NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
Deadline: in Luxembourg, “essential” (EE) and “important” (EI) entities must self‑register with the ILR by 10 July 2026. This brief covers the legal basis, risks, and this week’s action plan. For local context, see NIS 2 Luxembourg.
Key facts
- Who: Institut luxembourgeois de régulation (ILR), NIS 2 competent authority for most sectors in Luxembourg; “essential” (EE) and “important” (EI) entities under the Law of 5 May 2026.
- What: Mandatory self‑registration with the ILR and submission of information to build the official list of supervised EE/EI entities.
- Where: Luxembourg (ILR – NISS portal, self‑registration form).
- When: The NIS 2 Law entered into force on 10 May 2026. Article 11(4) sets a two‑month deadline to submit information to the competent authority, i.e., by 10 July 2026. The ILR confirms self‑registration on its NIS 2 website.
- How much: NIS 2 sanctions may reach up to €10m or 2% of worldwide turnover for EE, and up to €7m or 1.4% for EI, depending on gravity and category.
Legal framework
- National law: Law of 5 May 2026 “ensuring a high level of cybersecurity” (in force since 10 May 2026). Article 11(4) requires entities within scope to submit, within two months, the information needed by the competent authority to establish the list of essential and important entities (deadline: 10 July 2026).
- Competent authority: ILR for most sectors; CSSF supervises certain financial entities by exception.
- Self‑registration: confirmed by the ILR (“Self‑registration of your entity”).
- EU Directive: Directive (EU) 2022/2555 (NIS 2). Key obligations post‑registration: Art. 20 (management bodies’ responsibility), Art. 21 (10 minimum risk‑management measures), Art. 23 (incident notification: early warning 24h, notification 72h, final report ≤ 1 month), Art. 34 (sanctions). See our overview of NIS 2 obligations for internal mapping.
What changes for Luxembourg companies
- Immediate exposure: Any entity meeting the law’s criteria (Annex I/II sectors and size, with sectoral exceptions) may qualify as EE/EI. Missing the deadline risks formal non‑compliance as of 11 July 2026 and closer supervision, RFIs, or corrective measures.
- Trigger effect: Self‑registration launches EE/EI classification and frames supervision (ex ante + ex post for EE; ex post for EI), the incident notification process via SERIMA, and documentary verification of security measures (board‑approved policy, MFA, backups, supply‑chain security, etc.). A swift review of your security controls can accelerate this.
- Operational clock: 9 days remain (as of 1 July 2026) to: 1) confirm eligibility (sector/size/exceptions); 2) collect ILR‑requested data (identity, sectors, contacts, etc.); 3) file the self‑registration form; 4) verify capacity to notify within 24/72h (SERIMA) and align GDPR if personal data is involved. Coordinate with the CNPD notification (72h GDPR) where applicable.
Concrete actions for this week
1) Check eligibility and complete ILR self‑registration
- Map your activities against NIS 2 Annex I/II and the Luxembourg law; if in scope, complete the ILR “Self‑registration of your entity” form without delay. Prepare: legal name, relevant sectors, contacts (technical, legal, communications), critical subsidiaries/providers.
2) Close the “governance + incident” minimum
- Have the board approve the cybersecurity policy (Art. 20/21) and validate the 24h/72h/1‑month incident workflow (SERIMA). Run a tabletop notification: who alerts, who completes forms, what evidence; synchronize with CNPD (72h GDPR) if personal data is affected. Outsourced CISO leadership can speed up decision‑making and compliance.
3) Secure the critical supply chain
- List ICT providers (MSP/MSSP/Cloud/SaaS) and review contracts: security clauses, 24/72h incident notice, MFA, encryption, tested backups. Schedule contract updates and evidence of control (periodic reviews).
Sources
- ILR – NIS 2 (overview + self‑registration + SERIMA): ilr.lu
- Elvinger Hoss – “NIS2 is now in force in Luxembourg!” (10 July 2026 deadline, Art. 11(4))
- Official Journal (ELI) – Law of 5 May 2026
Note: the ILR centralizes practical documentation (FAQ, security measures, incident notification). If you are a financial entity, check CSSF supervision and DORA overlaps.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →