Cybersecurity · Luxembourg

Comprehensive law: Law of 5 May 2026 on measures to ensure a high level of cybersecurity (transposing EU Directive 2022/2555, 'NIS2'); supervised by the Institut Luxembourgeois de Régulation (ILR), with the CSSF as competent authority for the financial sector and the Haut-Commissariat à la Protection nationale (HCPN) as strategic coordinator and single point of contact.

Luxembourg has a comprehensive, cross-sector cybersecurity regime built on the Law of 5 May 2026, which transposed the EU NIS2 Directive (replacing the prior NIS1 law) and entered into force on 10 May 2026. The ILR is the lead competent authority for most sectors, while the CSSF (with the Commissariat aux Assurances) supervises the financial sector under the directly applicable EU DORA Regulation. Essential and important entities face risk-management, governance and tiered incident-reporting duties, backed by fines up to EUR 10 million or 2% of global turnover.

Comprehensive NIS2 law in force

The Law of 5 May 2026 'concerning measures to ensure a high level of cybersecurity', transposing Directive (EU) 2022/2555 (NIS2), was published in the Journal officiel on 6 May 2026 and entered into force on 10 May 2026, repealing the earlier NIS1 act. It originated as Bill 8364, after Luxembourg missed the 17 October 2024 EU transposition deadline (Commission reasoned opinion of 7 May 2025).

Competent authorities

The ILR (Institut Luxembourgeois de Régulation) is the operational supervisory authority for the majority of NIS2 sectors (energy, transport, water, digital services, etc.), the CSSF supervises banking and financial market infrastructure, and the HCPN handles national strategy, crisis management and acts as single point of contact for cross-border cooperation.

Self-classification and registration

Entities must self-assess whether they qualify as 'essential' or 'important' entities (authorities no longer designate them individually) and register via the ILR's self-registration portal, which opened in April 2026; ILR inspections are expected from January 2027.

Incident-reporting / breach-notification duties

For significant incidents, NIS2 imposes a phased duty: an early warning to the competent authority within 24 hours, a formal incident notification within 72 hours, and a final report within one month. The two designated national CSIRTs are GOVCERT.LU (state bodies, public establishments and critical entities) and CIRCL (all other entities).

Financial sector overlay (DORA)

Financial entities are governed by the directly applicable EU DORA Regulation (2022/2554), in application since 17 January 2025, with the CSSF and the Commissariat aux Assurances as competent authorities; major ICT-related incidents and significant cyber threats are reported to the CSSF via dedicated eDesk procedures.

Governance duties and sanctions

Management bodies must approve and oversee cybersecurity risk-management measures and undergo mandatory training. Administrative fines reach up to EUR 10 million or 2% of worldwide annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.