
Regulatory watch

NIS 2 Luxembourg: 5 May 2026 law published, ILR self-registration window until 10 July 2026

Luxembourg's 5 May 2026 law transposing the NIS 2 directive entered into force on 10 May. Essential and Important Entities must self-register with the ILR by 10 July 2026.

Luxembourg's law of 5 May 2026 transposing Directive (EU) 2022/2555 (NIS 2) was published in the Memorial on 10 May 2026 (Memorial A No. 225) and entered into force on the same day. For affected organisations, the legal countdown has begun.

The bottom line

Key point: a two-month statutory window has opened for self-registration with the Luxembourg Institute of Regulation (ILR), the designated competent authority for NIS 2 operators. The deadline is 10 July 2026. All in-scope entities must register via the dedicated portal: ilr.lu/secteurs-activites/niss/nis-2.

Self-registration is more than a formality: it triggers official classification as an Essential Entity (EE) or Important Entity (IE), and determines the scope of inspections, incident reporting obligations and the basis for calculating sanctions.

Who is in scope?

The law distinguishes two categories of obligated entities based on the directive's criteria:

  • Essential Entities: large companies (>250 employees or >EUR 50M turnover) in 11 critical sectors (energy, transport, banking, financial markets, healthcare, drinking water and waste water, digital infrastructure, ICT service management B2B, public administration, space, manufacture of chemical and pharmaceutical products).
  • Important Entities: medium-sized companies (50-250 employees or EUR 10-50M turnover) in the same sectors, plus 7 additional sectors (postal and courier services, waste management, manufacturing, food production and distribution, research, digital services).

The ILR has already identified over 1,200 Luxembourg companies as potentially in scope, which should receive an individual notification. But self-registration remains a positive obligation: not having received a letter from the ILR does not exempt an organisation from the requirement if it meets the criteria.

What to prepare for registration

In practical terms, the ILR form requires:

  • Company identification (RCS, NACE activity code, headcount, turnover).
  • Details of a security point of contact (often the CISO), reachable by email and phone 24/7.
  • List of critical services provided and operating sites in Luxembourg.
  • Where applicable, identification of the European representative (for entities not established in the EU).

Before filling in the form, plan a formal internal nomination of the cyber officer, or the appointment of an external CISO under mandate if the function is not staffed. The law makes senior management personally liable for breaches (Article 20 of the directive).

After registration: triggered obligations

Self-registration is only the entry point. Once identified, the operator must:

  • Implement a cyber risk management policy (Article 21 of the directive) covering 10 minimum measures: risk analysis, incident handling, business continuity, supply chain security, acquisition and development security, effectiveness assessment, cyber hygiene and training, cryptography, HR security and access, MFA.
  • Set up a process for notifying incidents to the ILR: initial alert within 24 hours, intermediate report within 72 hours, final report within 1 month.
  • Have the cyber policy validated by the governance body (board or executive management). Directors must complete cyber training.
  • Audit the ICT supply chain and insert NIS 2 clauses in contracts with critical providers.

Penalties for breach

The transposition law replicates the ceilings set by the directive. For Essential Entities: administrative fine up to EUR 10 million or 2% of annual worldwide turnover, whichever is higher. For Important Entities: up to EUR 7 million or 1.4% of worldwide turnover.

To these are added immediate corrective measures (injunctions, temporary suspension of certification or activity) and the personal liability of senior management (individual sanctions, temporary prohibition from holding executive positions in the affected sector).

How Luxgap helps

Eight weeks is a tight window for organisations starting from scratch. Our External CISO approach covers the full sequence: nomination of a cyber officer declared to the ILR, drafting of the risk management policy, deployment of the 24h incident alert system, supply chain audit, and board cyber training.

For financial sector entities (banks, PSF, funds, insurance), NIS 2 obligations stack with those of DORA (in force since 17 January 2025). The CSSF coordinates with the ILR on this dual regulation. Our CISO Luxembourg mandate addresses both frameworks in a single programme.
