Subject matter

Directive on the security of network and information systems · UE 2022/2555

Subject matter

1. This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.

2. To that end, this Directive lays down:

(a)	obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);

(b)	cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557;

(c)	rules and obligations on cybersecurity information sharing;

(d)	supervisory and enforcement obligations on Member States.

Luxembourg specificity

loi du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, NIS 2 is transposed by the law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025. The Institut Luxembourgeois de Regulation (ILR) is the national competent authority: it nominally designates essential and important operators, receives incident notifications (via the MISP-LU platform or its dedicated portal), conducts inspections and imposes administrative sanctions (up to 10 M EUR or 2% of worldwide turnover for essential entities, 7 M EUR or 1.4% for important entities). GOVCERT.LU acts as national CSIRT for the public sector and CIRCL for the private sector.

Luxgap practice: quarterly check the public list of operators designated by the ILR and keep a written record of your non-designation analysis, signed by management, dated and archived. It is the first piece required during an ILR inspection if your status is contested.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Article 1 looks harmless (it just states the subject matter of the Directive), but it actually fixes the scope of everything that follows: Annexes I and II, critical entities under Directive (EU) 2022/2557 (CER), and cascading obligations. The classic trap sanctioned by the ILR and national CSIRTs: organisations that believe they are out of scope because they do not recognise themselves in the sectoral list, while they are in scope through chain effect (subsidiary of an energy group, critical subcontractor of a hospital, cloud provider of a public administration). Result: no cyber strategy, no contact point declared to the ILR, and scope discovered at the first incident.

The 4-question scope test

Annex I or II sector? Energy, transport, banking, health, water, digital infrastructure (DNS, cloud, datacenter, CDN), public administration, postal services, medical device manufacturing, food, chemicals, research, digital providers (marketplaces, search engines, social networks).
Size: at least 50 employees OR 10 M EUR annual turnover (medium enterprise threshold under recommendation 2003/361/EC). Below that, possible forced inclusion by the ILR if the entity is deemed critical.
Explicit designation by the ILR as essential entity (EE) or important entity (IE)? Silence does not mean out of scope: self-identification prevails.
Qualified as critical entity under the CER Directive (EU) 2022/2557? If yes, automatically essential entity under NIS 2.

Secondary trap: even an entity outside the annexes can fall into scope through the supply chain (article 21(2)(d)). Your NIS 2 clients will impose the same obligations contractually, without you being directly designated.

How Luxgap automates this risk

Our Luxgap NIS2 Scope Radar answers the only question that matters before any compliance project: are you in scope, on what basis, and with what level of obligation? The tool cross-references your NACE code, your Luxembourg RCS registration, your headcount declared to CCSS, your turnover filed with RCSL, your application mapping (M365, Azure, AWS, Odoo, Salesforce) and the public list of operators designated by the ILR to produce an enforceable verdict in less than 48 hours.

Automatically determines your qualification (essential entity, important entity, out of scope, indirect scope via supply chain) by cross-referencing NACE code, CCSS headcount and RCSL turnover.
Detects hidden attachments: subsidiary of an essential entity group, critical subcontractor of a Luxembourg hospital, cloud provider of a municipality or ministry.
Checks in real time whether your company name appears on the list of designated operators published by the ILR and alerts as soon as a new designation concerns you.
Maps your NIS 2 clients from your CRM and anticipates the cyber clauses they will impose on you in the next 12 months under article 21(2)(d).
Produces a time-stamped, cryptographically signed PDF report that materialises your scope analysis and constitutes the first piece of the compliance file enforceable against the ILR in case of inspection.
Automatically re-assesses your status every quarter, as soon as a headcount, turnover or activity threshold changes.

Available as a complement to a Luxgap CISO or DPO mandate or as a dedicated SaaS module depending on your perimeter. Request a personalised quote and our teams will prepare a scope analysis on your real perimeter, with a free white audit within 48 hours to materialise your NIS 2 exposure before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Subject matter

They trust us

Before we chat