Liechtenstein’s national strategy for protection against cyber risks 2025

February 2025

View the original document

Strategies and Action Plans

Liechtenstein’s National Strategy for Protection Against Cyber Risks 2025, effective from 1 February 2025, builds upon the previous national strategy (2020–2024) and reflects updated threats, technological advances, and the enactment of Liechtenstein’s Cyber Security Act (CSG). It aims to protect the country from cyber risks by ensuring that stakeholders across all sectors are aware, resilient, networked, and engaged.

Cyber risks are broadly defined to include threats to information and communication technologies (ICT), affecting the availability, integrity, authenticity, and confidentiality of data and systems. These risks also impact intangible assets like reputation and public trust.

Vision

Liechtenstein envisions a digitally advanced society where all areas—population, economy, and administration—benefit from secure digitalisation. The strategy underscores resilience, trust, personal responsibility, and collaboration, supporting the country’s continued attractiveness and stability.

Key stakeholders

The strategy addresses four broad stakeholder groups:

  • Population: All residents and workers in Liechtenstein.
  • Economy and financial centre: All businesses, including SMEs and financial institutions, which are critical to the national infrastructure.
  • Critical infrastructures: Entities whose failure would significantly impact public order, safety, health, or economic stability.
  • Government bodies: Including the Princely House, Parliament, government agencies, courts, and municipalities.

Goals

The strategy sets out four overarching goals:

  1. Risk awareness: All stakeholders know their cyber risks and monitor how they evolve.
  2. Resilience: Stakeholders take preventive and responsive measures to limit impact.
  3. Networking: Cooperation within and beyond national borders to tackle cyber risks.
  4. Active contribution: Each stakeholder takes appropriate, responsible action.

Core principles

The strategy is guided by five core principles:

  • Informing, educating, and raising awareness at all societal levels.
  • Pooling and strengthening resources through cooperation and dialogue.
  • Cross-border cooperation to tackle transnational cyber threats.
  • Efficiency and effectiveness in the use of resources and actions.
  • Measurable implementation through monitoring and evaluation frameworks.

Five strategic fields of activity

  1. Knowing risks and developments
    Includes periodic threat assessments, promoting information exchange, and supporting research and education. Liechtenstein aims to maintain updated situational awareness and share it with stakeholders.
  2. Informing, raising awareness, and networking
    Especially targets the population and SMEs. Actions include awareness campaigns, educational programs, public-private partnerships, and platforms for secure information sharing.
  3. Protecting essential and important entities
    Focuses on critical infrastructures. Involves promoting cyber hygiene, information sharing, supervisory activities, and the adoption of advanced technologies like AI for risk mitigation.
  4. Protecting the financial centre
    Recognises the high regulatory expectations and systemic importance of the financial sector. Supports secure communication, sharing of cyber threat intelligence, and promoting operational resilience.
  5. Overcoming crises
    Establishes a national crisis response organisation, supports stakeholders during cyber crises, promotes simulation exercises, and fosters transnational cooperation during incidents.

Implementation framework

  • National Cyber Security Unit (NCSU) coordinates the strategy’s implementation.
  • Advisory Board: A flexible, non-binding expert group supports strategy implementation by offering insights from practice and research.
  • Implementation and Action Plan: To be developed separately, detailing measures, resource allocation, and regulatory steps.

Validity and review

The strategy is valid from 1 February 2025 and will be evaluated within five years based on key performance indicators (KPIs). Updates will be made as necessary to respond to evolving risks and technologies