NIS2 in Luxembourg: the law just passed. The clock now starts for everyone else.

Sixty votes in favour. Zero against. Zero abstentions.

On 28 April 2026, the Chamber of Deputies adopted Projet de loi 8364 at first constitutional reading, with a request for dispensation from the second vote. After more than two years of parliamentary work, three opinions from the Conseil d'État, two complementary opinions, an opinion from the Tribunal d'Arrondissement, and one round of parliamentary amendments, Luxembourg has finally transposed the NIS2 Directive (EU) 2022/2555 into national law.

The political phase is effectively over. The compliance phase is just beginning.

Why this took so long, and why it matters now

The original transposition deadline expired on 17 October 2024. Luxembourg missed it, alongside most of the EU. The European Commission opened infringement proceedings against 23 Member States in November 2024 and escalated to a reasoned opinion against 19 of them, including Luxembourg, on 7 May 2025.

The delay was not idle. Bill 8364 was deposited on 13 March 2024 and was substantially reshaped along the way. As deposited, it amended four national laws, including the 2019 law that transposed NIS1. After the governmental amendment of May 2025, the 2019 law is repealed outright and replaced by a single, self-contained cybersecurity statute. The Conseil d'État and the professional chambers pushed back on multiple points across two opinion cycles, and the final text reflects that scrutiny.

For entities in scope, none of that procedural history changes the operational reality: the obligations apply as soon as the law enters into force, with no transitional grace period built into the text for cybersecurity risk management measures or incident notification.

Who is in scope, and how the law decides

The law applies to public and private entities of a type listed in Annex I or Annex II that qualify as medium-sized enterprises under Commission Recommendation 2003/361/EC, or that exceed the medium-sized thresholds. Annex I covers highly critical sectors (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Annex II covers other critical sectors (postal services, waste management, manufacturing of chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, digital providers, research).

Size-cap exemptions disappear in several cases. Public electronic communications providers, trust service providers, top-level domain name registries, DNS service providers, and domain name registrars fall in scope regardless of size. So do entities deemed by the competent authority to be the sole national provider of a critical service, or where a service disruption would have significant cross-border or systemic impact. Public administration entities are caught explicitly.

This expansion is the operational headline. NIS1 covered roughly 1,000 entities in Luxembourg. NIS2 is expected to bring the number to several thousand, with mid-market manufacturers, MSPs, MSSPs, data centres, and B2B digital service providers facing first-time obligations.

The law splits scoped entities into two categories:

  • Essential entities: large enterprises in Annex I sectors, qualified trust service providers, TLD registries, DNS providers regardless of size, public administration entities, and entities recognised as critical under the CER Directive (EU) 2022/2557. These face proactive ex ante supervision.
  • Important entities: everything else in Annex I or II that does not qualify as essential. These face reactive ex post supervision, triggered by evidence of non-compliance.

The distinction matters because it drives the supervisory regime, the maximum fines, and the audit posture. Essential entities can be subjected to scheduled security audits, on-site inspections, and random checks at any time. Important entities only face inspections when something has gone wrong, or when credible evidence suggests it has.

The ten security measure categories

Article 12 is the operational core of the law. Every essential and important entity must implement appropriate and proportionate technical, operational, and organisational measures, based on an all-hazards approach, covering at minimum:

  1. Information system risk analysis and security policies
  2. Incident handling
  3. Business continuity, including backup management, disaster recovery, and crisis management
  4. Supply chain security, including security aspects of relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Cryptography and, where appropriate, encryption policies
  9. Human resources security, access control policies, and asset management
  10. Multi-factor authentication or continuous authentication, secured voice/video/text communications, and secure emergency communications systems where relevant

Two observations on the list. First, it tracks the NIS2 Directive verbatim. Second, it is broader and more prescriptive than what most Luxembourg SMEs currently document. Items 4 (supply chain) and 6 (effectiveness assessment) are where audits will find the most gaps, because both require evidence rather than policy statements.

Management bodies do not get to delegate this away. Article 13 makes governing bodies personally responsible for approving the cybersecurity risk management measures and supervising their implementation. They can be held liable for breaches. They must also follow regular cybersecurity training themselves, and ensure their staff receives equivalent training. Boards that have historically treated cybersecurity as an IT line item now have a personal exposure.

Incident notification: a 24-hour clock with teeth

Article 14 sets the notification cadence for any significant incident affecting service delivery. The schedule is fixed:

  • Within 24 hours of becoming aware: a preliminary notification to the competent authority, indicating whether the incident is suspected to result from unlawful or malicious acts and whether it could have cross-border impact.
  • Within 72 hours: an incident notification updating the preliminary information, with an initial assessment of severity, impact, and indicators of compromise where available.
  • One month after the incident notification: a final report covering detailed description, severity, root cause, mitigation measures, and any cross-border impact.

Trust service providers face a hard 24-hour deadline for the incident notification itself. For incidents still ongoing at the one-month mark, a progress report substitutes for the final report, with the final report due one month after incident handling ends.
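As an added example (not part of the original post, and not an ILR tool), the helper below turns the cadence above into concrete timestamps for one incident, including the trust service provider variant and the progress-report branch for incidents still open at the one-month mark. It assumes that "one month" means a calendar month (31 January plus one month is 28 or 29 February, not 2 or 3 March) and that every clock runs from the moment the entity became aware; both assumptions should be checked against ILR guidance once it is issued.

```python
"""Deadline calculator for the Article 14 notification cadence (added example).

Assumptions, not statements of the law: 'one month' is a calendar month with
day-of-month clamping, and all clocks run from the moment of awareness.
"""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_months(dt: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the last day of the target month.

    Assumption: the authority counts calendar months this way (e.g. 31 Jan + 1
    month = 28/29 Feb). Confirm against ILR guidance.
    """
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def notification_deadlines(
    aware_at: datetime,
    trust_service_provider: bool = False,
    handling_ended_at: Optional[datetime] = None,
) -> dict:
    """Return the Article 14 deadlines for one significant incident.

    aware_at: when the entity became aware; every clock runs from here.
    trust_service_provider: TSPs must file the incident notification within 24h.
    handling_ended_at: None while the incident is still being handled.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; deadlines are absolute")

    early_warning = aware_at + timedelta(hours=24)
    incident_notification = aware_at + timedelta(hours=24 if trust_service_provider else 72)
    # The one-month clock runs from the incident notification, not from awareness.
    one_month_mark = add_months(incident_notification, 1)

    deadlines = {
        "early_warning": early_warning,
        "incident_notification": incident_notification,
        "progress_report": None,
        "final_report": None,
    }
    if handling_ended_at is not None and handling_ended_at <= one_month_mark:
        # Incident closed before the one-month mark: the one-month report is final.
        deadlines["final_report"] = one_month_mark
    else:
        # Still ongoing at the one-month mark: a progress report is due then and
        # the final report slides to one month after handling ends (unknown
        # while handling_ended_at is None).
        deadlines["progress_report"] = one_month_mark
        if handling_ended_at is not None:
            deadlines["final_report"] = add_months(handling_ended_at, 1)
    return deadlines


def overdue(deadlines: dict, now: datetime) -> list:
    """Names of the deadlines already passed at `now`, for a runbook dashboard."""
    return [name for name, due in deadlines.items() if due is not None and due < now]


if __name__ == "__main__":
    # Constructed sample: awareness on 29 Jan 2026 at 10:00 UTC, incident closed 15 Mar.
    aware = datetime(2026, 1, 29, 10, tzinfo=timezone.utc)
    closed = datetime(2026, 3, 15, 9, tzinfo=timezone.utc)
    for name, due in notification_deadlines(aware, handling_ended_at=closed).items():
        print(f"{name:22s} {due.isoformat() if due else 'n/a'}")
```

The clamping in `add_months` is the part worth keeping: a naive `timedelta(days=30)` silently moves a February deadline earlier or later depending on the month, and a notification that lands a day late because of date arithmetic is still a late notification.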

A "significant incident" is one that has caused or is likely to cause severe operational disruption or financial losses, or has affected (or could affect) other natural or legal persons by causing considerable material, bodily, or moral damage. The threshold is deliberately broad. The competent authority can specify the parameters by regulation or circular, and almost certainly will.

Authorities, registration, and the one-stop shop

The Institut Luxembourgeois de Régulation (ILR) is the main competent authority for sectors in Annexes I and II, and for entities classified as critical under the CER Directive. The CSSF retains competence for the banking sector and financial market infrastructures, consistent with the DORA regulation regime.

The Haut-Commissariat à la Protection nationale (HCPN) acts as the strategic coordinator and the single point of contact with EU institutions. CIRCL (Computer Incident Response Center Luxembourg, operated by the Luxembourg House of Cybersecurity GIE) is designated as the CSIRT.

Entities must register themselves through a national mechanism the competent authorities will set up. The registration data includes name, contact details, IP ranges, telephone numbers, sector and sub-sector classification, list of Member States where services are provided, and entity size. Updates are due within two weeks of any change. The competent authority confirms each entity's classification as essential or important after registration.

Self-registration is the operational priority for the next several months. Entities that wait for ILR to find them are starting from a worse posture than entities that proactively engage.

What non-compliance costs

Article 26 sets the administrative fines that align with the NIS2 maxima:

  • Essential entities: up to €10,000,000 or 2% of total worldwide annual turnover of the prior financial year, whichever is higher.
  • Important entities: up to €7,000,000 or 1.4% of worldwide annual turnover, whichever is higher.

These apply specifically to violations of Article 12 (security measures) and Article 14 (incident notification). A separate, lower fine track under Article 25 (up to €250,000) applies to violations of registration, governance, certification, and information obligations.

The supervisory toolkit is significant beyond fines. ILR can issue binding instructions, order public disclosure of breaches, designate a monitoring officer to supervise compliance, and (for essential entities) request the temporary suspension of certifications or a temporary prohibition on senior managers exercising managerial duties in the entity. Those last two measures cannot be applied to public administration entities, but they do apply to private-sector essential entities.

A daily penalty payment of up to €1,250 per day, capped at €25,000 per breach, can be attached to binding decisions. The cap is relatively low compared to other EU jurisdictions, but for most SMEs the larger problem is the reputational cost of a public order to remediate.

What entities should do this quarter

The text has passed. Promulgation and publication in the Mémorial will follow shortly. Once published, the law enters into force per its own provisions, and the obligations under Articles 12, 13, and 14 attach to entities in scope.

Five concrete priorities for the next 90 days, in this order:

  1. Confirm scope status. Map your entity against Annex I and Annex II sub-sectors and the size thresholds. The "sole national provider" and "critical for the sector at national level" criteria catch entities that look out of scope on a quick read. If there is any plausible inclusion path, assume scope and prepare accordingly.
  2. Watch for the ILR self-registration portal opening. Have the registration data ready: legal name, RCS number, NACE code, contact details, IP ranges, sector classification, designated cybersecurity contact, list of EU Member States served, and entity size figures. ILR has signalled an online status checker will accompany the portal.
  3. Run a gap assessment against Article 12. The ten measure categories are the only structure that matters. Map existing controls (ISO/IEC 27001, NIST CSF, CIS Controls, ENISA baseline) onto the ten categories and identify the unfilled cells. Supply chain security and effectiveness assessment are where most Luxembourg SMEs will find their largest gaps. A fixed-price readiness review is the fastest way to get a documented baseline.
  4. Build the 24-72-30 incident notification process. Most organisations cannot meet the 24-hour preliminary notification deadline today, because nobody owns the decision to notify. Designate the role, document the decision criteria, draft the template, and rehearse it. The clock runs from the moment of awareness, so detection speed matters as much as the notification workflow: managed detection closes the awareness gap that otherwise makes the 24-hour deadline unachievable.
  5. Brief the management body. Article 13 personal liability is real. Boards need a written briefing covering scope, the ten measure categories, the notification timeline, the training obligation, and the supervisory regime. The training requirement applies to them too, on a recurring basis.

A note on what the law does not do

NIS2 does not prescribe specific technologies, vendors, or certifications. Article 15 allows ILR to require certified ICT products, services, or processes under European cybersecurity certification schemes, but no such scheme is mandated by the law itself today. Entities retain discretion in how they implement the ten measure categories, provided the choices are appropriate and proportionate to the risk, the size of the entity, and the probability and severity of incidents.

That discretion is also the trap. "Appropriate and proportionate" is decided in retrospect, by the supervisor, after an incident or during an audit. Documented risk-based decisions hold up. Undocumented assumptions do not.


The Chamber of Deputies sources for this article are the deposit document of 13 March 2024 and the parliamentary dossier 8364 (chd.lu/fr/dossier/8364), updated through the first constitutional vote of 28 April 2026.

Where does your organisation sit on the essential / important / out-of-scope spectrum, and which of the ten Article 12 measure categories will your next audit cycle struggle to evidence?
