NIS 2 status in Luxembourg

What the directive requires, how Luxembourg transposes it, and which authority sits where.

Simon Orzel

Overview

The NIS 2 Directive is the EU layer. It binds every Member State, including Luxembourg, to a common minimum level of cybersecurity for essential and important entities. Luxembourg has to bring that level into national law and run supervision underneath it.

Luxembourg missed the 17 October 2024 transposition deadline. The European Commission sent a reasoned opinion on 7 May 2025 for failure to notify full transposition. The national law followed later: the Law of 5 May 2026 on measures to ensure a high common level of cybersecurity, which entered into force on 15 May 2026.

The Institut Luxembourgeois de Régulation (ILR) is the lead competent authority and single point of contact under NIS 2. The CSSF retains supervision in finance under DORA as lex specialis. GOVCERT.LU is the CSIRT for the public sector. CIRCL (Computer Incident Response Center Luxembourg) is the CSIRT for the private sector, municipalities and non-governmental entities.

Where the rules sit
Three layers anyone reading the Luxembourg NIS 2 situation needs to keep apart.

EU Directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It sets the obligations every Member State has to transpose, including the size and sector test for essential and important entities.

EU Implementing Regulation

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Luxembourg without national transposition.

Luxembourg transposition

Law of 5 May 2026 on measures to ensure a high common level of cybersecurity

Luxembourg's NIS 2 transposition. Entered into force on 15 May 2026. The text designates the competent authority and CSIRTs, sets reporting channels, sanctions and registration duties. Implementing texts from ILR fill the operational detail.

Three points to know
What changes for entities with activity in Luxembourg.
Transposition

Law of 5 May 2026

Brings the NIS 2 obligations into Luxembourg law. Defines essential and important entities, the supervisory powers of ILR, reporting duties and sanctions. Operational detail follows through ILR rules and sector-specific texts.

Supervision

ILR as lead competent authority

The Institut Luxembourgeois de Régulation supervises NIS 2 across most sectors and serves as the single point of contact toward the EU cooperation group. The CSSF keeps supervision over the financial sector under DORA. Incident response is split between GOVCERT.LU for the public sector and CIRCL for everyone else.

Deadlines

Late transposition, but obligations apply

Luxembourg did not meet the 17 October 2024 EU deadline. The Commission opened infringement proceedings and issued a reasoned opinion on 7 May 2025. The Law of 5 May 2026 closed the formal gap. Significant incident reporting follows the directive: early warning within 24 hours, incident notification within 72 hours, final report within one month.

Two principles that settle every edge case
Read these before any Luxembourg commentary on NIS 2.

On Luxembourg soil, Luxembourg law applies

Activities on Luxembourg territory follow the Luxembourg transposition. A German group with a Luxembourg subsidiary reads the Law of 5 May 2026 for that subsidiary, not the BSIG. The directive obligations are identical. Procedure, portal and sanctions sit in Luxembourg law.

Luxembourg may not fall below the EU floor

The directive is a minimum harmonisation instrument. Luxembourg may go stricter. It may not fall below the directive on the obligations for essential and important entities, on reporting deadlines, or on management body accountability.

Who does what in Luxembourg
Three institutions that surface in almost every NIS 2 question.
ILR (LU)

Institut Luxembourgeois de Régulation. Lead competent authority for NIS 2, single point of contact, and operator of the myilr.lu portal used for regulated-entity interactions. Sector regulators such as the CSSF remain in charge where lex specialis applies.

GOVCERT.LU and CIRCL (LU)

Luxembourg runs two CSIRTs. GOVCERT.LU, attached to the Haut-Commissariat à la Protection nationale, handles the public sector. CIRCL, hosted at the Luxembourg House of Cybersecurity, handles the private sector, municipalities and non-governmental entities. Which one you talk to depends on who you are.

ENISA (EU)

The EU cybersecurity agency. Publishes guidelines, runs the European vulnerability database and coordinates across borders. No direct supervision over Luxembourg entities. That sits with ILR.

Pitfalls
Mistakes we see when Luxembourg entities read NIS 2 for the first time.
  • We follow our German parent, so the BSIG covers us.

    The Luxembourg subsidiary is supervised under the Law of 5 May 2026 by ILR, not by the BSI under the BSIG. Internal group policies can be shared, but registration, incident reporting and the management body sign-off happen against the Luxembourg authority on Luxembourg territory.

  • There is no Luxembourg registration, so the rules do not bite yet.

    The Law of 5 May 2026 is in force since 15 May 2026. ILR runs the regulated-entity interactions through myilr.lu. Even where implementing texts are still rolling out, the directive obligations on risk management, incident reporting and management body accountability apply now.

  • ILR only regulates electronic communications, so NIS 2 must sit elsewhere.

    ILR's remit covers electronic communications, electricity, gas, postal services, transport, radio spectrum and now NIS 2 across most sectors. Finance is the main carve-out, where the CSSF supervises under DORA. For everyone else in scope, the NIS 2 channel goes through ILR.

From practice

Most Luxembourg mid-market operators we meet still treat NIS 2 as a future obligation. The deadline slipped twice, first at EU level on 17 October 2024, then in the national law that only entered into force on 15 May 2026. That created the impression that nothing is binding yet. It is. The directive obligations on risk management and incident reporting bite from the date the national law took effect, and ILR is supervising under it.

The practical step is the same as everywhere in the EU: check applicability against the directive, register with the competent authority (here ILR via myilr.lu), set up the four continuous duties (keep registration data current, report incidents, manage supply chain risk, ensure management body oversight) and document the minimum. The financial sector reads DORA in parallel under CSSF supervision.

What the platform delivers

We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Luxembourg subsidiary under the Law of 5 May 2026, a German parent under the BSIG and a Dutch sister under the Cyberbeveiligingswet. The article references change per country, the substance of the obligations does not.

For the Luxembourg scope, you start with the applicability check, then incident cadence, supply chain clauses and management body sign-off. Where ILR publishes sector guidance, we link to it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2), EUR-Lex
  • Implementing Regulation (EU) 2024/2690
  • Law of 5 May 2026 on measures to ensure a high common level of cybersecurity, Legilux
  • European Commission, reasoned opinion to Luxembourg on NIS 2 transposition, 7 May 2025
  • ILR, Institut Luxembourgeois de Régulation, official site and myilr.lu portal
  • GOVCERT.LU, governmental CSIRT operated by the Haut-Commissariat à la Protection nationale
  • CIRCL, Computer Incident Response Center Luxembourg, Luxembourg House of Cybersecurity
  • CSSF, Commission de Surveillance du Secteur Financier, DORA supervision in finance