Luxembourg
(a) What is the NIS2 implementation status?
The NIS2 Directive has been implemented in Luxembourg by the law of 5 May 2026 on measures to ensure a high level of cybersecurity (the “NIS2 Law”). The NIS2 Law entered into force on 10 May 2026.
(b) What is the envisaged NIS2 implementation timeline?
Companies falling within the scope of NIS2 are required to register with the Luxembourg Institute of Regulation (“l'Institut luxembourgeois de Régulation” – the “ILR”) via the ILR online portal by 10 July 2026 (two months after entry into force).
Outside the initial registration phase, other obligations under the NIS2 Law apply as from 10 May 2026.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The NIS2 Law repeals the NIS1 Law. It also repeals Articles 42 and 43 of the Law of 17 December 2021 on electronic communications networks and services, which previously contained the security and incident notification obligations for providers of electronic communication services and/or networks.
(d) Who will be the supervisory authority and how are they preparing the market?
The main supervisory authority for Luxembourg is the Luxembourg Institute of Regulation (the ILR). The ILR is responsible for cybersecurity supervision and enforcement under the NIS2 Law for most sectors covered by Annexes I and II. By derogation, the Financial Supervisory Authority (“Commission de surveillance du secteur financier” – the “CSSF”) is the competent authority for the banking sector, financial market infrastructure entities, and digital infrastructure/ICT service management entities falling under its supervision.
The ILR has launched a self-registration online portal for in-scope entities and has published guidance on its website (ilr.lu). The SERIMA platform (serima.lu) is available for risk assessment and incident notification.
(e) What should you be doing/on the lookout for?
The first step is to verify whether your organisation falls within the scope of the NIS2 Law, and whether it qualifies as an essential or important entity based on its sector and size (assessed at group level).
In-scope entities must self-register with the ILR by 10 July 2026 via the ILR online portal. Failure to register is a standalone sanctionable breach.
A gap analysis can help identify where and how the level of cybersecurity needs to be raised, having regard to the ten security measure families required under Article 12 of the NIS2 Law (including risk analysis, incident handling, business continuity, supply chain security and cybersecurity training).
Monitor the ILR website regularly for implementing regulations and further guidance on compliance requirements.
Contact
Hervé Wolff E: hw@lgavocats.lu
© Eversheds Sutherland. All rights reserved.