Artificial Intelligence - Luxembourg

Regulation (EU) 2024/1689 applies directly in Luxembourg with no transposition needed. Its obligations phase in over time: prohibited AI practices banned from 2 February 2025, GPAI governance from 2 August 2025, high-risk obligations from 2 August 2026, and remaining provisions from 2 August 2027.

Tabled in Parliament on 23 December 2024, the bill designates competent authorities, sets enforcement/procedural rules and administrative penalties, and mandates regulatory sandboxes. It remained under discussion and not yet adopted by the Chamber of Deputies as of early 2026.

The National Commission for Data Protection (Commission nationale pour la protection des données, CNPD) is designated as the default market surveillance authority and single point of contact, coordinating across the other sectoral market surveillance authorities.

Existing regulators retain oversight within their remits: the CSSF for AI in financial services, the Commissariat aux Assurances for insurance, the ALIA for transparency of AI-generated synthetic media, and a Judicial Supervisory Authority for AI used by courts and prosecution.

Administrative fines of up to EUR 35 million or 7% of total worldwide annual turnover apply for prohibited AI practices, and up to EUR 15 million or 3% of turnover for breaches of high-risk AI system obligations.

Luxembourg's National Artificial Intelligence Strategy (2025) underpins its 'Accelerating Digital Sovereignty 2030' agenda alongside the National Data Strategy, and the implementing bill requires market surveillance authorities to set up AI regulatory sandboxes as controlled testing environments.