prior consent of the subscriber.

Network and information security management rules means the totality of documents laying down technical and organizational measures for ensuring network and information security.

Provider means an undertaking providing public communication networks, public electronic communication services or intermediate services of information society via the public communication network.

Other concepts to be used in this Law shall have the meanings defined in the Law of the Republic of Lithuania on Electronic Communications and other legal acts.

Section Two will lay down the institutional set-up for the regulation of network and information security and identify the main authorities: the Government of the Republic of Lithuania, institutions authorised by it (the Ministry of Transport and Communications and the Ministry of the Interior), and the Communications Regulatory Authority. In the institutional set-up, political and regulatory functions will be separated, with political functions being assigned to the Government of the Republic of Lithuania and the institutions authorised by it (the Ministry of Transport and Communications, and the Ministry of the Interior), and the function of regulating market monitoring being assigned to the Communications Regulatory Authority. In order to establish a clear institutional framework for administration of network and information security, the Law will define functions of other authorities (such as the Police Department under the Ministry of the Interior) in the field of network and information security, and lay down the guidelines for institutional and international cooperation. This Section will also lay down the principles of application of standardisation documents concerning network and information security.

Section Three will lay down general requirements concerning network and information security, define illegal activities in the area of network and information security, lay down the providers’ (undertakings providing public communication networks, public electronic communication services or intermediate services of information society, via public networks) rights and obligations concerning network and information security. It will contain provisions about the maintenance and monitoring of network and information security and investigations of network and information security incidents. For this purpose the Communications Regulatory Authority will coordinate activities of the investigation group for network and information security incidents; provisions about voluntary application of network and information security requirements will by laid down, etc.

Section Four will deal with ensuring, controlling and maintaining network and information security in state and municipal institutions and of critical information infrastructures. Section Four will serve the purpose of regulating, by a law, security of state and municipal networks and information, which has already been defined in sufficient detail, and facilitating the regulation of security of critical information infrastructures, obligations of state and municipal institutions, possible means of secure transmission of data and provision of public services.

Section Five will regulate network and information security audit, principles and requirements for certified auditors of network and information security, and assessments of hardware and software security.

Section Six will lay down the procedures and conditions for monitoring the compliance with the Law, to ensure its implementation.

Section Seven will set the date of entry into force and implementation of the Law.

 

46. For the purpose of implementing the Law, the following legal acts shall be amended:

The Law of the Republic of Lithuania on Electronic Communications;

The Code of Administrative Offences of the Republic of Lithuania.

47. The Government of the Republic of Lithuania or institutions authorised by it shall, within their competence, amend the legal acts to be compatible with the Law and its implementation.