Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, and developments in the AI Act, NIS 2 and DORA, going beyond the press release.
Automated patching: the answer to NIS 2, Article 21
Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.
CNPD — Workplace video surveillance: proportionality, DPIA and employee rights
Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.
Cloud CSPM: the answer to CSSF Circular 22/806 on outsourcing
To remain compliant with CSSF in 2026, moving to the cloud is not enough. A CSPM continuously proves correct configuration, monitoring, and auditability as required.
GDPR – Article 28: the watertight processor contract
In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.
TLPT (threat‑led red team): meeting DORA Articles 26‑27
DORA requires selected financial entities to run threat‑led penetration tests on production systems. This is how a structured TLPT implementation fulfils Articles 26‑27, step by step.
NIS 2 in Luxembourg: executives, mandatory training and personal risk
Under NIS 2, management bodies must approve and supervise cybersecurity measures (Art. 20), undergo regular training, and may be held personally liable for failures. The ILR has issued concrete guidance.
Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32
GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.
NIS 2 and ICT supply chain: concrete obligations and certification
Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).
Immutable, isolated backups: meeting DORA on ransomware resilience
DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.
AI Act – Annex III: move to high-risk without getting it wrong
High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.
NIS 2 – Article 21 in Luxembourg: what does the ILR actually check?
Article 21 of NIS 2 sets 10 families of minimum measures. The ILR announces ex ante/ex post supervision focused on these measures and management accountability. Here is how to comply efficiently.
NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May
Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.