Article 1

Subject matter

Directive on the security of network and information systems · UE 2022/2555

Subject matter

1.   This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.

2.   To that end, this Directive lays down:

(a)

obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);

(b)

cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557;

(c)

rules and obligations on cybersecurity information sharing;

(d)

supervisory and enforcement obligations on Member States.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersécurité, modifiée par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) designates essential and important operators, receives incident notifications, conducts inspections and imposes administrative sanctions. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes NIS 2 into national law and sets out the mechanism for identifying covered entities.

Luxgap practice: have your essential or important entity qualification validated under the LU law before any notification to the ILR, since the supervision regime and the sanction ceiling (up to EUR 10 million or 2% of worldwide turnover for essential entities) depend directly on it.