Article 36

Penalties

Directive on the security of network and information systems · UE 2022/2555

Penalties

Member States shall lay down rules on penalties applicable to infringements of national measures adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, by 17 January 2025, notify the Commission of those rules and of those measures and shall notify it, without delay of any subsequent amendment affecting them.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) designates essential and important operators, receives incident notifications, runs inspections and imposes administrative penalties. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes Article 36 and sets the national regime: administrative fines up to EUR 10 million or 2 % of global annual turnover for essential entities, and EUR 7 million or 1.4 % for important entities, with coercive measures that may target directors directly.

Luxgap practice: build a permanent, timestamped evidence file today, because during an inspection the ILR will require you to demonstrate compliance at a given point in time, with the burden of proof on you.