Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

81 articles found · #luxembourg

AI Act – Annex III: move to high-risk without getting it wrong

High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.

NIS 2 – Article 21 in Luxembourg: what does the ILR actually check?

Article 21 of NIS 2 sets 10 families of minimum measures. The ILR announces ex ante/ex post supervision focused on these measures and management accountability. Here is how to comply efficiently.

NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May

Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.

NIS 2 in Luxembourg: how to notify ILR within 24h/72h/1 month

NIS 2 requires an early warning within 24h, a formal notification at 72h, and a final report within 1 month. In Luxembourg, ILR and the national CSIRT (CIRCL) are your key contacts.

CNIL approves a GDPR code of conduct for retail

On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.

Qilin claims cyberattack on Exclusive Networks

The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.

Ransomware at ChipSoft: alert for cross‑border care

Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.

Luxembourg referred to the CJEU for delay in transposing CER

The European Commission is referring Luxembourg to the Court of Justice for failing to transpose the Critical Entities Resilience (CER) Directive. Immediate implications for essential operators, linked to NIS2.

NIS2 Directive in Luxembourg: a new era of cyber accountability

Luxembourg has transposed the NIS2 Directive, fundamentally reshaping corporate cybersecurity obligations. Broader scope, strengthened governance, tougher sanctions: an overview of the key challenges and the first steps to take.

← Newer Page 7 / 7