NIS2 Directive
Practical Security for Societal Resilience
In the context of the TMT industry, the NIS2 Directive (EU) 2022/2555 serves as the cornerstone of European cybersecurity legislation. While DORA is a lex specialis (specific law) tailored for the financial sector, NIS2 is the lex generalis (general law) that captures a much broader range of "Essential" and "Important" entities - including telecommunications providers, cloud computing services, data centers, and managed service providers (MSPs).
The Digital Omnibus: Strategic Scope Re-calibration
As part of the Digital Omnibus Package (tabled in late 2025 and currently under negotiation), the European Commission has initiated targeted amendments to streamline the EU’s digital rulebook and alleviate administrative burdens for mid-sized organizations. A central element of these discussions is the introduction of a "small mid-cap" (SMC) category - aimed at entities with fewer than 750 employees and an annual turnover under €150 million.
Potential Impact on Classification in Luxembourg
Under these "Omnibus" proposals, organizations meeting this new size cap that would otherwise be classified as "Essential" under NIS2 would instead be reclassified as "Important" entities.
This shift would be decisive for the Luxembourgish TMT landscape, where the majority of key players fall within this proposed SMC bracket. If adopted, it would move these companies from a regime of proactive, "ex-ante" supervision to a reactive, "ex-post" model. This is intended to significantly reduce the immediate regulatory pressure and the heavy costs associated with constant, discretionary audits.
N.B.: As these amendments are not yet finalized, please refer to the current list of sectors and scope criteria on the NIS2 webpage of the FEDIL.
The Three Pillars of NIS2 Requirements
1. Governance (Art. 20)
- Management Liability: The management bodies of both essential and important entities must formally approve and oversee the implementation of cybersecurity measures. They can be held personally liable for infringements.
- Mandatory Training: Members of management must undergo specialized training to identify risks and assess cybersecurity practices. Organizations are encouraged to extend this training to all employees.
2. Cybersecurity Risk Management (Art. 21)
Entities must adopt an "All-Hazards Approach" to protect their network and physical environment. This involves technical and organizational measures including:
- Core Policies: Risk analysis, incident handling, business continuity, and basic cyber hygiene.
- Supply Chain Security: Entities must assess the cybersecurity practices and quality of their direct suppliers and service providers.
- Technical Controls: Use of cryptography/encryption, multi-factor authentication (MFA), and secure communication systems.
3. Reporting Obligations (Art. 23)
Organizations must notify the competent authority (or CSIRT) of significant incidents - those causing severe operational disruption or material/non-material damage - following a strict timeline:
- 24 Hours: Initial "Early Warning."
- 72 Hours: Formal Incident Notification (severity and impact assessment).
- 1 Month: Final Report (root cause and mitigation measures).
Supervision and Enforcement
Authorities have broad powers to ensure compliance, including on-site inspections, security scans, and ad-hoc audits. Failure to comply can result in substantial administrative fines:
| Entity Type | Maximum Administrative Fine |
|---|---|
| Essential Entities | Up to €10M or 2% of total worldwide annual turnover |
| Important Entities | Up to €7M or 1.4% of total worldwide annual turnover |
Legislative Framework Reference
The following table provides direct links to the primary texts and local transposition.
| Level | Legislation (or equivalent) | Comments |
|---|---|---|
| 1 | NIS2 Directive (EU) 2022/2555 | European Law |
| 1 | Digital Omnibus Proposal (COM/2025/837) | Proposed scope simplification |
| 2 | CIR (EU) 2024/2690 for IT Service Providers | Linked to Art. 21(5) |
| 3 | ENISA Guidance on Implementing the NIS2 CIR | Guidance |
| N/A | Luxembourg Bill of Law 8364 (Transposition) | National Law |