Mutual assistance
Directive on the security of network and information systems · UE 2022/2555
Mutual assistance
1. Where an entity provides services in more than one Member State, or provides services in one or more Member States and its network and information systems are located in one or more other Member States, the competent authorities of the Member States concerned shall cooperate with and assist each other as necessary. That cooperation shall entail, at least, that:
| (a) | the competent authorities applying supervisory or enforcement measures in a Member State shall, via the single point of contact, inform and consult the competent authorities in the other Member States concerned on the supervisory and enforcement measures taken; |
| (b) | a competent authority may request another competent authority to take supervisory or enforcement measures; |
| (c) | a competent authority shall, upon receipt of a substantiated request from another competent authority, provide the other competent authority with mutual assistance proportionate to its own resources so that the supervisory or enforcement measures can be implemented in an effective, efficient and consistent manner. |
The mutual assistance referred to in the first subparagraph, point (c), may cover information requests and supervisory measures, including requests to carry out on-site inspections or off-site supervision or targeted security audits. A competent authority to which a request for assistance is addressed shall not refuse that request unless it is established that it does not have the competence to provide the requested assistance, the requested assistance is not proportionate to the supervisory tasks of the competent authority, or the request concerns information or entails activities which, if disclosed or carried out, would be contrary to the essential interests of the Member State’s national security, public security or defence. Before refusing such a request, the competent authority shall consult the other competent authorities concerned as well as, upon the request of one of the Member States concerned, the Commission and ENISA.
2. Where appropriate and with common agreement, the competent authorities of various Member States may carry out joint supervisory actions.
In Luxembourg, the ILR (Institut Luxembourgeois de Régulation) is the competent authority that conducts inspections, receives incident notifications and may carry out a supervisory measure at the request of a peer authority from another Member State. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, designates the ILR as the single point of contact for cross-border cooperation and the joint supervisory actions provided for under Article 37.
Luxgap practice: precisely document the location of your systems hosted outside Luxembourg (datacenters, cloud), as the ILR may be approached by the authority of the hosting country; prepare a single, multilingual inspection file to respond without delay to any request relayed by the ILR.