NIS2 is now in force in Luxembourg!
- Articles and memoranda
- Posted 12.05.2026
On 5 May 2026, Luxembourg transposed Directive (EU) 2022/2555 (the “NIS2 Directive”) into national law, marking a significant expansion of the Grand Duchy’s cybersecurity regulatory framework.
1. Background
The Luxembourg law of 5 May 2026 on measures for a high level of cybersecurity entered into force on 10 May 2026 (the “NIS2 Law”).[1] While modifying other pieces of legislation, the new law modernises the national cybersecurity framework initially established by the Law of 28 May 2019 implementing the original NIS1 Directive. In practical terms, the reform replaces the narrower NIS1 approach with a broader and more operational regime imposing cybersecurity governance, risk management, incident reporting, and supervisory obligations on a significantly larger number of entities operating in Luxembourg.
The reform pursues three principal objectives:
- to expand the categories of regulated entities;
- to harmonise cybersecurity risk-management requirements across the EU; and
- to strengthen supervisory and enforcement mechanisms.
You will find below a summary of the main features and requirements of the new regime.
2. Scope of application
2.1 Essential and important entities
Consistent with the architecture of the NIS2 Directive, the new regime moves away from the model of sector-specific “operators of essential services” towards a broader framework. Subject to size-cap rules and certain exceptions,[2] the NIS2 Law distinguishes between “essential entities” and “important entities” falling within Annexes I and II of the NIS2 Law respectively.
The NIS2 Law applies to public and private entities whose type is listed in Annex I or II and that qualify at least as medium-sized entities as per EU law.
It also applies to the entities listed in Annex I or II, irrespective of their size, where they provide certain services such as public electronic communications networks or services or if they are the sole provider in the Grand Duchy of a service essential for maintaining critical societal or economic activities.
In addition, the NIS2 Law applies, regardless of their size, where entities are considered “critical” under the Luxembourg law of 5 May 2026 transposing Directive 2022/2557 on the resilience of critical entities into Luxembourg law (the “CER Law”).[3] The CER Law, which deals with physical and operational resilience against non-cyber threats, does not apply to the topics covered by the NIS2 Law.
2.2 Covered sectors
The scope of the NIS2 Law is significantly broader than under NIS1 and includes, among others:
2.3 Competent Authorities
The principal competent authorities include:
- the Institut Luxembourgeois de Régulation (ILR), by default;
- the Commission de Surveillance du Secteur Financier (CSSF) by derogation for financial-sector entities; and
- the Haut-Commissariat à la Protection nationale (HCPN), which coordinates cybersecurity policy and cyber-crisis management.
3. Core cybersecurity-related obligations
3.1 Risk-management measures
The NIS2 Law imposes extensive cybersecurity risk-management obligations on in-scope entities. These entities must implement “appropriate and proportionate technical, operational and organisational measures” to manage risks affecting network and information systems.
At a minimum, those measures must include:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and recovery, and crisis management;
- supply-chain security, including security of relations between each entity and its direct vendors or service providers;
- secure acquisition, development and maintenance of networks and information systems, including vulnerability processing and disclosure;
- policies and procedures for assessing the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures related to the use of cryptography and, as applicable, encryption;
- human resources security, policies on access controls and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity, where appropriate.
These obligations apply to both essential and important entities. That said, only essential entities are required to notify those measures to the competent authority. The detailed modalities for such notification are expected to be specified by regulation or circular.
3.2 Incident Notification Obligations
The NIS2 Law introduces a multi-stage incident reporting framework.
In-scope entities must notify significant incidents through:
- an early warning within 24 hours;
- an incident notification within 72 hours; and
- a final report within one month.
Notifications are required where incidents:
- significantly disrupt services;
- create severe operational impacts;
- generate substantial financial losses; or
- affect other natural or legal persons.
3.3 Governance
The NIS2 Law expressly strengthens the accountability of management bodies.
Senior management must:
- approve cybersecurity risk-management measures;
- oversee their implementation; and
- receive cybersecurity training.
This governance-oriented approach aligns the NIS2 framework with broader EU operational resilience initiatives such as the Digital Operational Resilience Act (“DORA”). See section 5 below for some insight on the interplay between NIS2 and DORA.
4. Supervision and sanctions
4.1 Supervisory powers
The NIS2 Law grants broad supervisory powers to competent authorities.
Authorities may:
- conduct inspections;
- request information and documentation;
- order security audits;
- require remediation measures;
- issue binding instructions; and
- impose temporary operational restrictions.
Essential entities are subject to proactive supervision (ex ante and ex post), while important entities are generally supervised ex post, typically following incidents or indications of non-compliance.
4.2 Administrative Sanctions
The Luxembourg regime introduces substantial administrative fines aligned with the minimum thresholds set by the NIS2 Directive (in addition to other administrative measures such as a warning or a reprimand). Administrative fines must be effective, proportionate and dissuasive, considering the circumstances of each case.
For essential entities, administrative fines may reach up to:
- EUR 10 million; or
- 2% of the undertaking’s total worldwide annual turnover,
whichever is higher.
For important entities, administrative fines may reach up to:
- EUR 7 million; or
- 1.4% of the undertaking’s total worldwide annual turnover,
whichever is higher.
5. Practical implications for in-scope Luxembourg organisations
The NIS2 Law is a sector-specific transversal legislation that coexists notably with:
- the General Data Protection Regulation (“GDPR”);
- DORA;
- the Law of 17 December 2021 on networks and electronic communications (transposing the European Electronic Communications Code);[4] and
- the CER Law.
Their interaction is particularly important in Luxembourg because of:
- the concentration of financial institutions;
- the prevalence of outsourcing and cloud infrastructures;
- cross-border critical infrastructure dependencies; and
- the convergence of cyber and physical threats.
By way of illustration, in practice, cybersecurity incidents may trigger parallel obligations under multiple regimes, notably:
- NIS2 incident notification;
- GDPR personal data breach notification;
- DORA major ICT incident reporting; and
- contractual notification duties.
Luxembourg entities therefore face increasing regulatory overlap and will need integrated governance and incident-response frameworks.
In this context, for financial entities, DORA constitutes a lex specialis regarding ICT risk management and ICT-related incident reporting. Accordingly, financial entities subject to DORA are generally expected to comply with DORA’s incident-reporting rules for ICT-related incidents while DORA’s harmonised reporting framework prevails over NIS2.[5] However, this does not entirely exclude the relevance of NIS2 as financial entities may still be indirectly affected through obligations relating to the broader cybersecurity ecosystem, including ICT supply-chain relationships,[6] or non-ICT infrastructures, that are not explicitly covered by DORA, such as general cross-sector cooperation or certain aspects of physical infrastructure security.
Furthermore, pursuant to article 11(4) of the NIS2 Law, in-scope entities have two months following the law’s entry into force (i.e. until 10 July 2026) to communicate certain information to the competent authority, enabling that authority to establish a list of the essential and important entities under its supervision.
Should you wish to discuss the above or assess how the NIS2 Law may affect your organisation, please feel free to reach out to our dedicated ICT and data protection team.
[1] Mémorial A, No. 225 of 2026 (http://data.legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo).
[2] Essential entities are generally large companies of 250 or more employees or of >€50M turnover and >€43M balance sheet, operating in “highly critical” sectors of Annex I. For more information on sectors and size-caps, please consult https://www.ilr.lu/en/sectors/niss/nis-2/scope-and-field-of-application/.
[3] Mémorial A, No. 226 of 2026 (http://data.legilux.public.lu/eli/etat/leg/loi/2026/05/05/a226/jo).
[4] Mémorial A, No. 927 of 2026 (http://data.legilux.public.lu/eli/etat/leg/loi/2021/12/17/a927/jo).
[5] Please refer to our developments in “The interplay between DORA, the GDPR and NIS 2” available at: https://elvingerhoss.lu/publications/digital-operational-resilience-doras-implementation-roadmap.
[6] While a financial entity might be governed primarily by DORA, its service providers (such as Support PSFs) may be directly subject to NIS2 (e.g. in the field of ICT Service Management covered by Annex I to the Luxembourg NIS2 Law).