What is AI regulation in Lithuania?
AI regulation: countries and regions
AI regulation in Lithuania rests on the directly applicable European Union AI Act, implemented nationally through January 2025 amendments to the Law on Technology and Innovation and the Law on Information Society Services. Lithuania was among the first three EU member states to designate both required authorities: the Communications Regulatory Authority (RRT) is the market surveillance authority and single point of contact, and the Innovation Agency is the notifying authority. The framework is paired with an active AI regulatory sandbox and heavy national investment in sovereign computing and Lithuanian-language AI.
What this means
Lithuania does not write its own substantive rules for what artificial intelligence may or may not do. Those rules, the risk categories and the technical duties come from the EU AI Act, which applies directly in every member state. Lithuania's own legislative work has focused on a narrower question: which national bodies hold the power to supervise the market, certify high-risk systems and act as the point of contact for the European Commission.
In January 2025 the Lithuanian parliament answered that question. It named the Communications Regulatory Authority, known by its Lithuanian initials RRT, as the market surveillance authority and single point of contact, and the Innovation Agency as the notifying authority that designates and oversees the independent bodies certifying high-risk AI. This made Lithuania one of the earliest EU states to put a complete national enforcement structure in place ahead of the Act's main deadlines.
Alongside the regulatory plumbing, Lithuania treats AI as an industrial opportunity. It has launched one of the EU's first AI regulatory sandboxes, won European funding for a national AI supercomputing centre, and invested tens of millions of euros in Lithuanian-language AI resources so that the technology works in the national language and serves the public sector. The data protection regulator, the State Data Protection Inspectorate (VDAI), supervises the privacy dimension that runs through almost every AI deployment.
Why it matters
Lithuania matters as a worked example of how a small, digitally ambitious EU state can implement pan-European rules early and turn compliance into a competitive position rather than a burden. For organisations deploying AI in or into Lithuania, the practical significance is that the enforcement structure is already settled and operational, so there is a clear authority to deal with rather than the uncertainty that lingers in member states still finalising designations.
The choice of the RRT as market surveillance authority is itself informative. Rather than create a new AI regulator, Lithuania assigned the role to its established communications and market-surveillance body, which already runs product-safety style oversight. This means AI systems entering the Lithuanian market face a familiar conformity and enforcement logic, and the open question the ministry itself has flagged is how responsibilities are divided between the RRT and existing sectoral authorities for areas such as finance, health and data protection.
The sandbox and infrastructure programmes raise the stakes for businesses that engage early. The Innovation Agency sandbox offers structured guidance, an AI Academy curriculum and access to high-performance computing, and the RRT participates so that relationships formed there can ease the path to later certification. The LitAI AI Factory and the national investment in Lithuanian-language resources signal that the state wants domestic models trained and hosted locally, which shapes expectations around data governance, sovereignty and where sensitive workloads should run.
How it works
The dual-layer structure
The substantive rules come from the EU AI Act (Regulation 2024/1689), which classifies AI by risk and sets the duties for prohibited practices, high-risk systems, transparency and general-purpose models. Lithuania's national law does not rewrite these. Through amendments adopted by the Seimas on 14 January 2025 to the Law on Technology and Innovation and the Law on Information Society Services, it allocates the supervisory roles the Act requires and connects AI oversight to the existing market-surveillance system.
Who supervises what
The Communications Regulatory Authority (RRT) is the market surveillance authority and the single point of contact for the European Commission. It is responsible for ensuring that AI systems placed on the market, and the products they are embedded in, remain reliable and safe, and it can investigate, order corrective action, require withdrawal or recall, and impose penalties where systems are non-compliant. The Innovation Agency is the notifying authority: it assesses and designates the notified bodies (companies, research and academic institutions) that carry out conformity assessment and certification of high-risk AI systems, and it also runs the national sandbox. The State Data Protection Inspectorate (VDAI) supervises the data-protection dimension under the GDPR and Lithuania's implementing law, and has published guidance, including an FAQ for organisations starting with AI systems, stressing GDPR compliance and expert involvement. The ministry has openly noted that the main outstanding task is dividing functions cleanly between the RRT as national competent authority and the existing sectoral market surveillance authorities.
The regulatory sandbox
Lithuania is among the first EU states to stand up an AI regulatory sandbox, operated by the Innovation Agency with the RRT participating in oversight. It provides a controlled environment for micro, small and medium enterprises to develop, test and refine AI systems before market entry. The programme runs on multiple levels: public consultations and open guidance for any business, and a selective track for developers of high and medium-risk systems. It includes a structured AI Academy covering modules from risk management to data governance, followed by tailored expert consultation, and provides access to high-performance computing resources. EU funding of three million euros was allocated across Lithuanian regions, and the first cohort was expected in the first quarter of 2026. By engaging early, developers can build relationships with the regulator that may smooth later time-limited permissions to test high-risk systems in real conditions before full certification.
Sovereign computing and language resources
Lithuania has tied its regulatory readiness to infrastructure. A national consortium led by Vilnius University won EU co-financing for LitAI, an AI Factory with a total value of 130 million euros, half co-financed by the EuroHPC Joint Undertaking. Hosted at the Lithuanian Radio and Television Centre's VDC3 data centre in Vilnius and expected to begin operating in the first quarter of 2027, it is intended to give the country sovereign, AI-optimised high-performance computing for both national and European needs, with more than 80 services spanning computing, data storage and innovation support. Separately, between 2021 and 2026 the Ministry of the Economy and Innovation allocated 42.35 million euros to develop 23 Lithuanian-language AI resources for business, and the government established GovAI, a public-sector AI competence centre offering consulting, training and sandbox opportunities.
Timeline and penalties
The EU AI Act's obligations apply in phases: prohibited practices and AI literacy duties from February 2025, general-purpose model rules from August 2025, and high-risk system obligations from August 2026, with remaining provisions following by August 2027. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so these dates should be read as the current legal position rather than a settled certainty. Penalties are set at EU level and enforced nationally by the RRT, reaching up to 35 million euros or 7 percent of worldwide annual turnover for the most serious breaches such as deploying prohibited practices, with lower tiers for other non-compliance and for supplying misleading information to the regulator.
Examples
A medtech startup developing a high-risk diagnostic tool applies to the Innovation Agency sandbox. It works through the AI Academy modules on risk management and data governance, then receives tailored consultation while testing the system with access to high-performance computing. Because the RRT participates in the sandbox, the startup builds an early relationship with the market surveillance authority, and when it later seeks conformity assessment it engages a notified body that the Innovation Agency has designated, smoothing its path to placing a certified product across the European Economic Area.
A multinational deploying a customer-service AI in Lithuania treats the RRT as its single point of contact for AI Act market-surveillance questions, while recognising that the VDAI supervises the personal-data processing the system relies on. Following the VDAI's published guidance, it documents a lawful basis for processing, informs callers before any recording, applies data minimisation and ensures meaningful human review is available where the system materially affects individuals.
A public-sector body building a Lithuanian-language assistant draws on the state-funded Lithuanian-language AI resources and engages GovAI for methodological support and a sandbox slot. It plans to run sensitive workloads on the LitAI national infrastructure once operational, keeping data within sovereign computing capacity rather than relying solely on offshore commercial services, and coordinates with the RRT and VDAI on transparency and data-protection duties.
Common misunderstandings
"Lithuania has its own AI law."
It does not have a standalone substantive AI code. The binding rules are the EU AI Act; Lithuania's January 2025 amendments designate national authorities and connect AI oversight to the existing market-surveillance system.
"A single Lithuanian regulator handles all AI."
Responsibilities are split: the RRT is market surveillance authority and single point of contact, the Innovation Agency is the notifying authority, and the VDAI supervises data protection. The division between the RRT and existing sectoral authorities is still being settled.
"The sandbox is only for large companies."
It is aimed primarily at micro, small and medium enterprises, with open public consultation for any business and a selective track for high and medium-risk system developers.
"Entering the sandbox guarantees certification."
It does not. The sandbox provides guidance, testing and early regulator contact, but high-risk systems still require formal conformity assessment by a notified body designated through the Innovation Agency.
"Designating authorities early means all obligations are already in force."
Lithuania designated its authorities early, but the AI Act's substantive duties still phase in on the EU timeline through to 2027, and some high-risk dates may be affected by the proposed EU digital Omnibus.
Risks and boundaries
Lithuania's framework is an implementation and enforcement layer over the EU AI Act, not a separate rulebook, so reading the national amendments in isolation will mislead: the substantive duties, definitions and risk classes are set at EU level. The most live uncertainty, flagged by the ministry itself, is the precise division of functions between the RRT as national competent authority and existing sectoral market surveillance authorities for areas such as financial services, health and data protection, so the supervising body for a given high-risk use case is not always settled in advance.
The phased timeline (February 2025 through August 2027) is the current legal position but is exposed to the proposed EU digital Omnibus, which could defer some high-risk obligations. The sandbox and infrastructure programmes are promotional and developmental, not safe harbours: participation does not waive the Act's requirements, and certification of high-risk systems still depends on formal conformity assessment. Much of the LitAI infrastructure and several funding programmes are recent or not yet operational, with the AI Factory expected to begin only in early 2027, so capabilities described as planned should be treated as such. None of this is legal advice; specific classification and supervisory questions should be confirmed with the RRT, the VDAI or qualified counsel.
What to do next
Treat the RRT as your first point of contact for AI Act market-surveillance questions, and map which of your AI uses may instead fall to a sectoral authority or to the VDAI for data protection, recognising that this division is still being clarified.
If you are developing or testing a high or medium-risk system, apply to the Innovation Agency sandbox early. The AI Academy curriculum, expert consultation and high-performance computing access reduce the cost and time of reaching compliance, and early regulator contact can ease later certification.
For any high-risk system, plan for formal conformity assessment by a notified body designated through the Innovation Agency, and do not treat sandbox participation as a substitute for certification.
Build your data-protection compliance in parallel using the VDAI's published guidance, including documenting a lawful basis, applying data minimisation and ensuring meaningful human oversight where systems materially affect individuals.
If you handle sensitive or sovereign workloads, factor in the LitAI national computing infrastructure and the state-funded Lithuanian-language AI resources as alternatives to offshore commercial services, while noting the AI Factory is not expected to operate until early 2027.
Track the EU phased timeline and the proposed digital Omnibus, since the high-risk obligations most relevant to many deployers fall in the 2026 to 2027 window and some dates may move.
FAQs
Does Lithuania have its own AI law?
The substantive rules come from the EU AI Act. Lithuania's January 2025 amendments to the Law on Technology and Innovation and the Law on Information Society Services designate national authorities rather than create separate AI rules.
Who is the AI regulator in Lithuania?
The Communications Regulatory Authority (RRT) is the market surveillance authority and single point of contact. The Innovation Agency is the notifying authority, and the State Data Protection Inspectorate (VDAI) supervises data protection.
Was Lithuania early to implement the AI Act?
Yes. It was among the first three EU member states to designate both the market surveillance authority and the notifying authority, doing so in January 2025.
What is the Lithuanian AI sandbox?
An AI regulatory sandbox run by the Innovation Agency with RRT participation, aimed at small and medium enterprises. It offers an AI Academy curriculum, expert consultation and access to high-performance computing, with the first cohort expected in early 2026.
What is LitAI?
A national AI Factory worth 130 million euros, half co-financed by the EuroHPC Joint Undertaking, led by Vilnius University and hosted in Vilnius. It is intended to provide sovereign AI computing and is expected to begin operating in early 2027.
What are the penalties for breaching the AI Act in Lithuania?
Penalties are set at EU level and enforced by the RRT, reaching up to 35 million euros or 7 percent of worldwide annual turnover for the most serious breaches, with lower tiers for other non-compliance.
Does entering the sandbox mean my system is certified?
No. The sandbox provides guidance, testing and regulator contact, but high-risk systems still require formal conformity assessment by a notified body designated through the Innovation Agency.