NIS 2 in Luxembourg: how to notify ILR within 24h/72h/1 month
NIS 2 requires an early warning within 24h, a formal notification at 72h, and a final report within 1 month. In Luxembourg, ILR and the national CSIRT (CIRCL) are your key contacts.
The general rule
Article 23 of Directive (EU) 2022/2555 (“NIS 2”) governs the notification of incidents “having a significant impact” on the provision of services by essential and important entities. Art. 23(4) sets the sequence: (a) an early warning without undue delay and in any event within 24 hours of becoming aware of the significant incident, (b) an incident notification within 72 hours of becoming aware, (c) intermediate status reports on request of the CSIRT or the competent authority, (d) a final report no later than one month after submission of the 72h notification, and (e) where the incident is still ongoing at that point, a progress report followed by a final report within one month of the incident being handled. The article also specifies the minimum content expected at each step. Cooperation with data protection authorities where an incident is also a personal data breach under the GDPR is addressed elsewhere in the Directive (Arts. 31(3) and 35). See the official text: Article 23, NIS 2.
In Luxembourg, ILR (Institut Luxembourgeois de Régulation) publicly sets out this three-step timeline and the scope of NIS 2 (Annexes I/II, the “size-cap” rule, and self-registration). Incident notification — ILR and Scope — ILR.
Financial sector caution: according to ILR’s NIS 2 FAQ, the Luxembourg draft law designates the CSSF as the competent authority for the banking sector, market infrastructures and certain digital activities under its supervision; ILR covers the vast majority of the other sectors. Check your competent authority before notifying. NIS 2 FAQ — ILR.
What the regulator says
- ILR — 24h/72h/1 month process: ILR describes the “3 key steps (early warning at 24h, formal notification at 72h, final report at 1 month)” and indicates that interim information may be requested by the competent authority or the CSIRT. NIS 2 Incident Notification — ILR.
- Role of the CSIRT (CIRCL): the national CSIRT receives reports and assists with incident handling. Contact channels and the anonymous form are public. CIRCL — Report an incident.
- NIS 2 — content and sequence: Article 23 sets obligations, deadlines and minimum information for the early warning, the 72h notification, intermediate reports and the final report (due one month after the 72h notification); Art. 23(1) also states that the mere act of notifying does not expose the entity to increased liability. Cooperation between NIS 2 competent authorities and GDPR supervisory authorities is set out in Arts. 31(3) and 35. Directive (EU) 2022/2555, Art. 23 — Publications Office.
- ENISA — good practices: the agency provides technical guidance to operationalize NIS 2 (Article 21 measures, incident handling, expected evidence), useful to structure proof and reports. ENISA — NIS2 Technical Implementation Guidance and the “Threats and Incidents” page (reminders on 24h/72h). ENISA — Threats and Incidents.
How to apply it in practice
Example: a digital infrastructure provider (Annex I) detects on 3 May 2026 at 09:00 a ransomware incident affecting a secondary DNS cluster.
Before (preparation)
- Governance and designation: identify your competent authority (ILR or CSSF depending on activity) and the relevant CSIRT (CIRCL). Document 24/7 contacts. NIS 2 FAQ — ILR; CIRCL — Report.
- Integrated notification procedure: align your incident playbook with Art. 23(4): T0 = the moment you become aware of the significant incident (not the moment root cause is confirmed), T0+24h early warning, T0+72h notification, final report one month after the 72h notification is actually submitted (submitting it early therefore brings the final-report deadline forward). Attach an internal template mirroring the required fields for each step.
- Convergence GDPR/DORA/EECC: prepare a “who-notifies-what” matrix: if the incident involves personal data, also trigger GDPR Art. 33 to the CNPD (its own 72h clock, counted from awareness of the breach); if you are a financial entity, follow the CSSF/DORA major ICT-related incident framework, which takes precedence over NIS 2 for that sector (NIS 2 Art. 4). NIS 2 requires competent authorities to cooperate with GDPR supervisory authorities when an incident also entails a personal data breach (Arts. 31(3) and 35), but that does not replace your own GDPR notification. Directive (EU) 2022/2555, Arts. 4, 23, 31 and 35.
During (handling and notifications)
- Within 24 hours (early warning): notify the CSIRT (CIRCL) or, where applicable, the competent authority (ILR or CSSF). Art. 23(4)(a) asks only, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact; sending more (short summary, affected services, preliminary indicators such as known IoCs, first containment steps) is useful but never a reason to wait. Record when you became aware and when each message was sent, in one consistent time zone, so the 24h/72h clocks can be evidenced later. ILR — Incident notification; Directive Art. 23.
- At 72 hours (notification): provide a structured update: confirmed scope, likely causes, intrusion vector, validated IoCs, affected systems/services, supply chain dependencies, measures taken and planned, need for assistance, user communications if needed. Directive Art. 23.
- Continuous interaction: respond to ILR/CSIRT interim information requests. Responsibly share relevant IoCs (cf. NIS 2 on information sharing) to limit systemic effects. ILR — Incident notification.
- At 1 month (final report): no later than one month after the 72h notification, deliver a detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, applied and ongoing mitigation measures, and any cross-border impact (Art. 23(4)(d)). In practice: a timestamped timeline, the exploited flaw, an availability/integrity/confidentiality impact assessment, corrective and preventive measures, and lessons learned. If the incident is still ongoing at that date, submit a progress report instead and the final report within one month of the incident being handled (Art. 23(4)(e)). Directive Art. 23.
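As an added example of the deadline chain described in the steps above (this is illustrative code, not ILR, CIRCL or Luxgap tooling), the following Python helper computes the three deadlines from the moment of awareness, anchors the final report on the actual submission time of the 72h notification rather than on T0, refuses naive timestamps so the evidence trail stays unambiguous, and flags stages that were sent late or are overdue. Assumptions: “one month” is read as a calendar month clamped to the last day of the target month (the Directive does not define it), the sample incident times are constructed from the DNS-cluster scenario in this article, and a fixed CEST offset stands in for a time-zone database.

```python
"""Added example: track the NIS 2 Art. 23(4) notification chain for one incident.

Not ILR/CIRCL tooling. Assumptions are marked in comments.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)  # Art. 23(4)(a): within 24h of becoming aware
NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 23(4)(b): within 72h of becoming aware
FINAL_REPORT_MONTHS = 1                     # Art. 23(4)(d): 1 month after (b) is submitted

# Fixed offset for the constructed sample (3 May 2026 is Luxembourg summer time).
# A production tracker would use zoneinfo.ZoneInfo("Europe/Luxembourg") instead.
CEST = timezone(timedelta(hours=2), "CEST")


def _require_aware(ts: datetime, label: str) -> datetime:
    """Deadlines are evidence: refuse naive timestamps so a UTC/CEST mix-up cannot hide."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts


def add_months(ts: datetime, months: int) -> datetime:
    """Calendar-month arithmetic clamped to the last day of the target month.
    Assumption: NIS 2 does not define "one month"; 31 Jan + 1 month -> 28/29 Feb here."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Incident:
    aware_at: datetime                            # T0: moment the entity became aware
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(inc: Incident) -> dict[str, Optional[datetime]]:
    """Due time of each stage; the final report has no due time until (b) is submitted."""
    t0 = _require_aware(inc.aware_at, "aware_at")
    final_due = None
    if inc.notification_sent is not None:
        # Anchored on the actual (b) submission, not on T0: sending (b) early pulls (d) forward.
        sent_b = _require_aware(inc.notification_sent, "notification_sent")
        final_due = add_months(sent_b, FINAL_REPORT_MONTHS)
    return {
        "early_warning": t0 + EARLY_WARNING_WINDOW,
        "notification": t0 + NOTIFICATION_WINDOW,
        "final_report": final_due,
    }


def stage_status(due: Optional[datetime], sent: Optional[datetime], now: datetime) -> str:
    """One-line status for a stage, suitable for the incident log."""
    if due is None:
        return "not scheduled (72h notification not yet submitted)"
    if sent is not None:
        return "on time" if sent <= due else f"LATE by {sent - due}"
    return f"OVERDUE by {now - due}" if now > due else f"due in {due - now}"


def report(inc: Incident, now: datetime) -> dict[str, str]:
    """Status of all three stages as seen at `now`."""
    now = _require_aware(now, "now")
    due = deadlines(inc)
    sent = {
        "early_warning": inc.early_warning_sent,
        "notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    return {
        stage: stage_status(due[stage], _require_aware(ts, stage) if ts is not None else None, now)
        for stage, ts in sent.items()
    }


if __name__ == "__main__":
    # Constructed sample: the DNS-cluster ransomware case from the article, early warning
    # sent the same afternoon and the 72h notification sent a day ahead of its deadline.
    inc = Incident(
        aware_at=datetime(2026, 5, 3, 9, 0, tzinfo=CEST),
        early_warning_sent=datetime(2026, 5, 3, 17, 30, tzinfo=CEST),
        notification_sent=datetime(2026, 5, 5, 15, 0, tzinfo=CEST),
    )
    due = deadlines(inc)
    for stage, line in report(inc, now=datetime(2026, 5, 20, 10, 0, tzinfo=CEST)).items():
        print(f"{stage:14s} due {due[stage]}  -> {line}")
```

Because the 72h notification in the sample went out on 5 May at 15:00, the final report falls due on 5 June at 15:00, not on 3 June (T0 + one month) and not on 6 June (T0 + 72h + one month); this is the anchoring detail most playbooks get wrong.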
After (closure and evidence)
- Proof of compliance: archive correspondence, decisions, logs and technical artifacts (screenshots, hashes, intervention tickets) — ENISA provides “evidence” examples useful for audits. ENISA — NIS2 Technical Implementation Guidance.
- Improvements: update dependency mapping, risk matrices, Article 21 controls (MFA, access management, encryption, continuity). ILR — Security measures and supervision.
Minimalist “template” for contents
- 24h early warning: detection date/time; brief description; suspected unlawful act; affected sectors/Member States; impacted services; preliminary indicators; immediate measures; 24/7 point of contact. Directive Art. 23; ILR — Notification.
- 72h notification: confirmed scope; technical analysis (TTPs, IoCs); affected systems and data; critical dependencies (suppliers/customers); deployed technical/organizational measures; user/customer communications; assistance/coordination needs.
- Final report (≤ 1 month after the 72h notification; progress report instead if the incident is still ongoing): timestamped timeline; root cause; quantified impact; key evidence; corrective measures deployed and prevention plan; lessons learned; remaining items/residual risks.
In Luxembourg, prioritize ILR (or CSSF for financial entities) and the national CSIRT CIRCL, which publishes its reporting modalities. CIRCL — Report; NIS 2 FAQ — ILR.
Common audit pitfalls
- Waiting for “certainty” before the early warning. Art. 23(4)(a) requires the early warning “without undue delay and in any event within 24 hours” of becoming aware, even with incomplete information; the 72h notification and interim reports exist precisely to complement it, and Art. 23(1) states that notifying does not increase your liability. Directive Art. 23.
- Notifying the wrong counterpart. Verify your competent authority (ILR vs CSSF) according to the actual activity covered by NIS 2. NIS 2 FAQ — ILR.
- Forgetting GDPR coordination. If personal data are affected, also notify the CNPD under GDPR Art. 33 (72h from awareness of the breach); NIS 2 foresees information bridges between competent authorities and data protection authorities (Arts. 31(3) and 35), but they do not notify on your behalf. Directive (EU) 2022/2555, Arts. 31 and 35.
- Poor evidence and timestamps. Reports without logs, IoCs, hashes or detailed timelines hinder assessment and the defense of proportionality of measures.
- Underestimating the supply chain. NIS 2 strengthens supplier risk management obligations (Art. 21); document critical dependencies and cascading impacts. ENISA — NIS2 Technical Implementation Guidance.
Official sources
- Directive (EU) 2022/2555 (“NIS 2”), Article 23 — incident notification obligations, deadlines and expected content. Publications Office: https://op.europa.eu/en/publication-detail/-/publication/20207a5f-c57c-11ee-95d9-01aa75ed71a1/language-en.
- ILR — NIS 2 incident notification (24h/72h/1 month process): https://www.ilr.lu/secteurs-activites/niss/nis-2/notification-incident-nis2/.
- ILR — Scope (Annexes I/II, size‑cap, self‑registration): https://www.ilr.lu/secteurs-activites/niss/nis-2/champ-application/.
- ILR — Security measures and supervision (Arts. 20/21, ex ante/ex post): https://www.ilr.lu/en/sectors/niss/nis-2/security-measures-and-supervision-under-nis2/.
- ILR — NIS 2 FAQ (ILR/CSSF allocation by sectors; deadline reminders): https://www.ilr.lu/faq/niss/.
- CIRCL — national CSIRT, reporting channels: https://www.circl.lu/report/.
- ENISA — NIS2 Technical Implementation Guidance (evidence, implementation): https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance.
- ENISA — Threats and Incidents (practical reminders on 24h/72h): https://www.enisa.europa.eu/topics/state-of-cybersecurity-in-the-eu/threats-and-incidents.
Timeline note: as of 3 May 2026, some ILR pages still refer to the national draft law, but ILR already publishes the 24h/72h/1‑month process and targeted sectors. Check your sector obligations (ILR vs CSSF) and prepare your notification templates accordingly.
Luxgap regulatory expertise article.