Article 8

Competent authorities and single points of contact

Directive on the security of network and information systems · UE 2022/2555

Competent authorities and single points of contact

1.   Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks referred to in Chapter VII (competent authorities).

2.   The competent authorities referred to in paragraph 1 shall monitor the implementation of this Directive at national level.

3.   Each Member State shall designate or establish a single point of contact. Where a Member State designates or establishes only one competent authority pursuant to paragraph 1, that competent authority shall also be the single point of contact for that Member State.

4.   Each single point of contact shall exercise a liaison function to ensure cross-border cooperation of its Member State’s authorities with the relevant authorities of other Member States, and, where appropriate, with the Commission and ENISA, as well as to ensure cross-sectoral cooperation with other competent authorities within its Member State.

5.   Member States shall ensure that their competent authorities and single points of contact have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them and thereby to fulfil the objectives of this Directive.

6.   Each Member State shall notify the Commission without undue delay of the identity of the competent authority referred to in paragraph 1 and of the single point of contact referred to in paragraph 3, of the tasks of those authorities, and of any subsequent changes thereto. Each Member State shall make public the identity of its competent authority. The Commission shall make a list of the single points of contact publicly available.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) is designated as the national competent cybersecurity authority and as the single point of contact within the meaning of Article 8. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, tasks the ILR with designating essential and important operators, receiving incident notifications, conducting inspections and imposing administrative sanctions (up to EUR 10 million or 2% of worldwide annual turnover for essential entities). It is therefore the ILR, not the CSSF or the CNPD, that is your reference NIS 2 desk.

Luxgap practice: ensure your incident response plan explicitly names the ILR notification channel and test the escalation at least once a year, as an ILR inspection requires evidence of an operational procedure, not merely a policy on paper.