NIS2 in Luxembourg

1. Quick SME Applicability Snapshot in Luxembourg

Does NIS2 apply to SMEs in Luxembourg?

Yes — depending on sector and size.

• Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
• Small or micro entities are included only if formally designated or operating in high-criticality sectors.
• Applies to entities established in Luxembourg and, in certain cases, foreign digital providers serving the Luxembourg market.

SMEs should assess qualification under Luxembourg's national cybersecurity framework based on sector classification and statutory thresholds.

2. Overview of NIS2 Implementation in Luxembourg

Luxembourg is transposing NIS2 through Bill 8364 (Projet de loi n° 8364 concernant des mesures destinées à assurer un niveau élevé de cybersécurité), introduced in the Chamber of Deputies on 13 March 2024. As of April 2026, the Bill has not yet been enacted — Luxembourg missed the EU transposition deadline of 17 October 2024 and received an EC reasoned opinion in May 2025 for failure to notify full transposition.

The Council of State issued a complementary opinion in December 2025 partially validating government amendments; the Bill is awaiting final adoption. The existing NIS1 framework continues to apply in the interim.

When enacted, the Bill will replace the NIS1 law and introduce a significantly expanded scope — from approximately 1,000 entities under NIS1 to an estimated 6,000–8,000 under NIS2, including mid-sized manufacturers and municipalities with more than 50,000 residents. The proposed supervisory model is a split authority structure: the Institut Luxembourgeois de Régulation (ILR) will be the competent authority for the vast majority of sectors, while the Commission de Surveillance du Secteur Financier (CSSF) will supervise banking, financial market infrastructure, digital infrastructure, and ICT service management as they relate to financial entities. The HCPN retains strategic coordination responsibility. ILR has launched the SERIMA platform as a centralised incident notification and, eventually, registration portal.

3. Scope of Application in Luxembourg

Luxembourg's scope reflects Directive minimum sector categories without confirmed structural expansion.

4. Size Thresholds and SME Applicability in Luxembourg

The baseline thresholds apply:

• ≥50 employees, and
• ≥€10 million annual turnover or balance sheet total.

Entities meeting both criteria within covered sectors are automatically within scope.

Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

Luxembourg authorities retain formal designation powers where systemic risk justifies inclusion.

5. Entity Classification Framework in Luxembourg

Entities are categorized as:

• Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
• Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

Luxembourg follows the Directive's two-tier supervisory structure.

6. Cybersecurity Risk Management Requirements in Luxembourg

Luxembourg's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

• Risk analysis and system protection
• Incident detection and response
• Business continuity and crisis management
• NIS2 supply chain Luxembourg risk controls
• Secure acquisition and development of ICT systems
• Access control and identity management
• Encryption and cryptographic safeguards
• Vulnerability management procedures
• Staff cybersecurity training

Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Luxembourg cybersecurity guidance is encouraged.

7. Management Liability and Governance in Luxembourg

Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

Under Luxembourg's framework:

• Boards are accountable for compliance oversight.
• Senior management must ensure sufficient cybersecurity competence.
• Administrative sanctions may address governance failures.
• Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

NIS2 management liability Luxembourg expectations elevate cybersecurity governance to executive level responsibility.

8. Incident Reporting Obligations in Luxembourg

9. Supervisory Authorities and Enforcement Model in Luxembourg

Primary competent authority (proposed under Bill 8364, not yet enacted): Institut Luxembourgeois de Régulation (ILR) for the vast majority of sectors; Commission de Surveillance du Secteur Financier (CSSF) for banking, financial market infrastructure, and related digital infrastructure and ICT service management. The HCPN (Haut-Commissariat à la Protection nationale) retains strategic coordination responsibility for national cybersecurity policy but is not the primary enforcement authority.

Luxembourg's proposed model under Bill 8364 is a split supervisory structure: ILR leads for most sectors and CSSF for financial entities, with HCPN providing strategic national coordination. This structure is not yet legally operative — the NIS1 framework and its current supervisory arrangements continue to apply pending enactment.

Supervisory powers include:

• Requests for documentation and information
• Security audits
• On-site inspections
• Binding compliance instructions
• Participation in EU cybersecurity coordination mechanisms

The proposed enforcement structure aligns with Directive-level cooperation requirements. These supervisory and enforcement powers are not yet legally operative pending enactment of Bill 8364.

10. NIS2 Fines and Sanctions in Luxembourg

Luxembourg applies Directive-aligned administrative penalties.

NIS2 fines Luxembourg enforcement may also include:

• Binding remediation orders
• Public identification of non-compliant entities
• Suspension of authorizations or certifications
• Managerial suspension powers

Important Entities: up to €7 million or 1.4% of total global annual turnover (whichever is higher).

11. NIS2 Supply Chain and Vendor Security in Luxembourg

Entities must manage third-party cybersecurity exposure through:

• Vendor risk assessments
• Contractual security flow-down provisions
• Continuous ICT supplier monitoring
• Concentration risk analysis
• Incident propagation mitigation

Luxembourg's approach aligns with Directive baseline expectations regarding supplier risk management.

12. Registration and Self-Identification Duties in Luxembourg

Entities within scope must:

• Under Bill 8364 (not yet enacted), entities will self-register via the ILR's SERIMA platform. Entities already covered under NIS1 will be automatically classified as essential entities, though self-registration is still recommended. There is currently no NIS2 registration obligation in Luxembourg — the NIS1 framework applies pending enactment.
• Provide corporate identification details
• Disclose sector classification
• Maintain updated reporting contacts

Registration deadlines and compliance timelines will be set following enactment of Bill 8364. Based on available guidance, registration via the ILR portal is expected within months of enactment, with governance controls and full technical compliance phased over subsequent periods.

Self-identification will be mandatory under the enacted law. Entities should conduct scope assessments now using the ILR's published guidance and FAQ to determine likely classification as essential or important, in preparation for when the Bill is enacted.

13. Interaction With GDPR and Other Laws in Luxembourg

The General Data Protection Regulation continues to apply concurrently.

Overlap considerations include:

• 72-hour personal data breach notification
• Supervisory authority coordination
• Parallel cybersecurity and data protection investigations
• Sector-specific Luxembourg cybersecurity legislation

A cyber incident may trigger reporting obligations under both regimes.

14. Cross-Border Applicability

Entities with their main establishment in Luxembourg are supervised by Luxembourg authorities for cross-border services.

Foreign digital providers offering services in Luxembourg may be subject to national obligations depending on establishment structure.

Representation requirements follow Directive standards for non-EU providers serving the Luxembourg market.

15. Implementation Timeline in Luxembourg

• Directive adoption: 2022
• National legislative amendments: Bill 8364 (Projet de loi n° 8364) introduced in Chamber of Deputies 13 March 2024; government amendment published 13 March 2025; Council of State complementary opinion issued December 2025 — partially validating amendments while requesting further adjustments; Bill awaiting final adoption.
• Entry into force: Not yet enacted as of April 2026; enactment expected during 2026; NIS1 law remains in force in the interim.
• Commission notification: EC reasoned opinion issued 7 May 2025 for failure to notify full transposition; referral to the Court of Justice of the EU remains possible if enactment is further delayed.
• Compliance milestone: No NIS2 compliance deadlines currently active; registration, organisational, and technical compliance milestones will be set following enactment and are expected to be phased over 2026–2028.

Luxembourg missed the EU NIS2 transposition deadline of 17 October 2024 and remains under EC infringement proceedings. Bill 8364 is awaiting final adoption by the Chamber of Deputies. NIS1 continues to apply to existing regulated entities. Enactment and the launch of the ILR registration portal are expected during 2026; entities should complete scope assessments now in preparation.

16. Key Takeaways for SMEs in Luxembourg

• Medium-sized entities in covered sectors will automatically be within scope once Bill 8364 is enacted. Luxembourg's proposed scope is significantly broader than NIS1 — expanding from approximately 1,000 to an estimated 6,000–8,000 entities, including mid-sized manufacturers and municipalities with more than 50,000 residents.
• Small entities may be designated if critical to national or economic stability.
• Board-level governance oversight is mandatory.
• Incident reporting will follow 24h / 72h / 1 month deadlines once Bill 8364 is enacted. Reports will be submitted via the ILR's SERIMA platform — to ILR for most sectors and to CSSF for financial sector entities.
• Financial penalties can reach €10 million or 2% of global turnover.
• Vendor risk management is required.
• Bill 8364 has not yet been enacted, but enactment is expected during 2026. Entities should conduct scope assessments now using ILR's published guidance and FAQ, determine whether they fall under ILR or CSSF supervision, and prepare registration information for the SERIMA portal.

FAQ: NIS2 Luxembourg SME Guide