Skip to content
World Watch/Luxembourg/Artificial Intelligence

Artificial Intelligence Β· Luxembourg

AI regulation in Luxembourg: the EU AI Act (2026)

Comprehensive lawEU Artificial Intelligence Act (Regulation (EU) 2024/1689), directly applicable in Luxembourg, supplemented by national implementing Bill of Law No. 8476 (designating competent authorities and penalties; still pending adoption). National AI Strategy (2025) provides the policy framework.Country index 90 Β· A+

Luxembourg shaded by its artificial intelligence status

AI in Luxembourg: comprehensive law, anchored by EU Artificial Intelligence Act (Regulation (EU) 2024/1689), directly applicable in Luxembourg, supplemented by national implementing Bill of Law No. 8476 (designating competent authorities and penalties; still pending adoption). National AI Strategy (2025) provides the policy framework..

As an EU member state, Luxembourg is governed by the directly-applicable EU AI Act (Regulation (EU) 2024/1689), whose phased obligations are already in force (prohibited practices since 2 February 2025; general-purpose AI rules since 2 August 2025). National Bill of Law No. 8476, tabled on 23 December 2024, designates the competent national authorities and administrative penalties but had not yet been adopted by the Chamber of Deputies as of early 2026. The bill makes the data-protection regulator (CNPD) the lead authority, with sectoral regulators retaining oversight within their existing remits.

The EU AI Act in Luxembourg

In Luxembourg, artificial intelligence is governed by the EU AI Act, the first comprehensive AI law, which applies directly as an EU regulation.

Framework
the EU AI Act (Regulation (EU) 2024/1689)
Approach
risk-based: unacceptable-risk AI is banned, high-risk AI faces strict duties, limited-risk AI has transparency rules
General-purpose AI
transparency duties for all GPAI models; systemic-risk models add safety and evaluation obligations
Timeline
phased: prohibitions from Feb 2025, GPAI rules from Aug 2025, most high-risk obligations from Aug 2026
Maximum fine
€35 million or 7% of global annual turnover for prohibited-AI breaches
Oversight
national market-surveillance authorities, coordinated by the EU AI Office

The AI Act is an EU regulation applied directly in Luxembourg; national market-surveillance authorities handle enforcement.

The EU AI Act in Luxembourg: FAQ

Does the EU AI Act apply in Luxembourg?

Yes. As an EU member, Luxembourg is covered by the EU AI Act (Regulation (EU) 2024/1689), which applies directly.

What does the EU AI Act regulate in Luxembourg?

It uses a risk-based approach: unacceptable-risk AI is banned, high-risk AI faces strict obligations, and general-purpose AI models carry transparency duties.

When does the EU AI Act take effect in Luxembourg?

It is phased: prohibitions applied from February 2025, general-purpose-AI rules from August 2025, and most high-risk obligations from August 2026.

What are the penalties under the EU AI Act in Luxembourg?

Up to €35 million or 7% of global annual turnover for breaching the prohibited-AI rules, with lower tiers for other breaches.

Key points

EU AI Act is the binding baseline

Regulation (EU) 2024/1689 applies directly in Luxembourg with no transposition needed. Its obligations phase in over time: prohibited AI practices banned from 2 February 2025, GPAI governance from 2 August 2025, high-risk obligations from 2 August 2026, and remaining provisions from 2 August 2027.

National implementing Bill No. 8476

Tabled in Parliament on 23 December 2024, the bill designates competent authorities, sets enforcement/procedural rules and administrative penalties, and mandates regulatory sandboxes. It remained under discussion and not yet adopted by the Chamber of Deputies as of early 2026.

CNPD as lead authority

The National Commission for Data Protection (Commission nationale pour la protection des donnΓ©es, CNPD) is designated as the default market surveillance authority and single point of contact, coordinating across the other sectoral market surveillance authorities.

Sectoral market surveillance authorities

Existing regulators retain oversight within their remits: the CSSF for AI in financial services, the Commissariat aux Assurances for insurance, the ALIA for transparency of AI-generated synthetic media, and a Judicial Supervisory Authority for AI used by courts and prosecution.

Penalties under the AI Act

Administrative fines of up to EUR 35 million or 7% of total worldwide annual turnover apply for prohibited AI practices, and up to EUR 15 million or 3% of turnover for breaches of high-risk AI system obligations.

National AI strategy and innovation

Luxembourg's National Artificial Intelligence Strategy (2025) underpins its 'Accelerating Digital Sovereignty 2030' agenda alongside the National Data Strategy, and the implementing bill requires market surveillance authorities to set up AI regulatory sandboxes as controlled testing environments.

Timeline - major decisions & events

Jan 20, 2026guidanceofficial
Government and CNPD host 'AI Act in Action' conference on implementation

Minister Elisabeth Margue and the CNPD convened stakeholders to bridge AI Act policy and practice, signalling the move from legislation to operational enforcement as the national supervisory architecture takes shape. It marks Luxembourg's shift toward active oversight ahead of the high-risk regime in August 2026.

Luxembourg Government (gouvernement.lu) β†—
Sep 1, 2025guidanceofficial
CNPD 2024 annual report puts AI at the heart of its mission

The data protection authority's annual report formalised AI governance as a core supervisory priority, reflecting its expanded mandate as Luxembourg's prospective national AI authority. It documents the regulator's pivot from pure GDPR enforcement toward AI Act readiness.

CNPD β†—
Aug 2, 2025lawofficial
AI Act obligations on general-purpose AI and governance take effect

New EU AI Act obligations (notably for general-purpose AI models) became applicable, the date by which member states had to designate competent authorities. Luxembourg's CNPD is positioned as the default market surveillance authority and single point of contact.

CNPD β†—
May 19, 2025guidanceofficial
Luxembourg launches national AI strategy 'Accelerating Digital Sovereignty 2030'

Ministers Margue, Obertin and Delles presented coordinated national strategies on data, AI and quantum, with the AI strategy targeting trustworthy, human-centric AI, a national AI Factory, regulatory sandboxes and sector adoption. It sets Luxembourg's policy roadmap and budget commitments through 2030.

Luxembourg Government (gouvernement.lu) β†—
Feb 2, 2025lawofficial
First AI Act bans and AI-literacy duties become applicable in Luxembourg

As an EU member, Luxembourg became bound by the AI Act's prohibitions on 'unacceptable risk' practices (e.g. social scoring, subliminal manipulation) and operator AI-literacy requirements. The CNPD issued thematic guidance on the impact of prohibited systems on data protection.

CNPD β†—
Dec 23, 2024lawofficial
Bill 8476 designates the CNPD as national AI authority

The government tabled draft law nΒ°8476 to supplement the EU AI Act, naming the CNPD as default market surveillance authority and coordinator of sectoral regulators, with administrative penalties for non-compliance. It chose to extend existing bodies rather than create a new regulator.

CNPD β†—
May 24, 2019guidanceofficial
Luxembourg publishes 'Artificial Intelligence: a strategic vision'

The government released its first national AI strategy, framing a human-centric, ethics-led and data-driven vision aligned with EU values. It laid the foundational policy direction later built upon by the 2025 'Digital Sovereignty 2030' strategy.

Luxembourg Government (gouvernement.lu) β†—
May 22, 2019guidanceofficial
Luxembourg adheres to the OECD AI Principles

Luxembourg joined the OECD Recommendation on Artificial Intelligence, committing to trustworthy, human-centric AI principles. This international anchor shaped the country's subsequent alignment with the EU's trustworthy-AI agenda.

OECD β†—
Aug 1, 2018lawofficial
Luxembourg Data Protection Law establishes the CNPD and GDPR framework

The law of 1 August 2018 organised the CNPD and implemented the GDPR nationally, granting broad investigatory powers. This data-protection foundation became the institutional base from which Luxembourg later built its AI supervisory mandate.

CNPD / Official Gazette (MΓ©morial A) β†—

Luxembourg - other topics

Artificial Intelligence in other countries

Last verified 5/23/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β†’