Article 41

Transposition

Directive on the security of network and information systems · UE 2022/2555

Transposition

1.   By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.

They shall apply those measures from 18 October 2024.

2.   When Member States adopt the measures referred to in paragraph 1, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the transposition of NIS 2 is carried out by the law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025. The ILR (Institut Luxembourgeois de Regulation) is designated as the national competent authority: it identifies essential and important operators, maintains the entity register, receives incident notifications, conducts inspections and imposes administrative sanctions. The national timeline diverged from the 18 October 2024 date set in Article 41, but the substantive obligations and the ILR's sanctioning powers are fully operational.

Luxgap practice: do not align your planning with the ILR designation letter. Carry out your self-identification now and prepare your registration in the entity register, because the transposition delay does not exempt an entity from its cybersecurity obligations.