
ILR — NIS 2 Incident Notification: 24h to alert

On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.

Key facts

On 5 May 2026, Luxembourg’s law transposing Directive (EU) 2022/2555 (“NIS 2”) entered into force. The Luxembourg Regulatory Institute (ILR) published an operational guide “Incident notification under NIS 2” describing a harmonised three-step process: early warning within 24 hours of detection, formal notification within 72 hours, and a final report no later than one month after (with a possible one‑month extension if the incident remains open). The guide details the information required at each milestone and refers to the national portal SERIMA for submissions.

The ILR “Cybersecurity – NISS” site confirms transposition by the law of 5 May 2026 and centralises resources (SERIMA, FAQ, guides, MONARC risk modules) for essential and important entities under supervision in Luxembourg (ILR – NISS). The ILR also details scope and notification modalities in its NIS 2 FAQ.

This tightening of reporting requirements comes amid heightened EU cyber tensions: the pan‑European “Cyber Europe 2026” exercise led by ENISA on 13 June 2026 simulated coordinated attacks on ports and rail networks to test technical, operational and political coordination in a crisis (Agence Europe).

Applicable legal framework

NIS 2 — Article 23: mandatory early warning “without undue delay and at the latest within 24 hours” after detecting a significant incident, followed by formal notification within 72 hours and a final report within one month. In Luxembourg, ILR specifies these milestones and contents: NIS 2 notification guide, SERIMA portal and practical “Incident notification” notice summarising the 24h pre‑notifications and the duty to update. For a consolidated overview of obligations, see our NIS 2 directive page.

Role of the ILR: as the competent authority for sectors under its supervision, it receives notifications, provides initial feedback within 24h (when feasible) and may request interim information (ILR).

The technical solution to deploy

To hit 24h / 72h / 1‑month without panic, the decisive building block is not a form: it is a managed SIEM/SOC that detects fast, qualifies correctly and documents the incident continuously. See how our managed SOC structures these capabilities:

  • Collection and correlation: real‑time ingestion of system logs (Windows, Linux), directories (AD/Entra), VPN, firewalls, proxies, EDR/XDR, SaaS (O365, Salesforce), and cloud (AWS/Azure/GCP). MITRE ATT&CK correlation rules and behavioural detections to spot “living off the land” attack chains.
  • “Significant vs non‑significant” qualification: playbooks aggregating impact, availability, integrity, confidentiality, geographic reach and affected service to decide quickly whether the NIS 2 threshold is met (traceable for ILR).
  • Timeline and evidence: reliable time‑stamping, immutable retention of relevant logs, hashing and digital sealing (chain of custody) to feed the initial notification, 72h update and final report.
  • Reporting orchestration: templates aligned with SERIMA fields (description, IOCs, measures taken, dependencies, impacts, contacts) and an internal approval workflow to publish on time.
  • Lessons learned: closure with corrective actions, takeaways and resilience tests.
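An added example for the "Timeline and evidence" bullet, not code from the page or from Luxgap: a hash-chained evidence timeline in Python, where each entry seals the digest of an artefact together with the previous entry's hash, so that an edited, dropped or reordered entry is detectable when the record is handed to ILR. The sample entries and artefacts are constructed; real artefacts (log extracts, exports) would be stored separately and only their digests sealed here.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def _canon(entry: dict) -> bytes:
    """Canonical JSON so the same entry always hashes to the same value."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

class EvidenceTimeline:
    """Append-only incident timeline; each entry commits to the previous entry's hash."""
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def add(self, source: str, description: str, artefact: bytes, observed_at: datetime) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            # normalise to UTC: one clock for the 24h/72h milestones
            "observed_at": observed_at.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "source": source,
            "description": description,
            # only the artefact's digest is sealed; the artefact itself is stored elsewhere
            "artefact_sha256": hashlib.sha256(artefact).hexdigest(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canon(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def build_sample_timeline() -> EvidenceTimeline:
    """Constructed sample entries mirroring the VPN case on this page (not real logs)."""
    t = EvidenceTimeline()
    detected = datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc)
    t.add("vpn", "anomalous VPN authentication detected", b"<constructed VPN log extract>", detected)
    t.add("edr", "host contained, no exfiltration observed", b"<constructed EDR event>", detected + timedelta(minutes=40))
    t.add("iam", "VPN credentials and secrets rotated", b"<constructed IAM audit record>", detected + timedelta(hours=3))
    return t
```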

Good practice references: ISO/IEC 27001:2022 Annex A — A.5.24 (incident management planning and preparation), A.5.25 (event assessment/decision), A.5.26 (response), A.5.27 (lessons learned), A.5.28 (evidence collection), A.8.15 (logging) and A.8.16 (monitoring activities). For local support on certification and ISMS, see our ISO 27001 Luxembourg page. A managed SOC/SIEM also naturally aligns with the Detect and Respond functions of the NIST CSF 2.0.

How Luxgap deploys this

  • Our managed SOC (24/7): we integrate critical sources (networks, identities, endpoints, cloud/SaaS) in 2–6 weeks, implement detection rules and publish a “NIS 2 – ILR” runbook mapping each alert to a scenario, criticality threshold and milestone (24h/72h/1‑month). An on‑call L1/L2/L3 validates qualification and prepares the pre‑notification.
  • Our ISO 27001 governance: our Lead Implementers/Auditors frame escalation policies, log retention (A.8.15), evidence collection (A.5.28) and notification responsibilities (A.5.24–A.5.26), with SERIMA‑compatible document templates.
  • Our outsourced CISO/DPO consultants: they decide “significant or not”, steer communications with ILR, coordinate IT, legal and business, and ensure the notification accurately reflects technical progress. For outsourced cyber leadership, explore our outsourced CISO service.

Concrete case in Luxembourg or the EU

An essential infrastructure company operating in Luxembourg deployed a SIEM in six weeks with 18 sources (VPN, firewalls, O365, EDR, AD, cloud workloads) and NIS 2 playbooks. During an anomalous VPN authentication incident, the SOC established the impact (non‑critical service, rapid containment, no exfiltration) and filed an early warning within 18 hours via SERIMA, followed by a 72h update documenting IOCs and secret rotation. The final report, filed within 30 days, closed the incident with no further remarks from the authority. Outcome: demonstrated compliance, calmer crisis governance.

First concrete steps

  1. Register on SERIMA and verify access, roles and your internal validation procedure (who signs the 24h alert?). Run a dry‑run this week (SERIMA – ILR).
  2. Set the 24h trigger: define a clear rule for when the clock starts (moment of detection vs first alert) and the impact levels that make an incident “significant”. For local context and supervised sectors, see our NIS 2 Luxembourg page.
  3. Enable baseline logging on AD/Entra, VPN, firewalls, EDR and O365, centralised in a SIEM. Target immutable retention and synchronised time‑stamping (ISO 27001 A.8.15, A.8.16).
  4. Prepare notification templates (24h/72h/1‑month) aligned with ILR guide fields, with a checklist of IOCs, measures taken and critical dependencies.
  5. Exercise: a 90‑minute tabletop to chain detection → “significant” decision → pre‑notification, including Legal/Comms. Leverage recent EU‑level crisis scenarios (Cyber Europe 2026).
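An added example for steps 2 and 4 and for the "significant vs non‑significant" qualification bullet above, not Luxgap's or ILR's own logic: Python that starts the clock at the moment of detection, derives the 24h/72h/1‑month deadlines (with the optional extension and correct month‑end handling) and records a traceable rationale for the significance decision. The `Impact` fields and the thresholds in `qualify` are assumptions to be replaced by the entity's own criteria, not ILR values.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def add_one_month(dt: datetime) -> datetime:
    """Calendar-month arithmetic, clamping e.g. 31 Jan to the last day of February."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))

def nis2_milestones(detected_at: datetime, extension: bool = False) -> dict:
    """24h / 72h / 1-month deadlines from the moment of detection; the final report is counted
    from the 72h notification (as Article 23(4)(d) does) and extension=True adds the extra month."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware (synchronised clocks)")
    d = detected_at.astimezone(timezone.utc)
    notification = d + timedelta(hours=72)
    final = add_one_month(notification)
    return {
        "early_warning": d + timedelta(hours=24),
        "notification": notification,
        "final_report": add_one_month(final) if extension else final,
    }

def milestones_iso(detected_iso: str, extension: bool = False) -> dict:
    """Same, from an ISO 8601 timestamp as the SIEM exports it, returning ISO strings."""
    return {k: v.isoformat() for k, v in nis2_milestones(datetime.fromisoformat(detected_iso), extension).items()}

@dataclass
class Impact:
    """What the SOC has established during qualification (constructed criteria, not ILR's)."""
    in_scope_service: bool           # affected service is within the entity's NIS 2 scope
    unavailability_hours: float      # availability impact
    integrity_breached: bool         # data or configuration tampered
    confidential_data_exposed: bool  # exfiltration or unauthorised disclosure
    users_affected: int              # reach
    cross_border: bool               # geographic reach beyond Luxembourg

def qualify(impact: Impact, hours_threshold: float = 4.0, users_threshold: int = 1000) -> tuple[bool, list[str]]:
    """Return (significant?, rationale lines). Thresholds are placeholders, not ILR values."""
    reasons = []
    if impact.in_scope_service and impact.unavailability_hours >= hours_threshold:
        reasons.append(f"in-scope service unavailable {impact.unavailability_hours}h (threshold {hours_threshold}h)")
    if impact.integrity_breached:
        reasons.append("integrity of data or configuration compromised")
    if impact.confidential_data_exposed:
        reasons.append("confidential data exposed")
    if impact.users_affected >= users_threshold or impact.cross_border:
        reasons.append(f"reach: {impact.users_affected} users, cross-border={impact.cross_border}")
    return bool(reasons), reasons
```

The rationale list is what goes into the SERIMA "description" and "impacts" fields, so the decision stays defensible months later when the final report is filed.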

Contact us to assess your 24h alert and 72h notification readiness.
