
NIS 2 – Article 21 in Luxembourg: what does the ILR actually check?

Article 21 of NIS 2 sets 10 families of minimum measures. The ILR announces ex ante/ex post supervision focused on these measures and management accountability. Here is how to comply efficiently.

The general rule

Directive (EU) 2022/2555 (NIS 2) requires essential and important entities to implement “appropriate and proportionate” technical, organizational and operational measures to manage risks to network and information systems security and to reduce incident impact. These measures cover at least 10 areas listed in Article 21(2) (information security risk policy, incident handling, business continuity, supply chain, secure development, effectiveness assessment, cyber hygiene/training, cryptography, HR security/access controls/asset management, MFA/secure communications). See the official text on EUR‑Lex, Article 21. (eur-lex.europa.eu)

In Luxembourg, the ILR clarifies that Article 20 of NIS 2 makes management bodies accountable: they “approve” the risk management measures under Article 21, supervise their implementation, and may be held liable in case of non-compliance. The ILR also outlines the supervisory model: reinforced ex ante supervision for “essential entities,” ex post for “important entities.” (ilr.lu)

Sector note: for financial entities (supervised by the CSSF), NIS 2 acknowledges DORA and avoids duplication; some NIS 2 obligations do not apply to them or are coordinated with DORA. See the NIS 2 recitals and cross-references. (nis2resources.eu)

What the regulator says

  • ILR – “Security measures and supervision under NIS 2.” The ILR restates Article 21(1) and (2), recalls management accountability (Art. 20), and announces the possibility to request additional information on implemented measures after an incident. The page also describes the supervision mechanics (ex ante for essential; ex post for important). (ilr.lu)
  • ILR – NIS 2 FAQ. The ILR confirms its role as competent authority (based on Bill 8364) for most sectors (CSSF remains competent for certain financial perimeters and digital infrastructure). The FAQ explains that Article 21(2)(h) and (j) require an “all‑hazards” approach to cryptography and MFA and recommends alignment with European and international standards. (ilr.lu)
  • ENISA – NIS 2 Technical Implementation Guidance. ENISA provides a practical guide to implement Article 21 measures for “digital infrastructure, ICT service management and digital providers,” with evidence examples and requirement mappings. (enisa.europa.eu)
  • EU text – EUR‑Lex. For exact requirements and responsibilities (Articles 20 and 21), refer to the consolidated version of NIS 2. (eur-lex.europa.eu)

How to apply it in practice

Before you start, determine whether you are an “essential” or “important” entity under Annex I/II and the size‑cap (with exceptions for electronic communications providers, trust service providers, TLD, DNS, etc.). The ILR details these criteria and exceptions. (ilr.lu)

1) Before – scope and document

  • Governance and accountability (Art. 20): have the board/executive approve a cyber risk management policy covering the 10 domains of Art. 21(2). Plan regular training for directors and their oversight role. Expected evidence: board minutes, IS policy charter, directors’ training plan. (ilr.lu)
  • All‑hazards risk analysis (21(1)): run an EBIOS or ISO 27005 risk analysis covering cyber and physical threats to critical systems, including providers and OT where applicable. Evidence: asset register, dependency mapping, risk report and treatment plan. (eur-lex.europa.eu)
  • Supply chain (21(2)(d)): tier suppliers by criticality, require security clauses, pentests/third‑party assurance for managed services/MSSP, validate data location and remote access. Evidence: criticality matrices, clauses, audit results. (eur-lex.europa.eu)
  • MFA and encryption (21(2)(h) and (j)): define a crypto policy (algorithms, key sizes, lifecycle, KMS/HSM) and an MFA standard by use case (admin, remote access, sensitive transactions). ILR recommends aligning to EU/international best practices; ENISA provides technical guidance. Evidence: policies, configurations, exception logs. (ilr.lu)

2) During – operate and monitor

  • Incident handling (21(2)(b)): establish a SOC/CSIRT process with escalation and notification procedures. For NIS 2 timelines (early warning 24h, notification 72h, final report 1 month), the ILR provides a detailed guide and uses SERIMA as the central portal. Evidence: playbooks, alert logs, exercises. (ilr.lu)
  • Business continuity and recovery (21(2)(c)): test restores of encrypted backups, DR/BCP, crisis management with secure communications (explicit requirement under 21(2)(j)). Evidence: test reports, failover logs, crisis cell minutes. (eur-lex.europa.eu)
  • Secure development and vulnerability management (21(2)(e)): integrate SAST/DAST, SBOM, and a coordinated vulnerability disclosure (CVD) policy. ENISA provides mappings and evidence examples. Evidence: CI/CD pipelines, remediation tickets, CVD program. (enisa.europa.eu)
  • Effectiveness assessment and cyber hygiene/training (21(2)(f) and (g)): implement KPIs/KRIs, anti‑phishing campaigns, hardening, and patching. Evidence: dashboards, compliance reports, training attestations. (eur-lex.europa.eu)

3) After – improve and respond to the supervisor

  • Ex ante/ex post: if you are an “essential entity,” anticipate ILR requests on your measures (ex ante). “Important entities” may be contacted after an incident or upon specific request. The ILR states this on its site and in the FAQ. Prepare an “evidence file” aligned to the 10 domains. (ilr.lu)
  • ENISA leverage: use the “Technical Implementation Guidance” to structure your controls and artifacts (policies, logs, test reports, execution evidence). (enisa.europa.eu)

Concrete example

“Important” SME in the energy sector:

  • Before: management approves an IS policy, a crypto policy (AES‑256/GCM at rest, TLS 1.3 in transit, 12‑month key rotation), and an MFA standard (FIDO2 for admins, TOTP for users).
  • During: external SOC with a 15‑minute SLA for critical incident detection; immutable backups 7/14/30; semi‑annual DR tests; SBOM for internal apps; published CVD.
  • After: following a phishing incident, ILR notification via SERIMA within 72h; upon ILR request, provide the privileged access register, MFA activation evidence, and the supplier criticality matrix. Controls and evidence structured per ENISA. (ilr.lu)
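To show how the “evidence file” for this SME could be produced rather than hand-assembled, here is an added example script (not Luxgap’s, the ILR’s or ENISA’s code) that checks a constructed system and account inventory against the policy values stated above (AES‑256/GCM at rest, TLS 1.3 in transit, 12‑month key rotation, FIDO2 for admins, TOTP for users) and computes the NIS 2 notification deadlines from a detection time. The record types, field names and sample inventory are assumptions made for the example; the “one month” final report is taken as 30 days after the 72h notification, which is also an assumption.

```python
"""Policy conformance checks for the 'Important SME' example.

Added illustration, not code from Luxgap, the ILR or ENISA. Thresholds come from
the article's example policy; inventory records and field names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=365)      # 12-month key rotation from the crypto policy
APPROVED_CIPHER = "AES-256-GCM"        # required at rest
MIN_TLS = (1, 3)                       # TLS 1.3 in transit
# MFA standard: FIDO2 for admins, TOTP for users (FIDO2 also accepted for users: assumption)
REQUIRED_MFA = {"admin": {"FIDO2"}, "user": {"FIDO2", "TOTP"}}


@dataclass
class SystemRecord:          # hypothetical asset-register row
    name: str
    cipher_at_rest: str
    tls_version: str         # e.g. "1.2"
    key_created: datetime


@dataclass
class AccountRecord:         # hypothetical privileged-access register row
    username: str
    role: str                # "admin" or "user"
    mfa_methods: frozenset   # methods actually enrolled


def check_systems(systems, now):
    """Return (system, control, detail) findings for cipher, TLS and key-age gaps."""
    findings = []
    for s in systems:
        if s.cipher_at_rest != APPROVED_CIPHER:
            findings.append((s.name, "cipher", f"{s.cipher_at_rest} is not {APPROVED_CIPHER}"))
        major, minor = (int(x) for x in s.tls_version.split("."))
        if (major, minor) < MIN_TLS:
            findings.append((s.name, "tls", f"TLS {s.tls_version} is below 1.3"))
        age = now - s.key_created
        if age > KEY_MAX_AGE:
            findings.append((s.name, "key-rotation", f"key age {age.days} days exceeds 365"))
    return findings


def check_accounts(accounts):
    """Return (account, control, detail) findings for accounts missing the required MFA."""
    findings = []
    for a in accounts:
        allowed = REQUIRED_MFA.get(a.role)
        if allowed is None:
            findings.append((a.username, "role", f"unknown role {a.role}"))
        elif not (a.mfa_methods & allowed):
            findings.append((a.username, "mfa", f"{a.role} lacks {'/'.join(sorted(allowed))}"))
    return findings


def notification_deadlines(detected_at):
    """NIS 2 reporting timeline as stated in the article: early warning 24h,
    notification 72h, final report one month after the notification (30 days assumed)."""
    notification = detected_at + timedelta(hours=72)
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "notification": notification,
        "final_report": notification + timedelta(days=30),
    }


def evidence_summary(systems, accounts, now):
    """KPI-style counts plus the detailed findings, suitable for the evidence file."""
    sys_f = check_systems(systems, now)
    acc_f = check_accounts(accounts)
    return {"system_findings": len(sys_f), "account_findings": len(acc_f),
            "findings": sys_f + acc_f}


# Constructed sample data for the example
NOW = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_SYSTEMS = [
    SystemRecord("erp-db", "AES-256-GCM", "1.3", datetime(2025, 9, 1, tzinfo=timezone.utc)),
    SystemRecord("scada-hist", "AES-128-CBC", "1.2", datetime(2024, 1, 15, tzinfo=timezone.utc)),
]
SAMPLE_ACCOUNTS = [
    AccountRecord("ops-admin", "admin", frozenset({"FIDO2"})),
    AccountRecord("backup-admin", "admin", frozenset({"TOTP"})),
    AccountRecord("jdoe", "user", frozenset({"TOTP"})),
    AccountRecord("svc-legacy", "user", frozenset()),
]

if __name__ == "__main__":
    for finding in evidence_summary(SAMPLE_SYSTEMS, SAMPLE_ACCOUNTS, NOW)["findings"]:
        print(" | ".join(finding))
    for stage, deadline in notification_deadlines(NOW).items():
        print(f"{stage}: {deadline.isoformat()}")
```

Run on the sample data, the script flags the legacy historian three times (cipher, TLS version, key age) and two accounts (an admin enrolled only in TOTP, a user with no MFA at all); those rows, together with the computed deadlines, are exactly the kind of dated, reproducible artefact the ILR can ask for after an incident.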

Common pitfalls

  • Assuming “MFA = everywhere, anyhow”. ILR stresses an all‑hazards approach and alignment with standards: without a risk‑based, use‑case‑specific MFA policy, you may fail the “appropriateness/proportionality” test under Article 21. (ilr.lu)
  • Overlooking the digital supply chain (MSSP, cloud, M365). Article 21(2)(d) explicitly cites the supply chain: lack of due diligence, cyber clauses and audit evidence is a common reason for ILR requests. (eur-lex.europa.eu)
  • Equating continuity with backups only. NIS 2 also targets crisis management and secure emergency communications (21(2)(c) and (j)). Without a comms plan and out‑of‑band encrypted channel, resilience is incomplete. (eur-lex.europa.eu)
  • Forgetting management accountability. The ILR puts Art. 20 front and center: no director training and no formal approval of the measures means potential non‑compliance and personal liability. (ilr.lu)
  • Confusing NIS 2 with the DORA/CSSF scope. Financial entities must coordinate their controls across both regimes: NIS 2 recognizes DORA to avoid duplication. Ignoring this coordination creates gaps or unnecessary redundancies. (nis2resources.eu)

Official sources

Luxembourg context note (May 2026): the ILR indicates on its NIS 2 pages that its explanations may evolve “particularly depending on transposition,” and confirms, via its FAQ, the ILR/CSSF roles as foreseen by Bill 8364. Check ILR updates regularly. (ilr.lu)
