NIS2 in Luxembourg: How the Law of 5 May 2026 Transposes the EU Directive

Luxembourg transposed NIS2 through the Law of 5 May 2026, designating ILR, HCPN and CIRCL as the institutional pillars. What every essential and important entity needs to know.

Daniel Grigorovich
Founder · 31 May 2026 · 16 min read

Who should read this: Compliance Officers, CIOs, CISOs, In-house Counsel, Risk Leaders, and Operations Leaders at organisations active in Luxembourg.

After more than two years of preparation, Luxembourg has transposed the NIS2 Directive (Directive (EU) 2022/2555) into national law. The Law of 5 May 2026 on measures to ensure a high level of cybersecurity (the “NIS2 Law”) was published in the Official Journal (Mémorial A 225) and takes effect immediately. It repeals the 2019 Law that transposed NIS1 and amends several adjacent texts, including the laws governing electronic commerce, the High Commission for National Protection (HCPN, Haut-Commissariat à la Protection nationale), and electronic communications networks and services.

For organisations operating in Luxembourg, the legal posture changes in three concrete ways. First, the scope of regulated entities is far wider than under NIS1: medium-sized and large undertakings across eighteen sectors are now covered by default. Second, the institutional architecture is clarified, with the Luxembourg Institute of Regulation (ILR, Institut Luxembourgeois de Régulation) confirmed as the lead competent authority. Third, the enforcement teeth are real: administrative fines reach EUR 10 million or 2% of worldwide turnover for essential entities, with daily penalty payments on top.

This article is a practical, business-reader guide to what the Luxembourg NIS2 Law requires. It maps each obligation to its EU directive counterpart, identifies which Luxembourg body you deal with for each interaction, and points to the source articles that go deeper on the underlying topic. It is not legal advice; for that, consult counsel. But it should give a leadership team enough to plan, budget, and assign owners.

For wider context on the directive itself, see our NIS2 Compliance guide.

The legislative path: from NIS1 to the Law of 5 May 2026

NIS1 was transposed into Luxembourg law by the Law of 28 May 2019. That law applied to a small set of “operators of essential services” identified by sectoral regulators, plus a handful of digital service providers. It served its purpose, but it left most of the economy outside the cybersecurity perimeter.

The Law of 5 May 2026 replaces that framework entirely. Article 30 of the new law expressly repeals the 2019 Law. The new text is to be cited as the “Law of 5 May 2026 on measures to ensure a high level of cybersecurity”. Parliamentary documents file the bill under Parl. doc. 8364. The full text is available on Legilux at legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo.

If your organisation was already covered under NIS1, you do not get a clean slate: Article 11(1) point 7° carries previously designated operators of essential services over as essential entities under the new regime. New obligations apply from day one; the only carry-over is your designation status, not your compliance posture. For a recap of what changed between the two regimes, see NIS1 vs NIS2: Key Differences.

Who is in scope

Article 1 of the NIS2 Law mirrors the EU directive’s two-step scoping logic.

Sector plus size. First, the entity must be of a type listed in Annex I or Annex II of the Law. Annex I covers the eleven sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II covers seven other critical sectors: postal and courier services, waste management, manufacture and distribution of chemicals, production and distribution of food, manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), and research. Second, the entity must qualify as at least a medium-sized enterprise under Commission Recommendation 2003/361/EC, or exceed those ceilings.

Size-agnostic categories. Regardless of size, the Law applies to providers of public electronic communications networks and services, trust service providers, top-level domain name registries, DNS service providers, sole providers of services essential for critical societal or economic activities in Luxembourg, entities whose disruption could have a significant impact on public safety or generate systemic risk, entities critical at national or regional level, public administration entities, entities identified as critical under the Law of 5 May 2026 on the resilience of critical entities, and entities providing domain name registration services. Article 1(2) is the controlling text here.

If you are unsure whether the Law applies to your organisation, the fastest first check is our NIS2 scope checker, which walks through sector and size in three clicks. For a deeper read on how scoping works in the directive, see our guides on NIS2 scope and applicability and on the essential versus important distinction.

The financial sector deserves a separate note. Article 1(5) of the NIS2 Law excludes entities falling within the scope of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (“DORA”), in accordance with Article 2(4) of that Regulation. Where DORA applies, it applies in place of NIS2 for the same conduct. We unpack the boundary in NIS2 and the financial sector: how DORA overlaps with banking and in NIS2, DORA and CER: overlapping regulations explained.

The Luxembourg institutional architecture

The Law of 5 May 2026 names a small set of bodies and gives each a clear role. This is one of the most useful parts of the text for compliance teams: it tells you exactly who you talk to, in what circumstances.

Luxembourg Institute of Regulation (ILR, Institut Luxembourgeois de Régulation). ILR is the competent authority responsible for cybersecurity supervision and enforcement under the Law (Article 3). It covers all sectors in Annexes I and II by default, plus critical entities under the resilience law of 5 May 2026. Practical implication: ILR is the body that will inspect, audit, request information, issue binding instructions, and impose fines for most entities. The ILR’s NIS2 hub is published at ilr.lu/en/sectors/niss/nis-2.

Financial Sector Supervisory Commission (CSSF, Commission de surveillance du secteur financier). CSSF is the competent authority for the banking sector and the financial market infrastructures sector (Annex I points 3 and 4), and for the digital infrastructure and ICT service management sectors (Annex I points 8 and 9) in respect of activities falling under CSSF supervision. Most financial entities will of course be subject to DORA rather than NIS2, but where NIS2 still applies, CSSF supervises.

High Commission for National Protection (HCPN, Haut-Commissariat à la Protection nationale). HCPN is the national single point of contact for cross-border cooperation with other Member States, the European Commission and ENISA (Article 5), and the cyber crisis management authority representing Luxembourg in EU-CyCLONe (Article 6). HCPN is also the home of GOVCERT.LU.

GOVCERT.LU. Operated by HCPN, GOVCERT.LU is the CSIRT (Computer Security Incident Response Team) for State administrations and services, public establishments, and critical entities under the resilience law (Article 7(1)). It also runs MILCERT.LU for the army’s systems.

CIRCL (Computer Incident Response Center Luxembourg). Operated by the Luxembourg House of Cybersecurity GIE (groupement d’intérêt économique), CIRCL is the CSIRT for every other category not covered by GOVCERT.LU (Article 7(1)). For most private essential and important entities, CIRCL is the body that will receive incident notifications, provide technical assistance, run coordinated vulnerability disclosure (Article 9), and engage in the CSIRTs network at EU level.

If you want the EU-wide perspective on how these bodies fit into the directive’s design, our reference article on NIS2 institutional architecture: authorities, CSIRTs and contact points lays out the pattern.

National strategy and crisis plan

The Law amends the HCPN organisational law to require two strategic instruments.

The national cybersecurity strategy (new Article 9bis of the HCPN law) must set out objectives, governance, risk assessment mechanisms, preparedness measures, supply-chain security policies, vulnerability management, support for SMEs, and an awareness plan. The strategy is reviewed at least every five years. For background on why Article 7 of the directive requires this and what good strategies look like, see The national cybersecurity strategy: what Article 7 requires.

The national response plan for large-scale cybersecurity crises and incidents (new Article 9ter of the HCPN law) defines crisis management procedures, preparedness measures, and the arrangements for cross-border participation in coordinated EU-level responses. This anchors Luxembourg’s role in EU-CyCLONe and the CSIRTs network. See The Cooperation Group, EU-CyCLONe and the CSIRTs Network for the EU-level mechanics.

The ten cybersecurity risk-management measures (Article 12)

Article 12 of the NIS2 Law is the operational core. It requires essential and important entities to take “appropriate and proportionate technical, operational and organisational measures” based on an all-hazards approach. The text enumerates ten categories of measures, identical to Article 21(2) of the directive:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, including backup management, disaster recovery, and crisis management;
  • supply-chain security, including security-related aspects of relationships with direct suppliers and service providers;
  • security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber-hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access-control policies, and asset management;
  • multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems within the entity, as appropriate.

For the deep dive on what each of these covers in practice, see The 10 cybersecurity measures of NIS2 Article 21. The all-hazards principle, which extends beyond cyber threats to the physical environment, is unpacked in The all-hazards approach: physical security under NIS2. Supply chain risk gets its own treatment in Supply-chain security and vendor risk under NIS2.

Two Luxembourg-specific notes. First, Article 12(3) requires essential entities to notify the competent authority of the measures they have taken, in a format set by ILR or CSSF by regulation or circular. This is not a one-line confirmation: expect a structured submission. Second, Article 12(4) requires entities to factor in the outcomes of the EU-level coordinated supply-chain security risk assessments carried out under Article 22 of the directive. Plan to track those assessments and document how you have integrated their findings.

Management body accountability (Article 13)

Article 13 of the NIS2 Law is short but consequential. The management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and may be held personally liable for infringements of Article 12. Members of the management body must follow regular training, and the entity must offer similar training to its staff.

For boards and executive committees, this means cybersecurity is no longer an “IT topic” delegated to the CISO. It is a board-level matter, with documented oversight, training records, and minute trails. Our article on Board accountability and governance under NIS2 walks through what a defensible governance posture looks like.

Incident reporting under Article 14

Article 14 reproduces the EU directive’s three-clock reporting regime, which is one of the most operational obligations in the Law.

Early warning, within 24 hours. Without undue delay, and in any event within 24 hours of becoming aware of a significant incident, the entity submits an early warning to the competent authority. The early warning indicates whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact. Trust service providers operate on a single 24-hour notification clock (Article 14(4) second subparagraph).

Incident notification, within 72 hours. The notification updates the early warning and provides an initial assessment of severity, impact, and (where available) indicators of compromise.

Final report, within one month of the incident notification. The report covers a detailed description, the root cause, the mitigation measures applied and ongoing, and cross-border impact. If the incident is still being handled at the one-month mark, the entity provides a progress report and a final report within one month of incident handling closure.

The competent authority must provide an initial response to the early warning within 24 hours where possible, including guidance and operational advice. The CSIRT (CIRCL or GOVCERT.LU as applicable) provides technical support on request.

For the practical guide to running the clocks, see The NIS2 incident reporting timeline. For when an incident actually crosses the “significant” threshold (the hardest call in the first 24 hours), see What makes an incident significant under NIS2.
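The three clocks described above, as an added worked example that is not part of the original article or any ILR or CIRCL tooling: a small Python helper that derives the Article 14 deadlines from the moment an entity becomes aware of a significant incident, covering the trust-service-provider single 24-hour clock and the progress-report branch for incidents still being handled at the one-month mark. It assumes that “one month” means one calendar month and that the one-month clock runs from the actual notification time when known, otherwise from the notification deadline; both readings are assumptions, not statements of the Law.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar


def add_one_month(t: datetime) -> datetime:
    """Add one calendar month, clamping the day (31 Jan -> 28/29 Feb).
    Assumption: 'one month' in Article 14 is a calendar month, not 30 days."""
    year, month = divmod(t.month, 12)
    year += t.year
    month += 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class Article14Clocks:
    early_warning_due: datetime           # 24h after awareness
    notification_due: Optional[datetime]  # 72h after awareness; None for TSPs (single clock)
    first_report_due: datetime            # one month after notification: final report,
                                          # or a progress report if still handling
    final_report_due: Optional[datetime]  # None while handling is still open past that mark


def article14_deadlines(aware_at: datetime, *, trust_service_provider: bool = False,
                        notified_at: Optional[datetime] = None,
                        handling_closed_at: Optional[datetime] = None) -> Article14Clocks:
    """Derive the Article 14 deadlines from the moment of awareness (UTC datetimes)."""
    early_warning_due = aware_at + timedelta(hours=24)
    if trust_service_provider:
        # Trust service providers have one 24-hour notification clock only.
        notification_due = None
        notification_deadline = early_warning_due
    else:
        notification_due = aware_at + timedelta(hours=72)
        notification_deadline = notification_due
    # Assumption: the one-month clock starts at the actual notification when known,
    # otherwise at the latest moment the notification could have been sent.
    basis = notified_at if notified_at is not None else notification_deadline
    one_month_mark = add_one_month(basis)
    if handling_closed_at is not None and handling_closed_at <= one_month_mark:
        # Handling closed in time: the one-month report is the final report.
        return Article14Clocks(early_warning_due, notification_due, one_month_mark, one_month_mark)
    # Still handling at the one-month mark: progress report then, final report
    # one month after closure (unknown while the incident remains open).
    final = add_one_month(handling_closed_at) if handling_closed_at is not None else None
    return Article14Clocks(early_warning_due, notification_due, one_month_mark, final)


def overdue(due: Optional[datetime], now: datetime) -> bool:
    """True when a clock has a fixed deadline and it has already passed."""
    return due is not None and now > due


if __name__ == "__main__":
    # Constructed sample: awareness at 09:30 UTC on 10 June 2026, still open.
    aware = datetime(2026, 6, 10, 9, 30, tzinfo=timezone.utc)
    for label, value in vars(article14_deadlines(aware)).items():
        print(f"{label:>20}: {value}")
```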

Certification and standards (Article 15)

Article 15 allows the competent authority, by way of regulation, to require essential and important entities to use ICT products, services, or processes certified under European cybersecurity certification schemes adopted under the Cybersecurity Act (Regulation (EU) 2019/881). It also encourages the use of qualified trust services.

This is not yet a hard mandate, but it signals direction: the competent authority can and likely will tie specific control families to certification over time. The relationship to ISO 27001 and other recognised standards is covered in NIS2, ISO 27001 and cybersecurity certification schemes.

Registration and entity duties (Articles 11 and 17)

Two registration tracks apply.

General registration (Article 11(4)). Within two months of the entry into force of the Law, in-scope entities must communicate to the competent authority their name, contact details, sector and subsector, the Member States in which they provide services, and their size. Changes must be notified within two weeks.

Digital-sector registration (Article 17). DNS service providers, top-level domain registries, domain name registration service providers, cloud and data centre providers, content delivery networks, managed service providers, managed security service providers, and providers of online marketplaces, search engines, and social networking platforms must submit a more detailed dataset (including IP ranges) to the competent authority. ILR forwards this to ENISA for the EU-wide registry under Article 27 of the directive.

If your business is a managed service provider or MSSP, see Are MSPs and MSSPs regulated under NIS2 for the implications. For cloud, data centre, and CDN providers, see Digital infrastructure under NIS2: cloud and data centre.

Supervision and enforcement

The Law draws a sharp line between essential entities (Article 22) and important entities (Article 23) in how they are supervised.

Essential entities are subject to ex-ante and ex-post supervision: on-site inspections, off-site supervision (including random checks), regular and targeted security audits, ad-hoc audits after significant incidents, security scans, and requests for information, data, and evidence. The competent authority can require audits by an independent body, with the costs borne by the audited entity.

Important entities are subject to ex-post supervision only. Inspections, targeted audits, scans, and information requests are still possible, but typically triggered by indications of non-compliance.

Both categories face the same toolkit of enforcement measures: warnings, binding instructions, orders to remedy deficiencies, orders to inform service recipients of cyber threats, orders to implement audit recommendations, designation of a monitoring officer, public disclosure of infringements, and administrative fines. For essential entities only, if those measures prove ineffective, the competent authority may go to the President of the District Court of Luxembourg (sitting as in summary proceedings) for two further measures: temporary suspension of a certification or authorisation, or temporary prohibition on the CEO or legal representative exercising managerial functions in the entity.

Our reference article on NIS2 enforcement powers, penalties, and fines walks through how authorities use these tools in practice.

Administrative fines (Articles 25 and 26)

The Law sets out two fine tracks.

Core operational breaches (Article 26). Infringements of Article 12 (the ten measures) or Article 14 (incident reporting) trigger the headline fines:

  • Essential entities: up to EUR 10,000,000 or 2% of total worldwide annual turnover of the previous financial year of the undertaking, whichever is higher.
  • Important entities: up to EUR 7,000,000 or 1.4% of total worldwide annual turnover of the previous financial year of the undertaking, whichever is higher.

These figures match the directive exactly and are intended to be effective, proportionate, and dissuasive. For deep treatment of how these caps are calibrated and applied, see Administrative fines under NIS2: the EUR 10M and EUR 7M framework.

Administrative breaches (Article 25). Other defined breaches (failures around registration under Article 11(4), management body duties under Article 13(1) and (2), certification under Article 15, digital-sector registration under Article 17(1) first subparagraph and (2), and DNS data accuracy under Article 18(1) to (6)) carry administrative fines up to EUR 250,000.

Periodic penalty payments (Article 26(7)). On top of any fine, the competent authority can attach a daily penalty payment to compel an entity to end an infringement: up to EUR 1,250 per day, capped at EUR 25,000 in total per established breach.

Recovery and appeal. The Administration of Registration, Domains, and VAT (AED, Administration de l’enregistrement, des domaines et de la TVA) recovers administrative fines on behalf of ILR, with an action for reformation available before the Administrative Court (Article 25(4)). The procedure is adversarial: the entity has the right to consult the file, submit observations, and be assisted or represented.

When deciding whether and how much to fine, the authority must weigh the gravity and duration of the infringement, prior infringements, material and non-material damage, intent versus negligence, mitigation measures taken, application of certification mechanisms, and the degree of cooperation. Repeated infringements, failure to report or remedy significant incidents, obstruction of audits, and provision of false information are considered serious in all circumstances (Article 22(7)).

Sectoral overlaps and exemptions

Two overlap areas deserve attention.

GDPR (Article 24). If a supervisory finding suggests a personal data breach within the meaning of GDPR Article 4(12), the NIS2 competent authority must inform the Luxembourg data protection authority (CNPD, Commission nationale pour la protection des données) without delay. Where CNPD imposes a GDPR fine under Article 58(2)(i) for the same conduct, ILR or CSSF cannot also impose a NIS2 fine under Article 26, but can still apply the non-monetary enforcement measures. The interaction is unpacked in NIS2 and GDPR overlap: cybersecurity and data protection.

DORA. Financial sector entities covered by DORA are excluded from the NIS2 Law per Article 1(5). For entities only partially in DORA scope, the NIS2 Law continues to apply to the residual. The boundary, and what it means for banks and financial market infrastructures, is the subject of NIS2 and the financial sector: how DORA overlaps with banking.

Equivalent sector-specific obligations (Article 1(8)). Where another EU legal act imposes equivalent cybersecurity risk-management and incident-notification duties (with notifications fed automatically to the CSIRTs and competent authorities), the corresponding provisions of the NIS2 Law (including Chapter 6 on supervision and enforcement) do not apply.

Sector-specific reading

If your organisation is in a regulated sector, the Annex categorisation maps directly to the corresponding sectoral guidance:

What to do this quarter

For most leadership teams, the right first move is a short, disciplined gap assessment that maps the Law to current operations and produces a prioritised roadmap. A reasonable sequence:

  1. Confirm scope. Use the NIS2 scope checker or commission a counsel review of Article 1 against your activities.
  2. Identify your interlocutor. ILR for the default case; CSSF for banking, financial market infrastructures, and CSSF-supervised digital infrastructure and ICT service management activities.
  3. Register. Prepare the Article 11(4) submission (and the Article 17 submission if applicable). The clock is two months from entry into force; do not wait for a reminder.
  4. Brief the board. Article 13 personal liability is the single most important conversation to have at the management body level. Document approval of measures and training plans.
  5. Stand up the incident regime. Map your detection, classification, and notification flow to the 24h, 72h, and one-month clocks under Article 14. Pre-register your contact data and your primary CSIRT (CIRCL or GOVCERT.LU).
  6. Close the Article 12 gaps. Run a controls map against the ten categories. Where supply chain or MFA are weakest, prioritise those.
  7. Document, document, document. Article 22(7) makes cooperation and demonstrable diligence material to the fine calculation. Build the evidence trail now, not after the first audit.

For a longer playbook, the NIS2 Compliance guide walks through each obligation in sequence.

Sources and references

Primary sources:

Luxembourg bodies:

  • Luxembourg Institute of Regulation (ILR, Institut Luxembourgeois de Régulation), competent authority: ilr.lu/en/sectors/niss/nis-2.
  • High Commission for National Protection (HCPN, Haut-Commissariat à la Protection nationale), single point of contact and cyber crisis authority.
  • GOVCERT.LU (operated by HCPN), national and governmental CSIRT.
  • CIRCL (operated by the Luxembourg House of Cybersecurity GIE), CSIRT for private essential and important entities and coordinator for vulnerability disclosure.
  • Financial Sector Supervisory Commission (CSSF, Commission de surveillance du secteur financier), competent authority for banking, financial market infrastructures, and CSSF-supervised digital infrastructure and ICT service management.

This article reflects the Law as published on 5 May 2026. ILR and CSSF will publish implementing regulations and circulars over the coming months; check the ILR NIS2 hub for the latest official guidance before finalising operational decisions.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.