DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?

On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.

Verified fact — On 18 September 2023, the European Commission clarified that where EU sectoral acts impose requirements at least equivalent to NIS 2, those acts prevail (the “lex specialis” rule), and DORA is one of them. In Luxembourg, this means financial entities follow CSSF/DORA for incident alerts/notifications, while the ILR applies NIS 2 to other sectors. See OJ C 328 of 18/09/2023 (guidelines on NIS 2 Article 4): eur-lex.europa.eu.

The case

On 18 September 2023, the Commission published guidelines on the application of Article 4 of Directive (EU) 2022/2555 (NIS 2), detailing the lex specialis mechanism between NIS 2 and sectoral acts. The annex lists Regulation (EU) 2022/2554 (DORA) as a sectoral act. Where a sectoral act’s requirements are “at least equivalent in their effects” to NIS 2 (risk management, notification of significant incidents), the relevant provisions of NIS 2 — including supervision and penalties (Chapter VII) — “do not apply” to the entities concerned. Refs: OJ C 328 of 18/09/2023; NIS 2 text (Art. 4): eur-lex.europa.eu.

Under DORA, Recital 16 states that the regulation “constitutes lex specialis in relation to Directive (EU) 2022/2555,” specifically for ICT risk management and ICT-related incident reporting. Ref: eur-lex.europa.eu.

In Luxembourg, the Law of 5 May 2026 (in force 10 May 2026) transposes NIS 2 and designates the ILR as competent authority for many sectors (energy, health, digital infrastructure, public administrations), with a duty to notify significant incidents. Official ILR pages: NIS 2 entry into force and Incident notification.

Legal reasoning

  • NIS 2, Article 4: if a sectoral act imposes at least equivalent requirements on cybersecurity measures and incident notifications, the relevant NIS 2 provisions (including supervision and enforcement) “do not apply.” Ref: eur-lex.europa.eu.
  • Commission Guidelines (18/09/2023): they explain how to assess “equivalence of effect” and require immediate access for CSIRTs/NIS authorities to notifications when a sectoral act prevails, to maintain national threat awareness. Ref: OJ C 328.
  • DORA (Regulation 2022/2554): Recital 16 sets primacy; Articles 5–15 cover ICT risk management; Article 19 and Level 2 acts set the notification of “major ICT-related incidents.” Timelines are set by Delegated Regulation (EU) 2025/301 (initial “as soon as possible and in any case within four hours from classification as major and no later than 24 hours after awareness”; intermediate ≤ 72 h; final per RTS) and templates by Implementing Regulation (EU) 2025/302. Refs: 2025/301 and 2025/302.
  • Luxembourg: the Law of 5 May 2026 and ILR pages confirm NIS 2 competence (duty to notify “significant incidents” and related supervision). Ref: ILR — NIS 2.

Diverging positions in practice

  • ILR / NIS 2: three-step alert/notification of a “significant incident” to the NIS authority (early warning ≤ 24 h, notification ≤ 72 h, final report ≤ 1 month) for ILR-supervised sectors. Ref: NIS 2, Art. 23: eur-lex.europa.eu.
  • CSSF / DORA: notification of a “major ICT-related incident” to the financial supervisor under DORA, with different technical deadlines, EU-harmonised templates, and transmission to the ESAs network, not to the ILR. Refs: DORA Art. 19; 2025/301; 2025/302.

What this changes in practice

  • Banks, investment firms, PSI/PSF, insurers, management companies, AIFMs, e-money issuers, etc. fall under DORA for ICT risk management and incident reporting. They notify the CSSF using DORA templates — not the ILR under NIS 2. The ILR must still be able to access the information per NIS 2 Article 4 and the Commission Guidelines. For the local framework, also see DORA in Luxembourg.
  • Critical non-financial providers within a NIS 2 sector (Annexes I/II) remain under NIS 2 with notifications to the ILR. Two parallel flows may thus exist (DORA for the financial entity, NIS 2 for the provider), with a duty to keep information consistent. Ref: ILR — NIS 2.
  • For cross-border groups, do not transpose other countries’ expectations: in Luxembourg, the ILR supervises NIS 2 (non-financial sectors) while the CSSF leads on DORA. Map “who notifies whom, when and how.” For local NIS supervision, see NIS 2 in Luxembourg.

Example

A Luxembourg bank suffers prolonged unavailability of digital services due to an ICT incident. If it meets DORA’s “major” thresholds (classification RTS), it triggers: initial notification within 4 hours after classification (and no later than 24 hours after awareness), an intermediate report ≤ 72 h after the initial one, then a final report using the 2025/302 templates. If a separate hosting provider in a NIS 2 sector is affected, it may have to notify the ILR — but the bank does not need to duplicate an ILR notification under NIS 2. Ref: 2025/302.

Common pitfalls

  1. Duplicate notifications: a DORA entity notifying both the CSSF and, in addition, the ILR under NIS 2 risks inconsistencies and delay. Base your internal playbook on NIS 2 Art. 4 and the Commission Guidelines (OJ C 328).
  2. Waiting for “ILR confirmation” for a DORA entity: unnecessary. DORA Recital 16 is clear; timelines and templates are set by 2025/301 and 2025/302.
  3. Misclassification: under DORA, obligations hinge on “major ICT-related incident” thresholds. Awareness starts the 24-hour clock.
  4. Forgetting CSIRT/NIS access: even where DORA prevails, mechanisms must enable sharing to CSIRTs/NIS points of contact (formats, confidentiality). Ref: Commission Guidelines.
  5. Mixing up scopes: a DORA parent may be covered for financial activities, but a non-financial subsidiary within a NIS 2 sector remains under ILR for its own incidents.

Next steps

To strengthen crisis handling and DORA-aligned operational resilience, prepare your business continuity planning and notification processes in advance, before an incident forces the question of which regime applies.

Key official sources: NIS 2 Article 4 Guidelines; Directive (EU) 2022/2555; Regulation (EU) 2022/2554; 2025/301; 2025/302; ILR — entry into force; ILR — incident notification.

Need help mapping notification flows and sectoral obligations in Luxembourg? Get in touch.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
