Agefi Luxembourg - février 2026
Page 47: Informatique financière (Financial IT)

New EU cybersecurity package: digital sovereignty without saying it

By Vincent WELLENS, Avocat à la Cour & Ottavio COVOLO, Avocat à la Cour, NautaDutilh Avocats Luxembourg S.à r.l.

On 20 January 2026, the EU Commission published a new legislative package targeted at cybersecurity within the EU, taking the form of amendments made to EU Regulation 2019/881 (the "Cybersecurity Act"), as well as to Directive n°2022/2555 ("NIS2"). This package has garnered considerable attention, being characterised as the EU Commission's attempt to respond to foreign tech creating weaknesses in the EU's cyber resilience. Why has such a package been adopted? What is inside it? And what does it mean for entities already handling their NIS2 or DORA compliance?

Current state of affairs

Back in December 2003, the European Network and Information Security Agency ("ENISA") was initially established on a temporary basis with the mandate of developing standards and coordinating efforts in the field of cybersecurity. Since its inception, ENISA's responsibilities have expanded considerably, particularly entrusting it with the implementation of the first Network and Information Security Directive 2016/1148 (the "NIS" Directive). The Cybersecurity Act made further institutional changes by further increasing the roles of ENISA and removing the time limits on its mandate. The Cybersecurity Act also introduced a European cybersecurity certification framework (notably the published EU cybersecurity certification scheme on common criteria, or "EUCC"). Such schemes are intended to enable public and private entities to achieve compliance in cybersecurity matters through certification schemes, as evidenced by references thereto in the Cyber Resilience Act, (1) the NIS2 Directive, (2) or even – albeit more implicitly – DORA for the financial sector. (3)

The rationale underlying this evolution reflects a global trend towards a heightened focus on cybersecurity as a (geo)political challenge, particularly in recent years where resilience has become an increasingly important topic for governments and even the market. It is noteworthy that, contrary to certain beliefs, these rules follow a bottom-up approach; the European certification scheme in the Cybersecurity Act, for instance, stems from a pilot programme between multiple member States. (4)

The thorny issue of the 'kill-switch' in supply chains

National cybersecurity incidents have attracted significant attention across the EU, including airports shutting down due to a failed anti-virus update at the kernel level, or a widely used 2-factor authentication tool being unavailable. Moreover, public scrutiny has extended to systemic vulnerabilities even before incidents happen, such as the widely shared piece on buses in Norway from a Chinese company which is capable of shutting them down remotely, (5) and similar concerns can be traced back to the implementation of 5G networks relying on foreign tech.

This 'kill-switch' also found its way into public discourse in early February, shortly after the unveiling of the Commission's package, with certain outlets voicing concerns regarding the capacity of US technology companies to, in principle, disable a substantial portion of the EU market infrastructure due to the latter's (over)reliance on foreign tech, a hypothesis increasingly considered in the current political climate. (6)

A 'Cybersecurity Act 2' to respond

The Commission proposes to repeal the Cybersecurity Act with a new regulation building upon it. The structure is now comprised of the functioning of ENISA, the European certification mechanism (rebranded as the European Cybersecurity Certification Framework), and a new component regarding the security of ICT supply chains.

To tackle the above issue of 'kill-switches', the proposal introduces the notion of "Key ICT Assets", defined as software and hardware assets used by entities falling within the scope of NIS2 and identified by the Commission in delegated acts. The Commission has the power to draw up a list of "high-risk suppliers" from which the procurement of Key ICT Assets would become prohibited, and/or to require Key ICT Assets to be subject to transparency requirements, limitations on transfers of data to third countries, the disabling of features, and other limitations.

From an institutional perspective, this may be construed as enabling the EU Commission to create a sanctions-like regime targeting assets in ICT supply chains on the grounds of the functioning of the internal market pursuant to art. 114 of the Treaty on the Functioning of the EU ("TFEU"). This marks a non-negligible shift, as it is otherwise the competence of the Council (i.e., the member State governments) to adopt such restrictive measures per art. 215 of the TFEU. Whilst the proposal does not expressly invoke sovereignty considerations, the Commission acknowledges that this represents a "strategic" tool "for achieving technological sovereignty and boosting the competitiveness within Europe".

The providers of mobile, fixed and satellite electronic communications networks are particularly targeted with stricter rules regarding their Key ICT Assets, limited to the prohibition of their use, and a phase-out of maximum 36 months from the publication of the list of high-risk providers. Failure to abide by such prohibitions and restrictions on Key ICT Assets is subject to penalties of a maximum of 7% of the total worldwide turnover of the undertaking.

Although the proposal seeks to align the Cybersecurity Act with the NIS2 regime, the interplay between this proposal and other instruments, such as the aforementioned sanctions regime, remains to be determined. It is also unclear how this will play out with the foreign direct investment rules ("FDI") already subjecting EU-based entities to screening and filtering procedures when contemplating foreign investments. It is also noteworthy that FDI was already identified as a key lever for supply-chain security by the EU States which participated in the 5G toolbox programme, one if not the main source for the Commission's current proposal.

As for the changes to the other titles of the proposal, ENISA receives an increase in size and funding, notably to better manage the newly established EU Cybersecurity Reserve, which is a collection of cybersecurity services to be offered and managed by ENISA (with key public tenders to be initiated by ENISA in this respect for interested cybersecurity providers). The certification framework has been amended with the goal of speeding up the creation and adoption of certification schemes, with specific deadlines of 12 months for their development upon request by the Commission. The framework is also completed with a European Cybersecurity Skills Framework ("ECSF") designed to certify cybersecurity professionals (rather than entities).

A "simplified" NIS2 Directive

Echoing the drive of the Commission to "simplify" its regulatory framework through the Digital Omnibus, (7) the second part of the package is an amendment to the NIS2 Directive with the goal of achieving simplification together with an alignment to the Cybersecurity Act 2. As a reminder, the Digital Omnibus sought to introduce a single-entry portal for incident notifications, operated by ENISA (European Union Agency for Cybersecurity). This portal is designed to simplify overlapping reporting obligations under GDPR, NIS2, DORA and the Cyber Resilience Act ("CRA") by applying the principle of "report once, share many".

The proposal now aims to take a step further with a new category of small mid-cap enterprises to be designated as important (rather than critical) entities, thus lightening their regulatory burden under the NIS2 Directive. Certain definitions have been clarified in response to challenges faced by healthcare providers, electricity producers, hydrogen undertakings and entities in the chemical sector when implementing the current NIS2 Directive.

Again looking at the concerns regarding 'kill switches', the proposal seeks to capture all aspects of submarine data transmission infrastructure (such as the transatlantic cables responsible for a substantial part of internet traffic), which the current NIS2 Directive does not in relation to private entities operating or leasing such infrastructure.

A similar focus has been brought to ransomware attacks, instructing national computer security incident response teams ("CSIRT") to organise data collection efforts in this respect (in particular in terms of detection, attack vectors and implemented – but defeated – mitigation measures).

Key takeaways

The strategic importance of digital resilience, as reflected in these texts, raises fundamental questions concerning the extent to which controls may be imposed by the Commission and national authorities, particularly in light of entities required to implement such measures having to terminate their reliance on foreign but trusted commercial partners for a durable amount of time.

This may give rise to concerns regarding transitional arrangements and the mitigation of claims for wrongful termination, notably in agreements procuring ICT assets and services concluded at group level on behalf and to the benefit of entities across the EU or even the globe. Such initiatives may necessitate the inclusion of carve-out provisions in global or international procurement contracts to accommodate local regulatory or sovereignty requirements (as can be seen in certain frameworks already, notably CSSF Circular 22/806, which requires financial entities to negotiate an explicit termination right upon order by the CSSF thereto, on the grounds of ensuring its regulatory oversight).

More generally, entities may look to assess whether their ICT services include kill-switches or other similar vulnerabilities (e.g., back-doors) and, to anticipate regulatory pressure and to safeguard their resilience, try to negotiate for such vulnerabilities to be removed or rendered ineffective.

This proposal, in a manner similar to the Digital Omnibus, has attracted criticism from certain European legislators, and is likely to undergo substantial amendments prior to adoption by the European Parliament and the Council.

1) See recital 87 of the Cybersecurity Act.
2) See recital 80 of the NIS2 Directive.
3) Regrettably, DORA does not include the relevant certification recital present in the NIS2 Directive, with the only mention being a left-over of the EBA guidelines on outsourcing regarding the possibility to take into account third-party certifications regarding the auditing by financial entities of their third-party service providers.
4) Known as the SOGIS Agreement between 17 member States, including Luxembourg, Belgium and the Netherlands.
5) See AP, Chinese-made buses in Norway can be halted remotely, spurring increased security, available at: https://urls.fr/tN-NAs
6) See Politico, EU capitals say deleting US tech is not realistic, available at: https://urls.fr/yKvmFM
7) See our article in the December 2025 edition of the AGEFI for more detail.

Strategic exchange between the Government and businesses: accelerating AI in Luxembourg

Twenty-one business leaders from key sectors of the Luxembourg economy met on 2 February for a strategic meeting with the Government, devoted to seizing the economic and social opportunities offered by artificial intelligence (AI). In a geopolitical context where mastery of AI is becoming a major issue of sovereignty and of economic prospects, this meeting was of particular importance.

The meeting was chaired by Prime Minister Luc Frieden, with the participation of the Minister of the Economy, SMEs, Energy and Tourism, Lex Delles, the Minister of Finance, Gilles Roth, and the Minister Delegate to the Prime Minister, responsible for Media and Connectivity, Elisabeth Margue. It provided an opportunity to exchange views on the opportunities and challenges linked to the adoption of AI. It also made it possible to discuss measures put in place by the Government, such as the AI Factory, to support businesses in their efforts.

The Prime Minister stated: "This meeting comes at a decisive moment for positioning Luxembourg as a champion of the responsible adoption and development of AI, placing the human being at the centre by putting this new technology at the service of social progress, job creation and sovereignty. We want an AI founded on trust and transparency, which puts innovation at the service of humanity. A European-style artificial intelligence, with a Luxembourg touch."

The Minister of the Economy, SMEs, Energy and Tourism, Lex Delles, added: "Artificial intelligence is a major opportunity to strengthen Luxembourg's competitiveness. With our cutting-edge digital infrastructure, including the future MeluxinaAI, as well as initiatives such as the AI Factory, the Deep Tech Lab and our support schemes, we offer businesses, in particular SMEs, the means to adopt AI responsibly. While Luxembourg ranks among the best-prepared European countries, we are continuing our efforts to support businesses, foster innovation and ensure that the technological transition benefits our entire economy."

Gilles Roth stressed: "Artificial intelligence is a strategic lever for the competitiveness and resilience of our economy and of our financial centre. With initiatives such as the AI Factory and the advisory committee on AI in finance, we are fostering a conducive framework that supports investment, innovation and the responsible use of AI, in order to strengthen the attractiveness of our financial centre as well as the growth and sovereignty of our country."

Elisabeth Margue added: "While the concrete actions and flagship projects of the AI strategy presented in May 2025 continue to be implemented across the strategic sectors of our economy, we must make sure every day to identify the barriers to its application. With simplification initiatives such as the Digital Omnibus and the rapid implementation of innovative instruments under the AI Act, such as regulatory sandboxes, we are putting in place a clear framework for businesses. A predictable framework that allows them to invest with confidence and with respect for our personal data."

Source: ministère d'État