Article 42

Amendment of Regulation (EU) No 910/2014

Directive on the security of network and information systems · UE 2022/2555

Amendment of Regulation (EU) No 910/2014

In Regulation (EU) No 910/2014, Article 19 is deleted with effect from 18 October 2024.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the deletion of eIDAS Article 19 moves trust service providers under the supervision of the ILR, the national cybersecurity authority, with the NIS 2 specific incident notification sequence (early warning within 24h, notification within 72h, final report within one month) to the ILR and the national CSIRT. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, designates the ILR as competent authority for inspections and administrative sanctions, which may reach up to EUR 10 million or 2% of worldwide turnover for essential entities.

Luxgap practice: check whether your qualified provider status classifies you as an Annex I essential entity and immediately align your eIDAS procedures with NIS 2 Article 21, as the compliance gap has been running since 18 October 2024.