Regulatory Updates

On 6 May 2026, the Luxembourg government published the law that transposes the EU's NIS2 Directive into national law. The law enters into force on 10 May 2026. It sets out the cybersecurity obligations that apply to essential and important entities operating in the Grand Duchy.

For organizations working on their compliance, the main message is positive: the new law provides clear rules without adding unexpected local barriers.

Here is how Luxembourg has transposed the Directive and who the local regulators are.

Rapporteur M. Laurent Zeimet during Plenary Session No. 136 of 28 April 2026 (© Chambre des Députés)

A Practical Approach: No “Gold-Plating”

When EU directives become national law, countries sometimes add stricter rules, wider scopes, or higher fines. This is called “gold-plating.” Luxembourg chose not to do this. The national law closely follows the European text.

  • Same Scope: The Luxembourg law uses the same "essential" and "important" entity categories as the Directive and the same sector lists from its Annexes I and II. It does not add extra local sectors.

  • Same Fines: The maximum administrative fines match the EU ceilings: up to €10M or 2% of total worldwide annual turnover for essential entities, and up to €7M or 1.4% for important entities, whichever amount is higher in each case.

  • Same Rules: The core duties for managing risks and reporting incidents are exactly what the EU requires. This ensures that international companies do not have to learn a completely different set of rules just for Luxembourg.

The Local Regulators: Who Supervises You?

Luxembourg relies on its existing authorities to supervise the new rules. Your sector determines which of them is your supervisor:

  • ILR (Institut Luxembourgeois de Régulation): The ILR is the competent authority for most sectors covered by the law. It supervises and enforces the rules for most essential and important entities.

  • CSSF (Commission de Surveillance du Secteur Financier): The financial sector keeps its dedicated regulator. The CSSF is the competent authority for banks, financial market infrastructures, and the IT service providers that support them. These IT providers correspond to the "Support PFS" (Professionals of the Financial Sector): the service providers working for the banking, payment, investment, and insurance sectors that the CSSF already supervises.

  • HCPN (Haut-Commissariat à la Protection nationale): The HCPN has several roles. It is the national single point of contact for cooperation with the other EU Member States, and it is the authority responsible for managing large-scale cyber crises at national level. In addition, acting as GOVCERT.LU, the HCPN is the computer security incident response team (CSIRT) for the government, public bodies, and specific critical entities.

  • CIRCL (Computer Incident Response Center Luxembourg): For the rest of the private sector, CIRCL is the designated CSIRT. It helps companies handle incidents and monitors the threat landscape. CIRCL is also the national coordinator for coordinated vulnerability disclosure: the intermediary between the researchers who find software vulnerabilities and the vendors who need to fix them.

Next Steps and the Self-Registration Rule

With the law entering into force on 10 May 2026, companies should focus on the following practical steps:

  • Mandatory Self-Registration: In-scope entities must register themselves with the ILR (see its "NIS2 Entity self-registration" form). You must submit your company's information within two months of the law entering into force, i.e. by 10 July 2026.
  • Upgrading Cyber Resilience: Your focus should then shift to implementing the core requirements of the Directive: board-level governance (management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and receive cybersecurity training), comprehensive risk management (including supply chain security), and the incident reporting process for significant incidents. Because the Luxembourg law keeps the EU rules unchanged, the Directive's reporting timeline applies: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.

For a deep dive into implementing these three pillars, understanding management liabilities, and seeing how the upcoming Digital Omnibus package might impact your classification, explore our NIS2 Directive page here.