Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, and developments in the AI Act, NIS 2 and DORA, going beyond the press release.
EDR/XDR: Continuous detection aligned with NIS 2 (Art. 21) and DORA (Art. 10)
Executives must demonstrate continuous and effective incident detection. A well‑deployed EDR/XDR stack meets NIS 2 Art. 21 and DORA Art. 10 requirements with auditable technical evidence.
DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed
When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.
Automated patching: the answer to NIS 2, Article 21
Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.
CNPD — Workplace video surveillance: proportionality, DPIA and employee rights
Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.
Cloud CSPM: the answer to CSSF Circular 22/806 on outsourcing
To remain compliant with the CSSF in 2026, moving to the cloud is not enough. A CSPM continuously proves correct configuration, monitoring, and auditability, as the circular requires.
GDPR – Article 28: the watertight processor contract
In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.
TLPT (threat‑led red team): meeting DORA Articles 26‑27
DORA requires selected financial entities to run threat‑led penetration tests on production systems. This is how a structured TLPT implementation fulfils Articles 26‑27, step by step.
NIS 2 in Luxembourg: executives, mandatory training and personal risk
Under NIS 2, management bodies must approve and supervise cybersecurity measures (Art. 20), undergo regular training, and may be held personally liable for failures. The ILR has issued concrete guidance.
Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32
GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.
NIS 2 and ICT supply chain: concrete obligations and certification
Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).
Immutable, isolated backups: meeting DORA on ransomware resilience
DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.
AI Act – Annex III: move to high-risk without getting it wrong
High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.