NIS2 Country Guide

NIS2 Luxembourg: Compliance, Authorities & Key Requirements

Learn how Luxembourg implements the NIS2 Directive, which sectors and entities are covered, how registration works via MyGuichet.lu, and what steps organisations must take to prepare for compliance.

Luxembourg | In force: 29 Jul 2024 | Registration by: 1 Oct 2025

Introduction

Luxembourg has implemented NIS2 by strengthening and extending the existing 2021 national cybersecurity law. Entities operating essential or important services must comply with enhanced cybersecurity, risk management, and reporting requirements.

NIS2 implementation in Luxembourg

Luxembourg transposed NIS2 through the Law of 29 July 2024, amending the national cybersecurity framework introduced in 2021.

Status

Transposed; in force since 29 July 2024.

Registration

Registration is made through MyGuichet (MyGuichet.lu). Deadline: 1 October 2025.

Sector | Luxembourg note
Finance | Closely aligned with DORA; supervised by CSSF and ILR depending on the service type.
Digital Infrastructure | Data centre & cloud operators supervised directly by ILR.
Public Administration | State & municipal entities included; oversight via HCPN / GOVCERT.

Compliance & certification

Luxembourg follows NIS2’s “Essential” and “Important” entity structure.

Scope

  • Annex I & II sectors
  • ≥50 employees or ≥€10m annual turnover
  • Small entities may still qualify if critical for the state

Obligations

  • Risk management & policies
  • Incident detection & reporting
  • Business continuity
  • Supply-chain security
  • Access control & encryption

Recommended standards

ISO/IEC 27001:2023, NIST CSF 2.0, ETSI EN 303 645 for certain infrastructures.

Competent authorities

Luxembourg uses a multi-body model under HCPN.

Role | Authority | Notes
National CSIRT | GOVCERT.LU | Cyber incident response for state & critical operators.
Single Point of Contact | Haut-Commissariat à la Protection Nationale (HCPN) | Coordinates nationwide cybersecurity strategy.
Supervisory authority | ILR (Institut Luxembourgeois de Régulation) | Primary NIS2 regulator for private-sector entities.
Financial sector | CSSF | Supervises NIS2 requirements aligned with DORA.

Timeline & key dates

27 Dec 2022 — NIS2 published in EU Official Journal.
29 Jul 2024 — Luxembourg NIS2 Law enters into force.
1 Oct 2025 — Registration deadline via MyGuichet.lu.

Sector-specific notes

  • Finance: Strong overlap with DORA; CSSF supervises key actors.
  • Cloud & data centres: Major presence in Luxembourg; supervised by ILR.
  • Government & municipalities: Covered under HCPN & GOVCERT.

Penalties

Luxembourg applies NIS2’s turnover-based maximum penalties. Fines are administrative and may include mandatory corrective action plans.

How to prepare

  1. Determine if your entity falls under Annex I or II.
  2. Register on MyGuichet.lu.
  3. Perform a cybersecurity gap analysis.
  4. Align with ISO 27001/NIST CSF controls.
  5. Evaluate third-party & supply-chain dependencies.
  6. Prepare incident-reporting procedures with GOVCERT.
  7. Ensure management accountability & training.

Official links & resources

  • GOVCERT.LU

FAQ

When did NIS2 enter into force in Luxembourg?
The NIS2 Law entered into force on 29 July 2024.

Where do I register?
Registration is completed on MyGuichet.lu.

Does NIS2 apply to small companies?
Generally, only medium & large entities. However, small operators may be included if they are essential for Luxembourg’s national security or economy.

Who supervises NIS2?
ILR supervises most private-sector entities; GOVCERT handles cyber incidents; HCPN is the central coordination authority.

Information provided for general guidance; consult official national sources for updates.