Luxembourg referred to the CJEU for delay in transposing CER

Lead (who, what, where, when)

On 29 April 2026, the European Commission Representation in Luxembourg announced that it would refer the Grand Duchy to the Court of Justice of the European Union for failure to transpose Directive (EU) 2022/2557, the Critical Entities Resilience (CER) Directive. This directive requires Member States to identify and protect entities providing essential services (energy, transport, health, drinking water, digital infrastructure, etc.). Source

Regulatory context

The CER Directive complements NIS2: it addresses the physical and organizational resilience of critical entities against natural and man‑made risks (including cyber threats), and explicitly provides for coordination with NIS2 competent authorities to share information, risks, and supervisory outcomes. Member States must adopt a national resilience strategy and conduct a national risk assessment (initial deadline: 17 January 2026), then identify critical entities (indicative deadline: 17 July 2026). Failure to transpose may, after judgment, lead to financial penalties under Article 260 TFEU. CER text

What this changes for companies in Luxembourg

• Immediate regulatory pressure: the infringement action accelerates alignment between CER and NIS2 requirements. Essential and important entities (including critical subcontractors) should anticipate coordinated requests from Luxembourg authorities (ILR/ANSSI‑LU for NIS, sectoral ministries for CER, CSSF/CAA for financial via DORA), with strengthened documentary checks (mapping of essential services, multi‑hazard risk analyses, testing and continuity plans, incident notification affecting service continuity). Details
• Broad sectoral scope: CER covers 11 sectors (energy, transport, health, drinking water, wastewater, digital infrastructure, public administration, space, etc.). Cross‑border groups BE/FR/DE operating in Luxembourg will need to align their (LU site) resilience programmes with converging expectations across the EU. CER annex
• Converging EU timelines: the CER acceleration comes as AI Act transparency obligations arrive in August 2026, while NIS2/DORA supervisory expectations continue to be clarified. For executives, the priority is to run a unified “operational resilience” programme rather than silos (cyber, physical, third parties, continuity). AI Act context

Concrete actions to take this week

• Establish (or update) your “essential services” register in Luxembourg: identify by site/process the services whose interruption would have major impact; link owners, critical dependencies (energy, telecoms, data centres), third‑party contracts, and tolerated recovery window. Align taxonomy with the CER annex and your NIS2 classification. CER reference
• Launch a flash “all‑hazards” risk review: consolidate an analysis covering physical threats (fire, flooding, sabotage), logistics (supplier disruption), and cyber (ransomware) with cascading scenarios; map each scenario to prevention/detection/response measures, tests and evidence (exercises, test reports, lessons learned). EU guidance
• Check your cross‑framework governance: appoint an executive “resilience” sponsor; harmonise alert/notification processes and playbooks across CER, NIS2 and (if applicable) DORA; prepare an audit‑ready compliance pack (strategy, risk assessment, BIA, continuity plans, test evidence, supplier clauses) and a board dashboard. Reference

Sources

• The Commission decides to refer Luxembourg to the CJEU for failure to transpose the CER Directive
• Directive (EU) 2022/2557 – Critical Entities Resilience

Timeline notes

Commission publication on 29 April 2026; CER deadlines recalled (national strategy and risk assessment by 17 January 2026; identification of entities by 17 July 2026). These dates help prioritise work and prepare for potential authority requests. Context

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.