Artificial Intelligence · Luxembourg
AI regulation in Luxembourg (2026)
Luxembourg shaded by its artificial intelligence status
As an EU member state, Luxembourg is governed by the directly-applicable EU AI Act (Regulation (EU) 2024/1689), whose phased obligations are already in force (prohibited practices since 2 February 2025; general-purpose AI rules since 2 August 2025). National Bill of Law No. 8476, tabled on 23 December 2024, designates the competent national authorities and administrative penalties but had not yet been adopted by the Chamber of Deputies as of early 2026. The bill makes the data-protection regulator (CNPD) the lead authority, with sectoral regulators retaining oversight within their existing remits.
Key points
Regulation (EU) 2024/1689 applies directly in Luxembourg with no transposition needed. Its obligations phase in over time: prohibited AI practices banned from 2 February 2025, GPAI governance from 2 August 2025, high-risk obligations from 2 August 2026, and remaining provisions from 2 August 2027.
Tabled in Parliament on 23 December 2024, the bill designates competent authorities, sets enforcement/procedural rules and administrative penalties, and mandates regulatory sandboxes. It remained under discussion and not yet adopted by the Chamber of Deputies as of early 2026.
The National Commission for Data Protection (Commission nationale pour la protection des données, CNPD) is designated as the default market surveillance authority and single point of contact, coordinating across the other sectoral market surveillance authorities.
Existing regulators retain oversight within their remits: the CSSF for AI in financial services, the Commissariat aux Assurances for insurance, the ALIA for transparency of AI-generated synthetic media, and a Judicial Supervisory Authority for AI used by courts and prosecution.
Administrative fines of up to EUR 35 million or 7% of total worldwide annual turnover apply for prohibited AI practices, and up to EUR 15 million or 3% of turnover for breaches of high-risk AI system obligations.
Luxembourg's National Artificial Intelligence Strategy (2025) underpins its 'Accelerating Digital Sovereignty 2030' agenda alongside the National Data Strategy, and the implementing bill requires market surveillance authorities to set up AI regulatory sandboxes as controlled testing environments.
Timeline - major decisions & events
Minister Elisabeth Margue and the CNPD convened stakeholders to bridge AI Act policy and practice, signalling the move from legislation to operational enforcement as the national supervisory architecture takes shape. It marks Luxembourg's shift toward active oversight ahead of the high-risk regime in August 2026.
Luxembourg Government (gouvernement.lu) ↗The data protection authority's annual report formalised AI governance as a core supervisory priority, reflecting its expanded mandate as Luxembourg's prospective national AI authority. It documents the regulator's pivot from pure GDPR enforcement toward AI Act readiness.
CNPD ↗New EU AI Act obligations (notably for general-purpose AI models) became applicable, the date by which member states had to designate competent authorities. Luxembourg's CNPD is positioned as the default market surveillance authority and single point of contact.
CNPD ↗Ministers Margue, Obertin and Delles presented coordinated national strategies on data, AI and quantum, with the AI strategy targeting trustworthy, human-centric AI, a national AI Factory, regulatory sandboxes and sector adoption. It sets Luxembourg's policy roadmap and budget commitments through 2030.
Luxembourg Government (gouvernement.lu) ↗As an EU member, Luxembourg became bound by the AI Act's prohibitions on 'unacceptable risk' practices (e.g. social scoring, subliminal manipulation) and operator AI-literacy requirements. The CNPD issued thematic guidance on the impact of prohibited systems on data protection.
CNPD ↗The government tabled draft law n°8476 to supplement the EU AI Act, naming the CNPD as default market surveillance authority and coordinator of sectoral regulators, with administrative penalties for non-compliance. It chose to extend existing bodies rather than create a new regulator.
CNPD ↗The government released its first national AI strategy, framing a human-centric, ethics-led and data-driven vision aligned with EU values. It laid the foundational policy direction later built upon by the 2025 'Digital Sovereignty 2030' strategy.
Luxembourg Government (gouvernement.lu) ↗Luxembourg joined the OECD Recommendation on Artificial Intelligence, committing to trustworthy, human-centric AI principles. This international anchor shaped the country's subsequent alignment with the EU's trustworthy-AI agenda.
OECD ↗The law of 1 August 2018 organised the CNPD and implemented the GDPR nationally, granting broad investigatory powers. This data-protection foundation became the institutional base from which Luxembourg later built its AI supervisory mandate.
CNPD / Official Gazette (Mémorial A) ↗Luxembourg - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →