NIS 2, the EU cybersecurity directive 2022/2555.

NIS 2 (EU directive 2022/2555) replaces the 2016 NIS directive and significantly broadens the scope of organisations subject to cyber obligations. Transposed in Luxembourg in 2024, it has been applicable since 17 October 2024. What does it change for you?

Who is concerned?

NIS 2 distinguishes two categories, essential entities (EE) and important entities (IE), based on sector and size. Highly critical sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, B2B ICT management, public administration, and space.

The Luxembourg ILR and ANSSI Lux have been designated as supervisory authorities.

Key obligations

  • Technical and organisational measures (Article 21): security policy, risk management, incident handling, business continuity, supply chain security, acquisition and development security, effectiveness assessment, cyber training, cryptography, identity management, secure communications.
  • Incident notification (Article 23): early warning within 24 h, incident notification within 72 h, final report within 1 month.
  • Management governance and liability (Article 20): leadership approves measures, oversees implementation, and is personally liable in case of demonstrated failure.

Deadlines

Luxembourg's NIS 2 transposition law entered into force on 17 October 2024. All concerned entities must already be compliant. Inspections began in 2025.

Sanctions for non-compliance

Administrative sanctions: up to €10 million or 2% of worldwide turnover for essential entities; €7 million or 1.4% for important entities. The directive provides for personal liability of executives: temporary disqualification from management duties.

How Luxgap helps

Our external CISO mandate covers the full NIS 2 requirements. For organisations unsure whether they are concerned, we offer a NIS 2 eligibility diagnosis within 5 business days.

Let's set up your NIS 2 compliance.

Configure a quote for a CISO mandate or a targeted NIS 2 audit. Reply within one business day.
