NIS2 has been law in Luxembourg since early 2024. Enforcement is active. And yet most of the firms we speak to — fiduciaries, law practices, managed service providers — are still not sure whether it applies to them, let alone what to do about it.
This post is a plain-language summary. Not legal advice. Not a full compliance guide. Just the facts you need to know to have an honest conversation with your management team this week.
Who NIS2 actually applies to in Luxembourg
NIS2 divides organisations into two tiers: essential entities and important entities. The short version of the scope test is this: if your organisation has 50 or more employees, or €10 million or more in annual turnover, and you operate in one of the directive's listed sectors, you are probably in scope.
The listed sectors include digital infrastructure and services, financial services, legal services provided to businesses, postal and courier services, and managed service providers (MSPs). For Luxembourg specifically, the ILR (Institut Luxembourgeois de Régulation) is the competent authority for most of these sectors.
One thing that catches firms by surprise: you may be in scope even if you do not think of yourself as being in a technology business at all. A 60-person fiduciary firm with €12M turnover that handles client funds and tax structures? Very likely in scope as a provider of important services to the financial sector.
What NIS2 actually requires
NIS2's core requirements come from Article 21. There are 10 of them. At a practical level, they require you to:
- Conduct a formal information security risk assessment and document it
- Have written incident response procedures
- Apply basic access controls, patch management, and encryption
- Review your key suppliers for security risks
- Have the capability to detect and respond to incidents
- Be able to notify the competent authority within 24 hours of a significant incident
None of these requires you to hire a full security team or deploy enterprise tools. What they do require is a documented, systematic approach to managing security risk. The emphasis is on evidence: that you identified the risks, put measures in place, and can show what those measures are.
The director liability piece
This is the part that tends to focus minds quickly. NIS2 Article 20 is explicit: management bodies must approve the organisation's security measures and are personally liable if the organisation fails to comply. This is not the IT manager's problem. It is the board's problem.
Fines for essential entities reach €10 million or 2% of global annual turnover. For important entities the ceiling is €7 million or 1.4%. These are maximums, not averages — but regulators have made clear they intend to use them.
What you should do now
The right first step is to know where you stand. Before you invest in controls, technology, or consultants, you need a clear picture of whether you're in scope, what your actual gaps are, and what the remediation looks like in terms of time and cost.
That's exactly what a NIS2 readiness review is for — a fixed-price assessment that gives you a plain-language report on your current position and a prioritised list of what to do next.
If you already know you're in scope and want to move directly to a compliance programme, our NIS2 compliance service takes you through the full process at a fixed price, from scope confirmation to board-ready documentation.