On 5 May 2026, Luxembourg took a major step in reshaping its cybersecurity framework by adopting the law transposing Directive (EU) 2022/2555 ("NIS2 Directive") into national law. This new law, which entered into force on 10 May 2026 ("NIS2 Law"), represents a significant evolution of the Grand Duchy's approach to cybersecurity. It replaces the regime introduced by the 2019 law implementing the original NIS Directive.
A Broader and More Ambitious Framework
The NIS2 Law establishes a more extensive and operational framework, bringing a much wider range of entities within its scope. Whereas the original NIS regime focused on "operators of essential services", the new law distinguishes between "essential entities" and "important entities", as set out in Annexes I and II of the NIS2 Law.
The NIS2 Law applies to entities listed in those annexes that qualify as at least medium-sized.
Certain entities fall within scope irrespective of their size. This is the case, for example, for providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, and domain name system service providers. Other entities may be designated as essential or important on the basis of specific criteria, such as being the sole supplier in a given field of activity.
In total, NIS2 now covers 17 sectors, including:
energy
transport
banking
financial market infrastructures
health
drinking water and wastewater
digital infrastructure
ICT service management
public administration entities
space
postal and courier services
waste management
manufacture, production, and distribution of chemicals
food production, processing, and distribution
manufacturing
digital providers (online marketplaces, search engines, social networking platforms)
research
Key Obligations for In-Scope Entities
Entities caught by the NIS2 Law are subject to reinforced cybersecurity governance and risk management duties. They must implement appropriate technical, operational, and organisational measures to manage risks to their network and information systems.
Essential entities must also notify the competent authority of the measures they have put in place, with further details to be set out in secondary legislation.
The management body of an in-scope entity is required to approve and oversee the implementation of cybersecurity risk management measures and may incur direct liability in the event of non-compliance.
The NIS2 Law also introduces a structured incident notification regime. Entities must notify significant incidents to the competent authorities in three stages:
an early warning within 24 hours
a more detailed incident notification within 72 hours
a final report within one month
Enhanced Supervision and Enforcement
Supervision is shared between several authorities:
the Institut Luxembourgeois de Régulation (ILR)
the Commission de Surveillance du Secteur Financier (CSSF), which is competent by way of derogation for financial entities
the Haut-Commissariat à la Protection nationale (HCPN), which is responsible for cyber-crisis management and cooperation with competent authorities in other Member States
Essential entities are subject to proactive, ex ante supervision, whereas important entities are generally supervised ex post, in particular following incidents, indications of non-compliance, or on the basis of risk-based assessments.
The NIS2 Law also introduces a strengthened sanctions regime. Administrative fines can reach up to the higher of EUR 10 million or 2% of the worldwide annual turnover for essential entities and up to the higher of EUR 7 million or 1.4% of the worldwide annual turnover for important entities.
Navigating Overlapping Regulatory Regimes
The entry into force of the NIS2 Law adds another layer to Luxembourg's already dense regulatory landscape. The interaction between NIS2, the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), and various sector-specific rules means that organisations will need to adopt an integrated approach to governance, risk management, and incident response.
For financial entities, DORA will generally prevail in relation to ICT risk management and incident reporting. However, NIS2 will still apply in areas not fully covered by DORA, such as certain aspects of supply chain security, cross-sector cooperation, and broader national cybersecurity obligations. Careful mapping of obligations and alignment of processes will therefore be essential.
Practical Next Steps for Luxembourg Organisations
The immediate priority for organisations is to determine whether they fall within the scope of the NIS2 Law. If they do, they must self-register by 10 July 2026.
Given the expanded scope and heightened obligations, organisations should review their cybersecurity frameworks, update their incident response plans, and ensure that governance structures are aligned with the new requirements.
The adoption of the NIS2 Law represents a decisive move towards a more resilient and harmonised cybersecurity environment in Luxembourg, reflecting the country's commitment to safeguarding its digital infrastructure and critical services in an increasingly complex threat landscape.