Luxembourg has transposed the EU NIS2 Directive through the Law of 5 May 2026 (Mémorial A No. 225), which entered into force on 10 May 2026. It repeals the previous NIS1 law of 28 May 2019, extends regulated cybersecurity to 15 sectors and imposes on essential and important entities: (i) harmonised risk-management measures, (ii) incident notification to the ILR via SERIMA following a 24h/72h/1-month timeline, (iii) direct liability of management bodies, and (iv) mandatory self-registration. Administrative fines reach EUR 10 million or 2 % of global turnover for essential entities.
1. What is Luxembourg’s new NIS2 law?
The Law of 5 May 2026 on measures designed to ensure a high level of cybersecurity transposes Directive (EU) 2022/2555 of 14 December 2022 (NIS2) into Luxembourg law. Published in Mémorial A No. 225 on 6 May 2026, it became applicable on 10 May 2026.
The transposition produces three structural effects:
- It repeals the NIS1 law of 28 May 2019 and articles 42 and 43 of the law of 17 December 2021 on electronic communications networks and services;
- It amends three existing texts: the law of 14 August 2000 on electronic commerce (as amended), the law of 23 July 2016 establishing the High Commissioner for National Protection (as amended) and the law of 17 December 2021 mentioned above;
- It operates together with Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, which is directly applicable and specifies technical requirements for certain entity types (DNS providers, registries, cloud services, data centres, etc.).
The competent authority remains the Luxembourg Institute of Regulation (ILR), through its NISS department, supported by the SERIMA platform for incident notifications.
2. Is your business in scope? Sectors and the size-cap rule
The Luxembourg NIS2 law applies to entities operating in one of the sectors listed in its Annexes I and II. These 15 sectors group operators considered critical for the proper functioning of the internal market: energy, transport, health, drinking water, wastewater, digital infrastructure, B2B ICT services management, public administration, space, postal and courier services, waste management, chemical manufacturing, food production, manufacturing, digital providers and research.
To fall within the default scope, an entity must cross the "size-cap" threshold derived from Recommendation 2003/361/EC:
- Medium-sized entity: 50 to 249 employees OR turnover between EUR 10 M and 50 M OR balance-sheet total between EUR 10 M and 43 M;
- Large entity: any threshold exceeded;
- Calculation is performed at group level (entity under review + 100 % of linked enterprises + pro rata of partner enterprises).
Three nuances deserve attention. First, some sectors are subject to the law regardless of size: providers of public electronic communications, trust service providers, top-level domain registries and DNS service providers. Second, an entity may be specifically designated as essential or important on other grounds (critical entity under the CER Directive, sole provider in its field, etc.). Third, the essential vs. important qualification determines the supervisory regime.
3. Key obligations to meet
3.1. Technical and organisational measures (Article 21 of the Directive)
Essential and important entities must implement "appropriate and proportionate" measures covering at least ten areas: policies on risk analysis and information system security; incident handling; business continuity (backups, recovery, crisis management); supply-chain security; security in acquisition, development and maintenance; effectiveness assessment of cybersecurity risk-management measures; basic cyber hygiene and training; cryptography and encryption; HR security, access control and asset management; multi-factor authentication and secured communications.
3.2. Incident notification: the 24h / 72h / 1-month timeline
The Luxembourg law mirrors the harmonised European process, triggered through the SERIMA platform:
- Early warning – no later than 24 hours after detection: notify without undue delay, even if the impact is not yet fully assessed;
- Incident notification – 72 hours after detection (Art. 23(4)(b) of the Directive): structured update of the information, initial assessment of severity and impact, indicators of compromise where available;
- Final report – 1 month after the formal notification, with a possible 1-month extension (interim report required in the meantime).
3.3. Direct liability of management bodies (Article 20)
This is the most structural novelty for boards and executives: management bodies must approve cybersecurity risk-management measures, oversee their implementation and may be held personally liable for breaches. They are also subject to a duty of regular cybersecurity training. The ILR has published dedicated NIS2 Guidelines for management bodies which boards should audit without delay.
3.4. Mandatory self-registration
Any in-scope entity must register itself with the ILR through the dedicated online form. This declarative process places the responsibility on the entity to determine its own qualification (essential / important).
4. What are the penalties for non-compliance?
NIS2 — and therefore the Luxembourg transposition — imposes substantial administrative fines:
- Essential entities (Art. 34(4) of the Directive): administrative fines with a maximum amount of at least EUR 10,000,000 or 2 % of total worldwide annual turnover of the previous financial year, whichever is higher;
- Important entities (Art. 34(5)): administrative fines with a maximum amount of at least EUR 7,000,000 or 1.4 % of total worldwide annual turnover, whichever is higher.
Additional corrective measures may apply (injunctions, mandatory audits, temporary suspension of certifications, or even temporary bans on management functions). The supervisory regime differs by category: ex ante and ex post for essential entities (full supervision), ex post only for important entities (with the option for the ILR to request additional information after an incident).
5. Timeline and immediate actions: the compliance checklist
Recommended operational order:
- Qualification (weeks 1-2) – Map your activities against Annexes I/II and apply the consolidated size-cap test at group level;
- Self-registration (week 2) – Complete the ILR/NISS form via guichet.ilr.lu and designate a point of contact;
- Gap analysis (weeks 3-6) – Assess the delta between current controls and the ten Article 21 measures (ideally benchmarking against ISO/IEC 27001, NIST CSF, or the Belgian CyFun framework if you have BE subsidiaries);
- Governance (weeks 4-8) – Have the board approve the compliance roadmap; schedule mandatory cyber training for directors;
- Supply chain (weeks 6-12) – Audit IT vendor contracts (security clauses, audit rights, incident notification, GDPR Art. 28 alignment);
- Incident procedures (weeks 8-10) – Build the 24h/72h/1-month runbook, create the SERIMA account, test through tabletop exercises;
- Documentation (continuous) – Maintain a register of cyber decisions and actions taken (evidence of due diligence in case of ILR inspection).
6. FAQ – Questions our clients ask
Our Luxembourg subsidiary belongs to a foreign group: who must comply?
The law applies to the entity established in Luxembourg. However, the size-cap calculation aggregates group data (linked enterprises + pro rata partners). An isolated SME can therefore fall in scope if its group exceeds the thresholds.
How does NIS2 interact with the GDPR?
Notification obligations are cumulative: a single incident can trigger NIS2 notification to the ILR (24h/72h) and GDPR notification to the CNPD (72h, Art. 33 GDPR). Records of processing activities (GDPR Art. 30) and the cyber NIS2 register must be kept separately but consistently. However, Article 35(2) of the NIS2 Directive sets an anti-cumulation rule for administrative fines: if the CNPD imposes a GDPR fine (Art. 58(2)(i) GDPR) for the same conduct, the ILR cannot stack a NIS2 fine (but retains its other corrective measures).
What about DORA?
For financial entities subject to DORA (Regulation (EU) 2022/2554), DORA prevails as lex specialis on the cybersecurity aspects it covers. The Luxembourg NIS2 law remains relevant for areas not addressed by DORA.
How long do we have to comply?
The law has been in force since 10 May 2026 with no general transitional period. The ILR adopts a pragmatic stance during the early enforcement phase, but the obligations are legally enforceable today — particularly self-registration.
Do we need both a DPO and a CISO?
The law does not formally require a named CISO, but operational responsibility for cyber measures must be assigned. In practice, CISO and DPO operate as a pair. The DPO retains exclusive responsibility for personal data matters.
Conclusion: a paradigm shift in cybersecurity
The Law of 5 May 2026 is not a mere technical update: it elevates cybersecurity to the highest level of corporate governance, significantly expands the perimeter of regulated entities and introduces a deterrent sanctions regime. For Luxembourg organisations and groups with a Grand-Duchy presence, the time has come to convert this regulatory framework into a strategic resilience advantage.
This article was prepared by Lawgitech, the first Belgian law firm dedicated to artificial intelligence, digital and cybersecurity law (Brussels & Luxembourg). We advise SMEs, large enterprises and public institutions on their NIS2, DORA, GDPR and AI Act compliance. Contact us for a NIS2 exposure audit.
📚 Going further: our Lawgitech Academy platform offers a certified NIS2 training programme (continuing legal education credits).