← All articles

consultant

ILR — CP/N26/2 consultation and NIS 2 24-hour notification

ILR opens consultation on national NIS 2 incident notification (CP/N26/2). Here are the rules, the 24/72/30 timeline, and the SIEM/SOC stack to report within 24 hours reliably.

On 6 July 2026, ILR opened public consultation CP/N26/2 on a draft regulation setting the “notification arrangements and criteria for incidents having a significant impact.” In parallel, on 26 May 2026, the NIS 2 Cooperation Group adopted EU‑wide common incident report templates. Here is the SIEM/SOC stack that enables stress‑free 24‑hour notification.

Key facts

• On 6 July 2026, the Luxembourg Institute of Regulation (ILR) launched consultation CP/N26/2 on a draft regulation governing notification of incidents “having a significant impact,” closing on 6 August 2026. It details required fields, “significance” criteria, and sequencing (early warning at 24 h, detailed notification at 72 h, final report within one month). Source: ILR — CP/N26/2 (06/07/2026).

• Since the law of 5 May 2026 transposing NIS 2 in Luxembourg, essential and important entities must file an early warning within 24 h via the national portal (SERIMA), then a 72 h notification and a final report within one month. ILR lists the expected fields (entity type, description, significance criteria: users affected, duration, geographical spread, financial losses, exfiltration, etc.) and SERIMA usage. Source: ILR — Incident notification (dedicated page).

• At EU level, on 26 May 2026, the NIS 2 Cooperation Group adopted common templates for incident reporting to harmonise content and ease cross‑border handling. Source: European Commission — NIS2 Cooperation Group templates (26/05/2026).

Applicable legal framework

NIS 2 (Directive 2022/2555), Art. 23: early warning “without undue delay and in any event within 24 hours” after becoming aware of a significant incident, 72 h notification, then final report within one month. The Luxembourg law of 5 May 2026 mirrors these requirements and designates ILR as competent authority for sectors under its remit. Practical reference: ILR — Incident notification. For an overview of the directive, see NIS 2 essentials.

EU harmonisation: the Cooperation Group’s common templates structure the minimum information to provide (timeline, impact indicators, likely causes, mitigation, cross‑border dimension). This improves consistency and reduces re‑entry where multiple authorities are involved. Source: Commission — NIS 2 notification templates.

National modalities under consultation: ILR’s CP/N26/2 clarifies “significance” criteria and operational arrangements in Luxembourg, consistent with the EU templates and SERIMA portal. Source: ILR — CP/N26/2.

The technical solution to deploy

To consistently meet the 24‑hour deadline with proper evidence, three building blocks converge:

  • Managed SIEM + 24/7 SOC: aggregates logs, correlates signals (EDR/XDR, firewalls, IAM, SaaS, cloud), provides continuous detection, qualifies the incident, and preserves initial evidence. Related controls: ISO 27001 Annex A.5.23 (Monitoring), A.5.10 (Logging), A.8.16 (Incident management); NIST CSF 2.0 — Detect/Respond; CIS Controls 8: 8 (Audit Log Management), 17 (Incident Response). For execution, a managed SOC focused on incident detection accelerates qualification and traceability.
  • “NIS 2 24/72/30” playbooks in your orchestration tool: - T0–2 h: triage, impact estimation, early‑warning decision (even if full impact is uncertain); - T2–24 h: consolidate the ILR‑required minimum (significance criteria, affected sector, presumed malicious nature, CSIRT support need) and submit via SERIMA; - T24–72 h: enrich (IoCs, likely causes, containment/mitigation); - D+30: final report (and, if needed, a one‑month extension request). Expected fields: ILR — Incident notification.
  • Asset/dependency mapping to quickly size the impact (users, critical services, cross‑border exposure) and pre‑populate EU templates. Useful link: NIS 2 EU templates.

Technical watch‑outs:

  • Log quality and retention: enable security logging by default on critical systems, set retention aligned with investigation and audit needs (ISO 27001 A.5.10).
  • SaaS/Cloud telemetry: API collectors (Microsoft 365, Google Workspace, Salesforce, AWS/Azure/GCP) into the SIEM to swiftly detect identity and multi‑tenant app compromise.
  • Escalation runbooks: “significance” thresholds aligned to CP/N26/2 (users affected, duration, losses, spread) to trigger early warning without delay, even with partial information.

How Luxgap delivers this

  • Our 24/7 managed SOC: we ingest your sources (EDR/XDR, firewalls, AD/Entra, SaaS/Cloud) into cloud or on‑prem SIEM. We configure NIS 2‑specific rules (detection of potentially “significant” incidents, automatic estimation of ILR criteria) and “24/72/30” playbooks that produce a SERIMA pre‑draft. For local context, see NIS 2 in Luxembourg (ILR).
  • Our ISO 27001 governance: our Lead Implementers/Auditors structure your incident policies and evidence (logging, roles, decision registers) so each ILR filing is traceable and repeatable (ISO 27001 A.5.16/17/23/10/8.16).
  • Our outsourced DPO and CISO: operational legal framing (Art. 23 NIS 2, alignment with GDPR/DORA where relevant), executive dashboards for management and audit readiness.

Concrete use case in Luxembourg or the EU

A Luxembourg fiduciary classified as an “important entity” (NIS 2) faces a SaaS incident (support account compromised, limited exfiltration). With the SIEM/SOC in place:

  • T+3 h: correlation flags “anomalous login + mass download” in Microsoft 365; incident opened, logs preserved, provisional impact estimated.
  • T+10 h: “early‑warning” playbook fills ILR fields (description, criteria, potentially malicious nature, CSIRT need: “no”), CISO validation, SERIMA filing before T+24 h.
  • T+48 h: 72‑hour notification enriched (IoCs, affected accounts, corrective actions, client comms) aligned with EU templates to facilitate any cross‑border exchanges.
  • D+25: final report consolidated, including SIEM evidence and ISO 27001 post‑mortem (planned improvements, risk tracking).

Practical first steps

  1. Map your critical log sources and verify SIEM ingestion (EDR/XDR, directories, VPN/SD‑WAN, SaaS/Cloud, firewalls, proxies, MDM). Set coherent retention and timestamps.
  2. Define “significant” thresholds (users, duration, finance, exfiltration, cross‑border) aligned with CP/N26/2 and the EU templates.
  3. Automate a “NIS 2 24/72/30” playbook: collect timestamps, affected scope, likely causes, first actions; generate a SERIMA draft for CISO/DPO validation.
  4. Test a half‑day incident drill with executives: early‑warning decision by T+12 h, legal validation, internal/external comms.
  5. Train teams on the exact content expected by ILR and the EU templates (who fills what, by when) and prepare a crisis kit (contacts, templates, checklists).

Official sources

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →