Article 40

Review

Directive on the security of network and information systems · UE 2022/2555

Review

By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of the size of the entities concerned, and the sectors, subsectors and types of entity referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. To that end and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The report shall be accompanied, where necessary, by a legislative proposal.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) designates essential and important operators, receives incident notifications and conducts inspections. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes NIS 2 and allows the ILR to individually designate an entity beyond the automatic thresholds, based on its criticality for the national economy. Scope changes from article 40 reviews are therefore relayed into Luxembourg law via this law and ILR decisions.

Luxgap practice: we configure Scope Radar against the ILR designation criteria and monitor its publications, so that your applicability sheet stays aligned with national practice and not just the EU text.