Skip to content
World Watch/Luxembourg/Cybersecurity

Cybersecurity · Luxembourg

Cybersecurity law in Luxembourg: NIS2 compliance (2026)

Comprehensive lawLaw of 5 May 2026 on measures to ensure a high level of cybersecurity (transposing EU Directive 2022/2555, 'NIS2'); supervised by the Institut Luxembourgeois de Régulation (ILR), with the CSSF as competent authority for the financial sector and the Haut-Commissariat à la Protection nationale (HCPN) as strategic coordinator and single point of contact.Country index 90 · A+

Luxembourg shaded by its cybersecurity status

Cybersecurity in Luxembourg: comprehensive law, anchored by Law of 5 May 2026 on measures to ensure a high level of cybersecurity (transposing EU Directive 2022/2555, 'NIS2'); supervised by the Institut Luxembourgeois de Régulation (ILR), with the CSSF as competent authority for the financial sector and the Haut-Commissariat à la Protection nationale (HCPN) as strategic coordinator and single point of contact..

Luxembourg has a comprehensive, cross-sector cybersecurity regime built on the Law of 5 May 2026, which transposed the EU NIS2 Directive (replacing the prior NIS1 law) and entered into force on 10 May 2026. The ILR is the lead competent authority for most sectors, while the CSSF (with the Commissariat aux Assurances) supervises the financial sector under the directly applicable EU DORA Regulation. Essential and important entities face risk-management, governance and tiered incident-reporting duties, backed by fines up to EUR 10 million or 2% of global turnover.

NIS2 & cybersecurity law in Luxembourg

In Luxembourg, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to €10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Luxembourg implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Luxembourg: FAQ

Does NIS2 apply in Luxembourg?

Yes. As an EU member, Luxembourg has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Luxembourg?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Luxembourg?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Luxembourg?

Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Comprehensive NIS2 law in force

The Law of 5 May 2026 'concerning measures to ensure a high level of cybersecurity' transposed Directive (EU) 2022/2555 (NIS2), was published in the Journal officiel on 6 May 2026 and entered into force on 10 May 2026, repealing the earlier NIS1 act. It originated as Bill 8364, after Luxembourg missed the 17 October 2024 EU deadline (Commission reasoned opinion of 7 May 2025).

Competent authorities

The ILR (Institut Luxembourgeois de Régulation) is the operational supervisory authority for the majority of NIS2 sectors (energy, transport, water, digital services, etc.), the CSSF supervises banking and financial market infrastructure, and the HCPN handles national strategy, crisis management and acts as single point of contact for cross-border cooperation.

Self-classification and registration

Entities must self-assess whether they qualify as 'essential' or 'important' entities (authorities no longer designate them individually) and register via the ILR's self-registration portal, which opened in April 2026; ILR inspections are expected from January 2027.

Incident-reporting / breach-notification duties

For significant incidents NIS2 imposes a phased duty: an early warning to the competent authority within 24 hours, a formal incident notification within 72 hours, and a final report within one month. The two designated national CSIRTs are GOVCERT.LU (state bodies, public establishments and critical entities) and CIRCL (all other entities).

Financial sector overlay (DORA)

Financial entities are governed by the directly applicable EU DORA Regulation (2022/2554), in application since 17 January 2025, with the CSSF and the Commissariat aux Assurances as competent authorities; major ICT-related incidents and significant cyber threats are reported to the CSSF via dedicated eDesk procedures.

Governance duties and sanctions

Management bodies must approve and oversee cybersecurity risk-management measures and undergo mandatory training. Administrative fines reach up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities.

Timeline - major decisions & events

May 10, 2026lawofficial
NIS2 transposition law enters into force

The Law of 5 May 2026 on measures to ensure a high level of cybersecurity transposed EU Directive 2022/2555 (NIS2), expanding obligations (risk management, 24-hour incident reporting, management-body liability) from ~1,000 to an estimated 6,000-8,000 entities. ILR is the lead competent authority; fines reach €10M or 2% of worldwide turnover for essential entities.

ILR (Institut Luxembourgeois de Régulation)
Apr 1, 2026guidanceofficial
ILR opens single NIS2 self-registration portal

Ahead of the law's entry into force, ILR launched the single self-registration portal for essential and important entities, with on-site inspections planned from January 2027. It operationalizes Luxembourg's NIS2 supervision framework.

ILR
Apr 9, 2025guidanceofficial
CSSF aligns ICT/outsourcing circulars with DORA

The CSSF published circulars (incl. 25/880, 25/882, 25/883) updating Luxembourg's national ICT-risk and outsourcing framework to dovetail with the directly applicable DORA regime, including registers of ICT third-party arrangements.

CSSF
Jan 17, 2025lawofficial
DORA enters into application in the financial sector

The EU Digital Operational Resilience Act (Regulation 2022/2554) became directly applicable, placing the CSSF at the centre of Luxembourg's framework for ICT risk management, incident reporting, resilience testing and third-party oversight for financial entities.

CSSF
Mar 13, 2024lawofficial
NIS2 draft law (Projet de loi 8364) deposited

The government tabled the bill transposing NIS2 in the Chamber of Deputies, beginning the parliamentary process that would replace the 2019 NIS regime; Luxembourg ultimately missed the 17 October 2024 EU deadline.

Chambre des Députés
Jul 16, 2021enforcement
CNPD issues record €746M GDPR fine against Amazon

Luxembourg's data protection authority fined Amazon €746 million over consent for personalised advertising, the largest GDPR penalty to date, underscoring the CNPD's role enforcing data-security and privacy obligations; the fine was later overturned by a Luxembourg court in 2026 and remanded.

National Law Review (reporting CNPD decision)
Feb 12, 2021guidanceofficial
Luxembourg presents its first Cyber Defence Strategy

Defence Minister François Bausch unveiled the country's inaugural national cyber defence strategy, formalizing the armed forces' role in cyberspace alongside the civilian cybersecurity framework.

Government of Luxembourg
Jan 1, 2021guidanceofficial
National Cybersecurity Strategy IV adopted

The HCPN published the fourth national cybersecurity strategy (2021-2025), building on prior strategies to strengthen resilience, trust in digital tools, and the national cybersecurity ecosystem.

HCPN
May 28, 2019lawofficial
NIS Directive transposed (Law of 28 May 2019)

Luxembourg's first dedicated cybersecurity law transposed EU Directive 2016/1148 (NIS1), imposing security and incident-notification duties on operators of essential services and digital service providers, and designating ILR (and CSSF for finance) as competent authorities.

Légilux (Journal officiel)
Jan 1, 2018guidanceofficial
National Cybersecurity Strategy III published

The third national strategy refreshed Luxembourg's cybersecurity priorities, deepening protection of critical infrastructure and the digital economy ahead of EU NIS implementation.

HCPN
Jan 1, 2015guidanceofficial
ANSSI established under second national strategy

Luxembourg's second cybersecurity strategy created the National Agency for the Security of Information Systems (ANSSI), housed within the HCPN, to set state information-security policy and support administrations and critical operators.

NATO CCDCOE
Jan 1, 2012guidanceofficial
First National Cybersecurity Strategy and Government CERT

Luxembourg's inaugural cybersecurity strategy established the Government CERT (GOVCERT.LU) and set the foundational axes, infrastructure protection, legal framework, international cooperation, awareness and security standards, that shape today's governance.

Government of Luxembourg (Infocrise)

Luxembourg - other topics

Cybersecurity in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →