NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May
Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.
Summary — Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May 2026. It broadens scope, strengthens governance, and requires 24 h/72 h incident alert/notification to ILR. Key sources and actions below.
The general rule
- EU framework (NIS 2). Directive (EU) 2022/2555 sets measures for a high common level of cybersecurity, distinguishes essential (EE) and important entities (EI), formalizes management bodies’ responsibilities (Art. 20), risk management measures (Art. 21), and incident reporting (early warning within 24 h, notification within 72 h, final report within 1 month; Art. 23), plus sanctions (Art. 34: up to €10m or 2% global turnover for EE; €7m or 1.4% for EI). Text: https://eur-lex.europa.eu/eli/dir/2022/2555/oj.
- Transposition in Luxembourg. The directive is transposed by the Law of 5 May 2026 “ensuring a high level of cybersecurity,” entering into force on 10 May 2026; NIS 1 and parts of the 17 December 2021 law are repealed. ILR page: https://www.ilr.lu/secteurs-activites/niss/nis-2/ and Legilux ELI: https://legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo.
- Competent authorities. ILR is competent for most sectors; CSSF for banking and financial market infrastructures (and, depending on activities, certain digital infrastructure and ICT service management under its prudential scope). ILR FAQ: https://www.ilr.lu/en/sectors/niss/nis-2/frequently-asked-questions-about-nis2-faq/.
- Incident reporting process. Early warning “without undue delay and at the latest within 24 h” of becoming aware of a significant incident; incident notification within 72 h; intermediate report on request; final report no later than 1 month after the 72 h notification is submitted (if the incident is still ongoing at that point, a progress report, then the final report within 1 month of the incident being handled; Art. 23(4)). ILR: https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
What the regulators say
- ILR (NIS authority)
- Scope and size‑cap: entities in Annexes I/II are in scope by default if medium/large size thresholds are met, with exceptions (e.g., electronic communications providers, trust service providers, domain name registries). https://www.ilr.lu/secteurs-activites/niss/nis-2/champ-application/.
- Governance and supervision: responsibilities of management bodies (Art. 20) and differentiated supervision for EE/EI (ex ante + ex post for EE; ex post for EI). https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Minimum measures (Art. 21): risk/incident management, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene/training, encryption/MFA, etc. https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- CSSF (financial sector). Sectoral authority for credit institutions and market infrastructures; alignment with DORA and TIBER‑LU. https://www.cssf.lu/fr/tic-et-cyber-risque-pour-les-entites-dora/.
- EDPB and CNPD (GDPR). If a personal data breach poses a risk, notify CNPD within 72 h (Art. 33 GDPR). EDPB Guidelines 9/2022: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en; CNPD: https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html.
- Implementing regulation. Commission Implementing Regulation (EU) 2024/2690 of 17 Oct 2024, directly applicable, details the technical and methodological requirements of the Art. 21(2) measures and fixes the criteria under which an incident counts as “significant” for DNS, TLD registries, cloud, data centre, CDN, MSP/MSSP, online marketplaces/search engines/social networks and trust service providers; see ILR NIS 2 page: https://www.ilr.lu/secteurs-activites/niss/nis-2/.
How to apply in practice
Case of an “important” entity (manufacturing/ICT B2B), week of 5–10 May 2026
- Before 10 May (D‑3 to D‑0)
- Governance and responsibility: appoint a “NIS 2 owner,” have management bodies approve risk management measures (Arts. 20–21), and schedule accelerated training. Basis: Arts. 20–21; ILR “Security measures NIS2” https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Status and registration: confirm Annex I/II sector and size‑cap; start ILR self‑registration. Basis: ILR “Scope” https://www.ilr.lu/secteurs-activites/niss/nis-2/champ-application/.
- Day‑1 minimum measures: finalize an incident response plan (24 h early warning, 72 h notification via SERIMA), map points of contact (legal, CISO, DPO). Basis: ILR “Incident notification” https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
- Key technical controls: enforce MFA on sensitive access, tested backups/restores, vulnerability disclosure process. Basis: Art. 21; ILR “Security measures NIS2” https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Supply chain: launch a supplier flash assessment on critical MSP/MSSP/ISVs: security clauses, 24 h/72 h contractual notification, MFA/encryption requirements. Basis: Art. 21(2)(d) (supply chain security) https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- During an incident (upon detection)
- T0–24 h: send early warning to ILR (or CSIRT), open a SERIMA ticket, trigger crisis communication. Basis: ILR “Incident notification” https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
- T0–72 h: submit formal notification (facts, impact, mitigation), provide interim updates if requested. https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
- Notification + 1 month: final report (description, root cause, mitigation, cross‑border impact). If the incident is still ongoing, a progress report at that point and the final report within 1 month of the incident being handled (Art. 23(4)(d)–(e)). https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
- If personal data are involved with risk to individuals: notify CNPD within 72 h (GDPR) and, where required, the data subjects; coordinate NIS 2 and GDPR timelines. EDPB 9/2022: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en; CNPD: https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html.
- After (within 90 days)
- Complete a risk analysis covering all networks/IS supporting the business; validate BCP/DRP; document controls for supervision (ex post for EI; ex ante + ex post for EE). Basis: ILR “Security measures NIS2” https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Update priority supplier contracts (security SLAs, escalation, notification, audit) and set regular follow‑up. Basis: Art. 21(2) https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Provide regular training to management bodies and record approval of cybersecurity measures. Basis: Art. 20; ILR “Security measures NIS2” https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
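The incident steps above run on two clocks at once: the NIS 2 clock (24 h early warning, 72 h notification, final report one month after the notification is submitted) and the GDPR clock (72 h to CNPD), both counted from the moment the entity becomes aware. The following script is an added illustration of how to keep both clocks straight in an incident runbook; it is not code from ILR, Luxgap or the law, and the recipient labels, the "significant" flag and the calendar‑month convention for the final report are assumptions made for the example.

```python
"""Reporting-deadline clock for an incident under NIS 2 (Art. 23) and GDPR (Art. 33).

Added illustration; not code from ILR, Luxgap or the law. Assumes:
- NIS 2 clock: 24 h early warning and 72 h notification from awareness, final
  report one month after the notification is submitted (Art. 23(4));
- GDPR clock: 72 h from awareness to the CNPD when the breach is likely to
  result in a risk to individuals (Art. 33);
- "one month" is a calendar month, clamped to the last day of the target month;
- recipient strings are labels only.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_months(t: datetime, months: int) -> datetime:
    """Calendar-month addition clamped to month end (31 May + 1 month -> 30 June)."""
    idx = t.month - 1 + months
    year, month = t.year + idx // 12, idx % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class Obligation:
    regime: str         # "NIS2" or "GDPR"
    step: str           # early_warning | notification | final_report | cnpd_breach_notification
    deadline: datetime  # timezone-aware
    recipient: str      # label only (assumption)


def reporting_schedule(aware_at, *, significant, personal_data_risk, notified_at=None):
    """Obligations triggered by an incident the entity became aware of at `aware_at`.

    significant        -- incident meets the NIS 2 significance threshold; only then
                          does the Art. 23 clock start.
    personal_data_risk -- personal data breach likely to result in a risk to
                          individuals; CNPD notification runs independently of NIS 2.
    notified_at        -- when the 72 h notification was actually sent; the final
                          report is due one month after that. Defaults to the latest
                          permitted moment (aware_at + 72 h).
    """
    if aware_at.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    sched = []
    if significant:
        notif_deadline = aware_at + timedelta(hours=72)
        sched.append(Obligation("NIS2", "early_warning", aware_at + timedelta(hours=24), "ILR (SERIMA)"))
        sched.append(Obligation("NIS2", "notification", notif_deadline, "ILR (SERIMA)"))
        sent = notified_at or notif_deadline
        sched.append(Obligation("NIS2", "final_report", add_months(sent, 1), "ILR (SERIMA)"))
    if personal_data_risk:
        sched.append(Obligation("GDPR", "cnpd_breach_notification", aware_at + timedelta(hours=72), "CNPD"))
    # Stable sort: equal deadlines keep insertion order (NIS 2 notification before CNPD).
    return sorted(sched, key=lambda o: o.deadline)


def status(schedule, now, done=()):
    """Split the obligations not yet marked done into (overdue, upcoming) at `now`."""
    done = set(done)
    open_items = [o for o in schedule if (o.regime, o.step) not in done]
    overdue = [o for o in open_items if o.deadline <= now]
    upcoming = [o for o in open_items if o.deadline > now]
    return overdue, upcoming


if __name__ == "__main__":
    # Constructed example: incident detected 31 May 2026 10:00 UTC, customer data involved.
    aware = datetime(2026, 5, 31, 10, 0, tzinfo=timezone.utc)
    for o in reporting_schedule(aware, significant=True, personal_data_risk=True):
        print(f"{o.regime:4} {o.step:26} {o.deadline:%Y-%m-%d %H:%M} UTC -> {o.recipient}")
    late, todo = status(reporting_schedule(aware, significant=True, personal_data_risk=True),
                        datetime(2026, 6, 2, 0, 0, tzinfo=timezone.utc))
    print("overdue:", [o.step for o in late], "| upcoming:", [o.step for o in todo])
```

Pass `notified_at` as soon as the 72 h notification is actually submitted: the final‑report deadline is anchored to that submission, not to detection, so sending the notification early also brings the final report forward.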
Who is in scope (EE vs EI)
- Annex I, sectors of high criticality (large entities are essential; medium‑sized ones are in general important, Art. 3): energy, transport, banks, financial market infrastructures, health, water, digital infrastructure (IXP, DNS, TLD registries, cloud, data centers, CDN, trust service providers, public communications operators), ICT service management B2B (MSP/MSSP), public administration, space. Ref. ILR (FAQ, scope): https://www.ilr.lu/en/sectors/niss/nis-2/frequently-asked-questions-about-nis2-faq/.
- Annex II, other critical sectors (entities are important): postal/courier, waste, chemicals, agri‑food, multiple manufacturing subsectors, digital providers, research. Ref. ILR: https://www.ilr.lu/en/sectors/niss/nis-2/frequently-asked-questions-about-nis2-faq/.
- Size‑cap rule: medium and large enterprises are in scope by default, with sectoral exceptions. Ref. ILR “Scope”: https://www.ilr.lu/secteurs-activites/niss/nis-2/champ-application/.
Sanctions
- NIS 2: EE up to €10m or 2% global turnover (whichever higher); EI up to €7m or 1.4%. Basis: Art. 34 NIS 2: https://eur-lex.europa.eu/eli/dir/2022/2555/oj.
- Supervision: EE (ex ante + ex post) and EI (ex post), with information requests, audits, and orders to comply. Ref. ILR: https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
Common pitfalls
- Limiting to “critical systems” as under NIS 1: NIS 2 covers all networks/IS supporting the business (Art. 21). https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Overlooking the supply chain (MSP/MSSP, SaaS): align contracts and evidence of controls (Art. 21(2)). https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Confusing NIS 2 and GDPR timelines: NIS 2 (24 h/72 h) does not remove the 72 h CNPD notification. ILR “Incident notification”; EDPB 9/2022; CNPD. https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/ — https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en — https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html.
- Neglecting management training (Art. 20) and their accountability. https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/.
- Waiting for “official lists”: NIS 2 relies on self‑identification/self‑registration; controls must be in place at entry into force. ILR FAQ: https://www.ilr.lu/en/sectors/niss/nis-2/frequently-asked-questions-about-nis2-faq/.
Official sources
- ILR – NIS 2 overview: https://www.ilr.lu/secteurs-activites/niss/nis-2/
- ILR – Scope: https://www.ilr.lu/secteurs-activites/niss/nis-2/champ-application/
- ILR – Security measures/supervision: https://www.ilr.lu/secteurs-activites/niss/nis-2/mesures-securite-nis2/
- ILR – Incident notification: https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/
- Luxembourg law (ELI): https://legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo
- EU NIS 2 (EUR‑Lex): https://eur-lex.europa.eu/eli/dir/2022/2555/oj
- ILR – NIS 2 FAQ: https://www.ilr.lu/en/sectors/niss/nis-2/frequently-asked-questions-about-nis2-faq/
- CSSF – ICT and cyber risk (DORA/TIBER‑LU): https://www.cssf.lu/fr/tic-et-cyber-risque-pour-les-entites-dora/
- EDPB – Guidelines 9/2022: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en
- CNPD – Data breach: https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html
In brief — As of 7 May 2026, potentially in‑scope Luxembourg companies should assume they are covered based on activity and size, self‑register, formalize management bodies’ responsibility, secure the supply chain, and immediately enable 24 h/72 h incident alert/notification via SERIMA, coordinating GDPR notification to CNPD within 72 h where applicable. https://www.ilr.lu/secteurs-activites/niss/nis-2/
Luxgap regulatory expertise article.