Amendment of Directive (EU) 2018/1972
Directive on the security of network and information systems · UE 2022/2555
Amendment of Directive (EU) 2018/1972
In Directive (EU) 2018/1972, Articles 40 and 41 are deleted with effect from 18 October 2024.
In Luxembourg, the ILR is the competent national cybersecurity authority, acting both as the electronic communications regulator and as the body implementing NIS 2. The law of 28 July 2023 on cybersecurity (amended by the law of 28 July 2025) transposes the shift: telecom operators previously covered by Articles 40 and 41 of the Code are now designated as essential or important operators and notify their incidents directly to the ILR under the NIS 2 tiered regime. Administrative fines can reach 10 million EUR or 2 percent of worldwide turnover for an essential entity.
Luxgap practice: check that your interconnection agreements and notification procedures sent to the ILR no longer cite the old Code, and switch your incident contact point to the ILR NIS 2 channel.