AI Act · NIS 2 · GDPR · DORA · Whistleblowing

Your legal obligations, without the jargon.

Five laws now structure digital compliance in Luxembourg. Below: who is in scope, key obligations, deadlines and sanctions for each. To know exactly what applies to you, build your quote or write to us.

🛡️  GDPR, General Data Protection Regulation

In scope
Any organisation processing personal data of European residents. No size exception.
Obligations
Records of processing, DPO appointment where processing is large-scale, DPIAs for high-risk processing, breach notification within 72 hours, data subject rights.
Deadline
In force since May 2018. The Luxembourg CNPD enforces actively.
Sanctions
Up to €20M or 4% of global turnover. Over €30M in fines issued in Luxembourg.
How Luxgap helps: Our external DPO mandate covers all these obligations.

Everything about this law →

⚔️  NIS 2, Network and Information Security

In scope
Essential or important entities: energy, transport, banking, health, water, digital infrastructure, postal services, government, research, manufacturing, food (over 50 staff or €10M turnover).
Obligations
Cyber risk management policy, identified security officer, board training, incident reporting within 24 hours, supply chain security.
Deadline
Transposed in Luxembourg in 2024. ILR/HCPN inspections have started.
Sanctions
Up to €10M or 2% of global turnover. Personal liability for directors for governance failure.
How Luxgap helps: Our external CISO mandate covers the full programme.

Everything about this law →

🏦  DORA, Digital Operational Resilience Act

In scope
Financial sector: banks, insurers, asset managers, funds, market infrastructure, crypto-asset service providers, depositaries, critical IT providers serving these entities.
Obligations
ICT risk management framework, incident register, resilience testing (TLPT for critical actors), management of critical ICT third parties with mandatory clauses, regulator reporting.
Deadline
Applicable since 17 January 2025. The Luxembourg CSSF has issued its circulars.
Sanctions
Graduated fines from the CSSF, up to licence withdrawal in case of a major breach.
How Luxgap helps: DORA gap analysis + full implementation (BCP, incident register, third-party register).

Everything about this law →

🤖  AI Act, European AI Regulation

In scope
Any provider, deployer, importer or distributor of AI systems in Europe. Extraterritorial scope (a non-EU provider placing an AI system on the European market is in scope).
Obligations
Prohibition of unacceptable practices (social scoring, manipulation), strict requirements for high-risk AI (biometrics, HR, credit, justice, infrastructure), transparency obligations for generative AI, foundation model governance.
Deadline
Staggered deadlines: prohibitions in force since February 2025, transparency duties from August 2026, high-risk AI from August 2027.
Sanctions
Up to €35M or 7% of global turnover for prohibited practices, heavier than under the GDPR.
How Luxgap helps: Our AI advisory covers AI Act scoping, system mapping and the compliance plan.

Everything about this law →

🔔  Whistleblowing

In scope
Any public or private organisation with more than 50 staff.
Obligations
Internal reporting channel, confidentiality of the whistleblower, alert handling within 3 months, feedback.
Deadline
Luxembourg law of 16 May 2023, in force. Supervised by the Office of Whistleblower Affairs.
Sanctions
Up to €250,000 for the organisation, personal sanctions for directors in case of retaliation.
How Luxgap helps: Externalised channel, training of focal points, annual reporting.

Everything about this law →

Want to know exactly what applies to you?

Build your quote by ticking the obligations that concern you; we get back within one business day with a costed action plan.

Build my quote →