AI Act · NIS 2 · GDPR · DORA · Whistleblowing · CSSF

Your legal obligations, without the jargon.

Five laws now structure digital compliance in Luxembourg. Below: who is in scope, key obligations, deadlines and sanctions for each. To know exactly what applies to you, build your quote or write to us.

European framework

EU regulations and directives applicable in Luxembourg.

🛡️  GDPR, General Data Protection Regulation

In scope
Any organisation processing personal data of European residents. No size exception.
Obligations
Records of processing, DPO appointment if large-scale processing, DPIAs for high-risk processing, breach notification within 72 hours, data subject rights.
Deadline
In force since May 2018. The Luxembourg CNPD enforces actively.
Sanctions
Up to €20M or 4% of global turnover. Over €30M in fines issued in Luxembourg.
How Luxgap helps: Our external DPO mandate covers all these obligations.

Everything about this law → Browse articles →

⚔️  NIS 2, Network and Information Security

In scope
Essential or important entities: energy, transport, banking, health, water, digital infrastructure, postal services, government, research, manufacturing, food (over 50 staff or €10M turnover).
Obligations
Cyber risk management policy, identified security officer, board training, incident reporting within 24 hours, supply chain security.
Deadline
Transposed in Luxembourg in 2024. ILR/HCPN inspections have started.
Sanctions
Up to €10M or 2% of global turnover. Personal liability for directors for governance failure.
How Luxgap helps: Our external CISO mandate covers the full programme.

🏦  DORA, Digital Operational Resilience Act

In scope
Financial sector: banks, insurers, asset managers, funds, market infrastructure, crypto-asset service providers, depositaries, critical IT providers serving these entities.
Obligations
ICT risk management framework, incident register, resilience testing (TLPT for critical actors), management of critical ICT third parties with mandatory clauses, regulator reporting.
Deadline
Applicable since 17 January 2025. The Luxembourg CSSF has issued its circulars.
Sanctions
Graduated fines from the CSSF, up to licence withdrawal in case of major breach.
How Luxgap helps: DORA gap analysis + full implementation (BCP, incident register, third-party register).

🤖  AI Act, European AI Regulation

In scope
Any provider, deployer, importer or distributor of AI systems in Europe. Extraterritorial scope (a non-EU provider placing an AI system on the European market is in scope).
Obligations
Prohibition of unacceptable practices (social scoring, manipulation), strict requirements for high-risk AI (biometrics, HR, credit, justice, infrastructure), transparency obligations for generative AI, foundation model governance.
Deadline
Staggered deadlines: prohibitions in force since February 2025, transparency duties August 2026, high-risk AI August 2027.
Sanctions
Up to €35M or 7% of global turnover for prohibited practices, heavier than under the GDPR.
How Luxgap helps: Our AI advisory covers AI Act scoping, system mapping and the compliance plan.

🔔  Whistleblowing

In scope
Any public or private organisation with more than 50 staff.
Obligations
Internal reporting channel, confidentiality of the whistleblower, alert handling within 3 months, feedback.
Deadline
Luxembourg law of 16 May 2023, in force. Supervised by the Office of Whistleblower Affairs.
Sanctions
Up to €250,000 for the organisation, personal sanctions for directors in case of retaliation.
How Luxgap helps: Externalised channel, training of focal points, annual reporting.

Luxembourg financial sector — DORA & CSSF circulars

The framework applicable to Luxembourg financial entities (banks, PFS, payment and e-money institutions, management companies, funds): the DORA technical standards (including the TLPT testing RTS, implemented via TIBER-LU) and the CSSF circulars on cybersecurity, ICT risk management, outsourcing, cloud and governance. Each text is broken down section by section, with Luxgap practical guidance.

TLPT RTS (EU 2025/1190)
Commission Delegated Regulation (EU) 2025/1190 on threat-led penetration testing (TLPT) un
The DORA technical standards for threat-led penetration testing, implemented in Luxembourg via TIBER-LU under CSSF authority.
9 sections analysed →
CSSF 25/883
CSSF Circular 25/883 amending CSSF 22/806 to align with DORA
The CSSF amendment aligning circular 22/806 with DORA, in force since 9 April 2025.
5 sections analysed →
CSSF 25/882
CSSF Circular 25/882 on requirements for ICT third-party services for DORA entities
CSSF practical expectations on ICT third-party providers, complementing the DORA Regulation.
4 sections analysed →
CSSF 25/881
CSSF Circular 25/881 amending CSSF 20/750 on ICT and security risk management
Aligning the foundational 20/750 circular (ICT risks) with the DORA Regulation.
4 sections analysed →
CSSF 25/880
CSSF Circular 25/880 on payment service user relationships and PSP ICT assessment
CSSF expectations for PSP customer relationships and ICT self-assessment, in the wake of DORA.
3 sections analysed →
CSSF 22/806
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883)
The CSSF framework for outsourcing and cloud arrangements of Luxembourg financial entities.
28 sections analysed →
CSSF 20/750
CSSF Circular 20/750 on ICT and security risk management requirements
The CSSF foundation for ICT risk and information security management in the financial sector.
4 sections analysed →
CSSF 12/552
CSSF Circular 12/552 on central administration, internal governance and risk management
The CSSF framework for internal governance and control of banks and investment firms.
17 sections analysed →
CSSF 11/504 (repealed)
CSSF Circular 11/504 (repealed) on frauds and incidents due to external IT attacks
REPEALED on 1 April 2024 and replaced by CSSF Circular 24/847. Kept for reference: former obligation to report frauds and IT attac
2 sections analysed →
CSSF 24/847
CSSF Circular 24/847 on the ICT-related incident reporting framework
The CSSF ICT-incident reporting framework replacing 11/504, articulating DORA, the NIS Law and CSSF Regulation 24-01.
4 sections analysed →

Financial entity subject to DORA and these circulars? Our CISO mandate dedicated to the financial sector covers everything: ICT risk management, provider register, exit plans, resilience testing, CSSF dialogue.

Want to know exactly what applies to you?

Build your quote by ticking the obligations that concern you; we get back to you within one business day with a costed action plan.

Build my quote →