Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
80 articles found · #luxembourg
CNIL vs Free: €42M — why a 24/7 SOC is vital to meet NIS 2 Art. 23
After the €42M fine against Free/Free Mobile, slow detection proves costly. Under NIS 2 Art. 23, detecting and notifying within 24 hours is now an operational obligation in Luxembourg.
DORA — TLPT framed by Delegated Regulation (EU) 2025/1190
The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.
NIS 2 audit: method, pitfalls and quality criteria for measures
7-phase NIS 2 audit method, the 5 most common pitfalls, and the 6-criteria grid to distinguish a real SOC from a marketing product. For the 1,200+ Luxembourg entities concerned.
Google Groups abused: Lumma Stealer/Ninja Browser campaign
CTM360 warns of a campaign abusing Google Groups to deliver Lumma (Windows) and “Ninja Browser” (Linux). NIS 2-aligned controls, DMARC/SPF/DKIM, and an email security gateway are advised.
NIS 2 Luxembourg: 5 May 2026 law published, ILR self-registration window until 10 July 2026
Luxembourg's 5 May 2026 law transposing the NIS 2 directive entered into force on 10 May. Essential and Important Entities must self-register with the ILR by 10 July 2026.
DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed
When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.
Automated patching: the answer to NIS 2, Article 21
Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.
CNPD — Workplace video surveillance: proportionality, DPIA and employee rights
Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.
NIS 2 in Luxembourg: executives, mandatory training and personal risk
Under NIS 2, management bodies must approve and supervise cybersecurity measures (Art. 20), undergo regular training, and may be held personally liable for failures. The ILR has issued concrete guidance.
NIS 2 and ICT supply chain: concrete obligations and certification
Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).
Immutable, isolated backups: meeting DORA on ransomware resilience
DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.
AI Act – Annex III: move to high-risk without getting it wrong
High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.