Agefi Luxembourg - May 2026

AGEFI Luxembourg, May 2026, p. 47, IA & Tech

The NIS2 Directive has been transposed: The Law of 5 May 2026 on Cybersecurity has been adopted

By Vincent WELLENS, Partner, NautaDutilh Avocats Luxembourg

The loi du 5 mai 2026 concernant des mesures destinées à assurer un niveau élevé de cybersécurité transposes Directive (EU) 2022/2555 of 14 December 2022 (the "NIS2 Directive") into Luxembourg law. The text was adopted by the Chamber of Deputies on 28 April 2026 and the law was published in the Luxembourg Official Journal (Mémorial A n° 225) on 6 May 2026.

Luxembourg is late in its transposition: the NIS2 Directive, like the Critical Entities Resilience Directive (EU) 2022/2557, required EU Member States to adopt and publish transposition measures by 17 October 2024 and to apply them from 18 October 2024. The two Luxembourg transposition laws (NIS2 and CER) were adopted on the same day (5 May 2026) to ensure consistency between their cross-references and coordinated implementation. The new NIS2 law repeals and replaces the law of 28 May 2019, which transposed the first-generation NIS1 Directive (EU) 2016/1148.

Scope—Who Is Covered?

General Threshold

As a general rule, the law applies to public or private entities of a type listed in Annex I or Annex II that qualify as SME (within the meaning of Article 2 of the Annex to Commission Recommendation 2003/361/CE) and that provide their services or carry out their activities within the European Union.

Size-Independent Application, including CER/Critical Entities

The law also applies regardless of size where services are provided by: (i) providers of public electronic communications networks or publicly available electronic communications services; (ii) trust service providers; or (iii) top-level domain (TLD) name registries and DNS service providers; or (iv) where: the entity is the sole provider in Luxembourg of a service essential to the maintenance of critical societal or economic activities; a disruption could have a significant impact on public security, public safety or public health; a disruption could create a significant systemic risk (including transborder impact); or the entity is a public administration entity.

The law applies to entities identified as critical entities under the loi du 5 mai 2026 sur la résilience des entités critiques (the companion CER transposition law, adopted simultaneously), regardless of their size. This is a critical point: entities designated under the CER regime are automatically brought into NIS2's scope in their entirety, irrespective of headcount or turnover.

Exclusions

Entities excluded from the scope of the DORA Regulation (EU) 2022/2554 pursuant to Article 2(4) of that regulation also fall outside the scope of this law. The core security obligations (Articles 12, 13, 14 and 15) and the supervision and enforcement chapter do not apply to the State intelligence service (SREL), the Ministry of Defence or the Luxembourg Army, nor to classified information systems. Where sector-specific EU legal acts (such as DORA) impose cybersecurity risk management or incident notification requirements on entities with at least equivalent effect to this law, the overlapping provisions (including supervision and enforcement) of the NIS2 law do not apply to those entities.

Covered Sectors

The law covers a wide range of sectors through its two annexes:

Annex I—Highly Critical Sectors: Energy, Transport, Banking, Financial market infrastructures, Health, Drinking & Waste water, Digital infrastructure (IXPs, DNS providers, TLD registries, cloud providers, data centres, CDN providers, trust service providers, public electronic communications networks and services), ICT Service Management (managed service providers and managed security service providers), Public administration, and Space.

Annex II—Other Critical Sectors: Postal/courier services, Waste management, Manufacture/production/distribution of chemical substances, Food production/processing/distribution (wholesale and industrial), Manufacturing (medical devices, computers/electronics/optics, electrical equipment, machinery, motor vehicles, other transport equipment), Digital providers (online marketplaces, online search engines, social networking platforms), and Research.

Essential vs. Important Entities

Entities of the types listed in Annex I that exceed the SME thresholds are classified as essential entities. The category also covers: qualified trust service providers, TLD registries and DNS service providers regardless of size; providers of public electronic communications networks or services that are medium-sized enterprises; public administration entities; entities identified by the competent authority on the basis of the size-independent criteria (sole provider, systemic risk, etc.); entities identified as critical entities under the CER law; and entities previously identified as operators of essential services under the former NIS1 law of 28 May 2019. All other in-scope entities that do not qualify as essential entities are classified as important entities, including those identified by the competent authority pursuant to the size-independent criteria.

The distinction is significant: essential entities are subject to ex ante supervision, while important entities are generally subject to ex post supervision triggered by evidence of non-compliance.

Competent Authorities

The law allocates the supervisory and operational roles as follows:

- General competent authority (Annex I and II sectors, and CER entities): Institut luxembourgeois de régulation (ILR)
- Banking and financial market infrastructure sectors; digital infrastructure and ICT services management for activities under CSSF supervision: Commission de surveillance du secteur financier (CSSF)
- Single point of contact (cross-border liaison, intersectoral coordination): Haut-Commissariat à la Protection nationale (HCPN)
- Crisis management for major cybersecurity incidents (EU-CyCLONe representative): HCPN
- CSIRT for State administrations, public establishments and CER critical entities (as GOVCERT.LU): HCPN / GOVCERT.LU
- CSIRT for all other cases: CIRCL (Computer Incident Response Center Luxembourg), which also acts as the national coordinator for the coordinated vulnerability disclosure process, serving as a trusted intermediary between vulnerability reporters and ICT product/service manufacturers or providers

Core Obligations

Cybersecurity Risk Management

Essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage risks to the security of the networks and information systems they use in the context of their activities or service provision, and to eliminate or reduce the consequences of incidents for the recipients of their services. These measures must be based on an "all-hazards" approach aimed at protecting networks and information systems and their physical environment. They must include at least the following ten categories:

1. Policies on risk analysis and information system security;
2. Incident management;
3. Business continuity (backup management, disaster recovery) and crisis management;
4. Supply chain security, including security aspects of relationships with direct suppliers and service providers;
5. Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure;
6. Policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
7. Basic cyber hygiene practices and cybersecurity training;
8. Policies and procedures on the use of cryptography and, where appropriate, encryption;
9. Human resources security, access control policies, and asset management;
10. Use of multi-factor authentication or continuous authentication, secure voice/video/text communications, and secure emergency communication systems within the entity, as appropriate.

It appears that the competent authorities require the adoption of measures in line with the ISO 27k rules or the Belgian CyFun framework. Apparently, the Agence nationale de la sécurité des systèmes d'information (ANSSI) will release its framework soon.

Essential entities must notify their competent authority of the measures taken: the modalities, format and timeline for such notification are to be determined by the competent authority by way of regulation or circular. If the ILR remains consistent with its notification requirements in the telecom sector, which will be governed by NIS2 too, measures are likely to be notified by 31 March of each year.

Governance—Management Body Responsibilities

The management bodies of essential and important entities must approve the cybersecurity risk management measures, supervise their implementation, and may be held directly liable for breaches of the law by the entity. Members of management bodies must undergo regular training, and entities must offer similar training to their staff, to acquire sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the entity's services.

Significant Incident Notification

Essential and important entities must notify the competent authority of any significant incident without undue delay. The mere act of notification does not increase the entity's liability. An incident is "significant" if it has caused, or is likely to cause, serious operational disruption or financial losses, or if it has affected or is likely to affect other natural or legal persons by causing considerable material, physical or moral damage.

The notification timeline is as follows (notification requirements may be streamlined with other notification requirements as a result of the ongoing "omnibus" simplification initiatives at EU level):

- Preliminary notification (including indication of a suspected malicious act or potential cross-border impact): within 24 hours of awareness
- Incident notification (initial assessment of severity, impact and indicators of compromise): within 72 hours of awareness
- Interim report (if requested by the CSIRT or competent authority): upon request
- Final report (detailed description, threat/root cause, mitigation measures, cross-border impact): within 1 month of notification

By exception, trust service providers, such as LuxTrust, must notify significant incidents within 24 hours (rather than 72 hours) of awareness.

Supervision and Enforcement

For essential entities, the competent authorities exercise ex ante supervision on the basis of notified security measures and may conduct on-site inspections and remote controls (including random audits), regular and targeted security audits (by independent bodies or the authority), ad hoc audits (including following a significant incident), security scans, and requests for information, documents or evidence of implementation. For important entities, supervision is ex post in nature, triggered by evidence, indications or information suggesting non-compliance.

Enforcement powers in respect of essential entities include: issuing warnings, adopting binding instructions (including remediation measures and deadlines), ordering cessation of infringing conduct, and ordering entities to ensure compliance with risk management and notification requirements. If enforcement measures remain ineffective, the competent authority may apply to the President of the Luxembourg District Court (sitting in interim proceedings) to seek a temporary suspension of certifications or authorisations, or a temporary ban on a CEO or legal representative from exercising management functions—until the entity remedies the situation. These measures cannot be applied to public administration entities.

Administrative Sanctions

For essential entities in breach of the risk management obligations or significant incident notification duties: administrative fines of up to €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year of the undertaking to which the entity belongs, whichever is higher. For important entities in breach of the same obligations: administrative fines of up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. For other breaches (registration/identification, governance, reporting to the authority, DNS data obligations), sanctions include warnings, formal reprimands and administrative fines not exceeding €250,000.

Key Implementation Takeaways

Act now on registration: Entities falling within the scope of the law must provide registration information to the ILR or CSSF by 10 July 2026.

Assess your classification: Determine whether you are an essential or important entity – the distinction drives the intensity of supervision (ex ante vs. ex post).

CER critical entities: If you are (or are likely to be) designated as a critical entity under the CER law, you are automatically an essential entity under this NIS2 law and must comply with the full suite of NIS2 obligations regardless of your size as from CER designation, which is expected to take place on or around 17 July 2026.

Management body accountability: Directors and senior management are personally involved – they must approve cybersecurity measures, receive regular training, and may bear personal liability for failures.

Review your incident response procedures: The 24-hour preliminary notification obligation is demanding and requires robust internal escalation and logging procedures to be in place before an incident occurs.

Supply chain: The explicit inclusion of supply chain security in the mandatory measures requires entities to assess and manage cyber risks arising from their direct suppliers and service providers.
