
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)

Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.

Trigger. Since the entry into force of the 5 May 2026 law (NIS 2 transposition), the ILR has published a “Security measures and supervision” page detailing, point by point, the minimum requirements of Article 21 and the associated supervision regime. Takeaway: management must approve and evidence these measures, including MFA and supply chain controls. See ILR — Entry into force (May 2026) and ILR — Security measures and supervision. Legal text: EUR‑Lex — Directive (EU) 2022/2555 (Arts. 20 and 21).

The case

On 5 May 2026, Luxembourg transposed Directive (EU) 2022/2555 (NIS 2). The ILR, competent for many sectors, confirmed the entry into force and provides an operational “NIS 2” corpus including a structured “Security measures and supervision” page, reproducing the ten minimum measures under Article 21(2) and the responsibility of management bodies (Art. 20). The page highlights the requirement to use “multi-factor or continuous authentication” and “secure voice, video and text communications” within the entity, and differentiates ex ante/ex post supervision for essential versus important entities. References: ILR — Entry into force, ILR — Security measures and supervision.

Supporting this, ENISA published on 26 June 2025 a “NIS2 Technical Implementation Guidance” to operationalise these measures (expected evidence, examples, mappings). Non‑binding but recommended by authorities: ENISA — NIS2 Technical Implementation Guidance (26/06/2025). The ILR complements this with FAQs and clarifies supervision and notification tooling (SERIMA): ILR — NIS2 FAQ and ILR — SERIMA.

Legal reasoning

  • Baseline. Article 21(1) requires “appropriate and proportionate technical, operational and organisational measures” to manage ICT risk and “prevent or minimise” incident impact. Article 21(2) lists ten areas: risk analysis and information‑system security policies; incident handling; business continuity (backup management, disaster recovery and crisis management); supply chain security; secure acquisition, development and maintenance, including vulnerability handling and disclosure; assessment of the effectiveness of the measures; basic cyber hygiene and cybersecurity training; cryptography and encryption policies; HR security, access control and asset management; and MFA or continuous authentication together with secured communications. Reference: EUR‑Lex Art. 21.
  • Governance. Article 20 makes the management body accountable: it approves the Article 21 measures, oversees execution, and may be held liable for non‑compliance. ILR reiterates this and expects regular training for management to assess cybersecurity risk. See “Management bodies responsibility”. To structure this oversight, consider virtual CISO support.
  • Supervision. Differentiated regime: essential entities under “full” supervision (ex ante + ex post), important entities under ex post only. In practice, deliverables (e.g., security measures description, risk assessment) can be requested regularly for essentials; important entities provide them “after an incident and on request”. See ILR — Supervision.
  • Method. ENISA guidance translates obligations into auditable controls and evidence (examples, mappings), notably for “digital infrastructure”, “ICT service management” and “digital providers”. Reference: ENISA — Guidance 2025.

For local framing, see the NIS 2 framework in Luxembourg and our NIS 2 Luxembourg page.

What changes in practice

  • MFA and secure communications. Not “nice‑to‑have” but explicit requirements: “use of multi‑factor or continuous authentication” and “secure voice, video and text communications” within the entity (Art. 21(2)(j)). For a Luxembourg group: robust MFA for VPN/SSO, risk‑appropriate end‑to‑end encrypted messaging, and emergency procedures. Ref.: ILR — Security measures.
  • Supply chain. Art. 21(2)(d) covers risks tied to direct suppliers and service providers. In practice: security due diligence, contractual clauses, SOC 2/ISO 27001 reviews, vulnerability disclosure expectations, and continuous monitoring evidence. Refs.: EUR‑Lex Art. 21(2)(d) and ENISA — Guidance 2025.
  • Continuity and backups. Art. 21(2)(c) targets BCP/DRP and backup management. For executives: encrypted, isolated and tested backups; timestamped recovery plans; RTO/RPO aligned to scenarios. Ref.: EUR‑Lex Art. 21(2)(c). To accelerate implementation, leverage business continuity planning.
  • Essential vs important. “Important” entities cannot opt out of measures: Art. 21 applies to all; only supervision differs. Expect ILR requests “after incident and on request” to evidence your measures. Ref.: ILR — Supervision.
  • Local implementation. ILR clarifies NISS missions and use of SERIMA for incident handling/notification (mainly Art. 23): ILR — NISS missions and ILR — SERIMA.

Concrete examples

  • Hospital (essential). Up‑to‑date asset inventory, MFA for remote clinical access, EDR/XDR, OT/IoT segmentation, tested immutable backups, IR playbooks and crisis exercises; provide ex ante a description of measures and, post‑incident, complete on request. Ref.: ILR — Ex ante/ex post supervision.
  • MSP (important). Vulnerability disclosure policy, proof of regular patching, security clauses in client and supplier contracts, strong MFA/SSO. An important entity is not exempt from any of the measures; it is only exempt from regular submissions, which are due on request or after an incident. Ref.: EUR‑Lex Art. 21.

Common pitfalls

  1. Equating “proportionate” with “optional”. Proportionality under Art. 21(1) does not allow skipping MFA, tested backups or vulnerability management where risk requires it; ILR lists these as expected. Ref.: ILR — Security measures.
  2. Limiting supply chain scope to “critical” suppliers only. Art. 21(2)(d) targets relevant direct suppliers and service providers; an HR SaaS can expose sensitive data and must be covered (due diligence, clauses, evidence). Ref.: EUR‑Lex Art. 21(2)(d).
  3. Failing to formally involve the management body. Art. 20 requires approval and oversight by management, with regular training. ILR makes this explicit: record decisions, trainings, and reviews. Ref.: Responsibility of management bodies. For reinforcement, see our NIS 2 Luxembourg overview.
  4. Paper‑only continuity without evidence. ENISA expects verifiable artefacts: restoration test reports, exercise results, replication logs, evidence of backup isolation. Ref.: ENISA — Guidance 2025.
  5. Blurring NIS 2 and GDPR without mapping. They may converge (encryption, access control) but differ in legal bases and evidence regimes; document shared controls and proof for each. For privacy compliance context, see GDPR in Luxembourg. Also consult the NIS 2 framework in Luxembourg.

These documents, published or updated between June 2025 and May–June 2026, set the reference baseline. For Luxembourg executives, the line is clear: have your board approve the measures (Art. 20), explicitly align them to the ten minimum requirements (Art. 21), and build a verifiable evidence dossier meeting ILR expectations. Need support? Reach out via our contact page.

Luxgap regulatory expertise article.
