Artificial Intelligence Β· Luxembourg
AI regulation in Luxembourg: the EU AI Act (2026)
Luxembourg shaded by its artificial intelligence status
AI in Luxembourg: comprehensive law, anchored by EU Artificial Intelligence Act (Regulation (EU) 2024/1689), directly applicable in Luxembourg, supplemented by national implementing Bill of Law No. 8476 (designating competent authorities and penalties; still pending adoption). National AI Strategy (2025) provides the policy framework..
As an EU member state, Luxembourg is governed by the directly-applicable EU AI Act (Regulation (EU) 2024/1689), whose phased obligations are already in force (prohibited practices since 2 February 2025; general-purpose AI rules since 2 August 2025). National Bill of Law No. 8476, tabled on 23 December 2024, designates the competent national authorities and administrative penalties but had not yet been adopted by the Chamber of Deputies as of early 2026. The bill makes the data-protection regulator (CNPD) the lead authority, with sectoral regulators retaining oversight within their existing remits.
The EU AI Act in Luxembourg
In Luxembourg, artificial intelligence is governed by the EU AI Act, the first comprehensive AI law, which applies directly as an EU regulation.
- Framework
- the EU AI Act (Regulation (EU) 2024/1689)
- Approach
- risk-based: unacceptable-risk AI is banned, high-risk AI faces strict duties, limited-risk AI has transparency rules
- General-purpose AI
- transparency duties for all GPAI models; systemic-risk models add safety and evaluation obligations
- Timeline
- phased: prohibitions from Feb 2025, GPAI rules from Aug 2025, most high-risk obligations from Aug 2026
- Maximum fine
- β¬35 million or 7% of global annual turnover for prohibited-AI breaches
- Oversight
- national market-surveillance authorities, coordinated by the EU AI Office
The AI Act is an EU regulation applied directly in Luxembourg; national market-surveillance authorities handle enforcement.
The EU AI Act in Luxembourg: FAQ
Yes. As an EU member, Luxembourg is covered by the EU AI Act (Regulation (EU) 2024/1689), which applies directly.
It uses a risk-based approach: unacceptable-risk AI is banned, high-risk AI faces strict obligations, and general-purpose AI models carry transparency duties.
It is phased: prohibitions applied from February 2025, general-purpose-AI rules from August 2025, and most high-risk obligations from August 2026.
Up to β¬35 million or 7% of global annual turnover for breaching the prohibited-AI rules, with lower tiers for other breaches.
Key points
Regulation (EU) 2024/1689 applies directly in Luxembourg with no transposition needed. Its obligations phase in over time: prohibited AI practices banned from 2 February 2025, GPAI governance from 2 August 2025, high-risk obligations from 2 August 2026, and remaining provisions from 2 August 2027.
Tabled in Parliament on 23 December 2024, the bill designates competent authorities, sets enforcement/procedural rules and administrative penalties, and mandates regulatory sandboxes. It remained under discussion and not yet adopted by the Chamber of Deputies as of early 2026.
The National Commission for Data Protection (Commission nationale pour la protection des donnΓ©es, CNPD) is designated as the default market surveillance authority and single point of contact, coordinating across the other sectoral market surveillance authorities.
Existing regulators retain oversight within their remits: the CSSF for AI in financial services, the Commissariat aux Assurances for insurance, the ALIA for transparency of AI-generated synthetic media, and a Judicial Supervisory Authority for AI used by courts and prosecution.
Administrative fines of up to EUR 35 million or 7% of total worldwide annual turnover apply for prohibited AI practices, and up to EUR 15 million or 3% of turnover for breaches of high-risk AI system obligations.
Luxembourg's National Artificial Intelligence Strategy (2025) underpins its 'Accelerating Digital Sovereignty 2030' agenda alongside the National Data Strategy, and the implementing bill requires market surveillance authorities to set up AI regulatory sandboxes as controlled testing environments.
Timeline - major decisions & events
Minister Elisabeth Margue and the CNPD convened stakeholders to bridge AI Act policy and practice, signalling the move from legislation to operational enforcement as the national supervisory architecture takes shape. It marks Luxembourg's shift toward active oversight ahead of the high-risk regime in August 2026.
Luxembourg Government (gouvernement.lu) βThe data protection authority's annual report formalised AI governance as a core supervisory priority, reflecting its expanded mandate as Luxembourg's prospective national AI authority. It documents the regulator's pivot from pure GDPR enforcement toward AI Act readiness.
CNPD βNew EU AI Act obligations (notably for general-purpose AI models) became applicable, the date by which member states had to designate competent authorities. Luxembourg's CNPD is positioned as the default market surveillance authority and single point of contact.
CNPD βMinisters Margue, Obertin and Delles presented coordinated national strategies on data, AI and quantum, with the AI strategy targeting trustworthy, human-centric AI, a national AI Factory, regulatory sandboxes and sector adoption. It sets Luxembourg's policy roadmap and budget commitments through 2030.
Luxembourg Government (gouvernement.lu) βAs an EU member, Luxembourg became bound by the AI Act's prohibitions on 'unacceptable risk' practices (e.g. social scoring, subliminal manipulation) and operator AI-literacy requirements. The CNPD issued thematic guidance on the impact of prohibited systems on data protection.
CNPD βThe government tabled draft law nΒ°8476 to supplement the EU AI Act, naming the CNPD as default market surveillance authority and coordinator of sectoral regulators, with administrative penalties for non-compliance. It chose to extend existing bodies rather than create a new regulator.
CNPD βThe government released its first national AI strategy, framing a human-centric, ethics-led and data-driven vision aligned with EU values. It laid the foundational policy direction later built upon by the 2025 'Digital Sovereignty 2030' strategy.
Luxembourg Government (gouvernement.lu) βLuxembourg joined the OECD Recommendation on Artificial Intelligence, committing to trustworthy, human-centric AI principles. This international anchor shaped the country's subsequent alignment with the EU's trustworthy-AI agenda.
OECD βThe law of 1 August 2018 organised the CNPD and implemented the GDPR nationally, granting broad investigatory powers. This data-protection foundation became the institutional base from which Luxembourg later built its AI supervisory mandate.
CNPD / Official Gazette (MΓ©morial A) βLuxembourg - other topics
Artificial Intelligence in other countries
Last verified 5/23/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β