Cybersecurity regulation in Luxembourg (2026)
Luxembourg has a comprehensive, cross-sector cybersecurity regime built on the Law of 5 May 2026, which transposed the EU NIS2 Directive (replacing the prior NIS1 law) and entered into force on 10 May 2026. The ILR is the lead competent authority for most sectors, while the CSSF (with the Commissariat aux Assurances) supervises the financial sector under the directly applicable EU DORA Regulation. Essential and important entities face risk-management, governance and tiered incident-reporting duties, backed by fines up to EUR 10 million or 2% of global turnover.
Key points
The Law of 5 May 2026 'concerning measures to ensure a high level of cybersecurity' transposed Directive (EU) 2022/2555 (NIS2), was published in the Journal officiel on 6 May 2026 and entered into force on 10 May 2026, repealing the earlier NIS1 act. It originated as Bill 8364, after Luxembourg missed the 17 October 2024 EU deadline (Commission reasoned opinion of 7 May 2025).
The ILR (Institut Luxembourgeois de Régulation) is the operational supervisory authority for the majority of NIS2 sectors (energy, transport, water, digital services, etc.), the CSSF supervises banking and financial market infrastructure, and the HCPN handles national strategy, crisis management and acts as single point of contact for cross-border cooperation.
Entities must self-assess whether they qualify as 'essential' or 'important' entities (authorities no longer designate them individually) and register via the ILR's self-registration portal, which opened in April 2026; ILR inspections are expected from January 2027.
For significant incidents, NIS2 imposes a phased duty: an early warning to the competent authority within 24 hours, a formal incident notification within 72 hours, and a final report within one month. The two designated national CSIRTs are GOVCERT.LU (state bodies, public establishments and critical entities) and CIRCL (all other entities).
Financial entities are governed by the directly applicable EU DORA Regulation (2022/2554), in application since 17 January 2025, with the CSSF and the Commissariat aux Assurances as competent authorities; major ICT-related incidents and significant cyber threats are reported to the CSSF via dedicated eDesk procedures.
Management bodies must approve and oversee cybersecurity risk-management measures and undergo mandatory training. Administrative fines reach up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities.
Timeline - major decisions & events
The Law of 5 May 2026 on measures to ensure a high level of cybersecurity transposed EU Directive 2022/2555 (NIS2), expanding obligations (risk management, 24-hour incident reporting, management-body liability) from roughly 1,000 to an estimated 6,000–8,000 entities. ILR is the lead competent authority; fines reach EUR 10 million or 2% of worldwide turnover for essential entities. (Source: ILR, Institut Luxembourgeois de Régulation)
Ahead of the law's entry into force, ILR launched the single self-registration portal for essential and important entities, with on-site inspections planned from January 2027. This operationalizes Luxembourg's NIS2 supervision framework. (Source: ILR)
The CSSF published circulars (including 25/880, 25/882 and 25/883) updating Luxembourg's national ICT-risk and outsourcing framework to dovetail with the directly applicable DORA regime, including registers of ICT third-party arrangements. (Source: CSSF)
The EU Digital Operational Resilience Act (Regulation 2022/2554) became directly applicable, placing the CSSF at the centre of Luxembourg's framework for ICT risk management, incident reporting, resilience testing and third-party oversight for financial entities. (Source: CSSF)
The government tabled the bill transposing NIS2 in the Chamber of Deputies, beginning the parliamentary process that would replace the 2019 NIS regime; Luxembourg ultimately missed the 17 October 2024 EU deadline. (Source: Chambre des Députés)
Luxembourg's data protection authority, the CNPD, fined Amazon EUR 746 million over consent for personalised advertising — the largest GDPR penalty to date — underscoring the CNPD's role in enforcing data-security and privacy obligations; the fine was later overturned by a Luxembourg court in 2026 and remanded. (Source: National Law Review, reporting the CNPD decision)
Defence Minister François Bausch unveiled the country's inaugural national cyber defence strategy, formalizing the armed forces' role in cyberspace alongside the civilian cybersecurity framework. (Source: Government of Luxembourg)
The HCPN published the fourth national cybersecurity strategy (2021–2025), building on prior strategies to strengthen resilience, trust in digital tools, and the national cybersecurity ecosystem. (Source: HCPN)
Luxembourg's first dedicated cybersecurity law transposed EU Directive 2016/1148 (NIS1), imposing security and incident-notification duties on operators of essential services and digital service providers, and designating ILR (and the CSSF for finance) as competent authorities. (Source: Légilux, Journal officiel)
The third national strategy refreshed Luxembourg's cybersecurity priorities, deepening protection of critical infrastructure and the digital economy ahead of EU NIS implementation. (Source: HCPN)
Luxembourg's second cybersecurity strategy created the National Agency for the Security of Information Systems (ANSSI), housed within the HCPN, to set state information-security policy and support administrations and critical operators. (Source: NATO CCDCOE)
Luxembourg's inaugural cybersecurity strategy established the Government CERT (GOVCERT.LU) and set the foundational axes — infrastructure protection, legal framework, international cooperation, awareness and security standards — that shape today's governance. (Source: Government of Luxembourg, Infocrise)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.