Sector-specific Union legal acts
Directive on the security of network and information systems · UE 2022/2555
Sector-specific Union legal acts
1. Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities. Where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.
2. The requirements referred to in paragraph 1 of this Article shall be considered to be equivalent in effect to the obligations laid down in this Directive where:
| (a) | cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2); or |
| (b) | the sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive. |
3. The Commission shall, by 17 July 2023, provide guidelines clarifying the application of paragraphs 1 and 2. The Commission shall review those guidelines on a regular basis. When preparing those guidelines, the Commission shall take into account any observations of the Cooperation Group and ENISA.
In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) is the competent national authority that designates essential and important operators, receives incident notifications and conducts inspections. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes NIS 2 and coordinates this competence with that of the CSSF for the financial sector under DORA. It is the ILR, not the entity itself, that ultimately rules on qualification and any sectoral exemption.
Luxgap practice: for a Luxembourg financial group, explicitly document the CSSF/DORA versus ILR/NIS 2 boundary for each entity, and confirm the exempt perimeter in writing with the ILR before any incident, rather than discovering it during an inspection.