Article 22

Union level coordinated security risk assessments of critical supply chains

Directive on the security of network and information systems · UE 2022/2555

Union level coordinated security risk assessments of critical supply chains

1.   The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors.

2.   The Commission, after consulting the Cooperation Group and ENISA, and, where necessary, relevant stakeholders, shall identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.

Luxembourg specificity
loi du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) is the authority that will operationally relay article 22 coordinated assessment conclusions to designated essential and important operators. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, empowers the ILR to mandate specific mitigation measures and verify their implementation, with administrative fines up to the NIS 2 caps (up to EUR 10 million or 2 percent of worldwide turnover for essential entities).

Luxgap practice: anticipate priority ICT categories in Luxembourg (sovereign cloud through LuxConnect / eBRC, local MSSPs, POST telecom equipment) by mapping your dependency on these players now and preparing a documented exit plan, rather than facing a short-notice ILR injunction.