NIS2 in Luxembourg: what you need to know

  • May 12, 2026

On 6 May 2026, Luxembourg published the law transposing the European NIS2 Directive (EU 2022/2555), Bill 8364, in the Journal officiel du Grand-Duché de Luxembourg. The law entered into application on 10 May 2026 and introduces a comprehensive, structured approach to cybersecurity across the economy, reflecting the growing urgency of cyber resilience in the face of increasingly sophisticated threats.

In brief

NIS2 applies automatically to organisations with 50 or more employees or annual turnover exceeding €10 million, operating in one of 18 critical sectors. Entities have until 10 July 2026 to self-register with their competent authority.

The law establishes two tiers of obligation:

  • Essential entities — large organisations in Annex I sectors exceeding 250 employees and either €50 million in turnover or €43 million in annual balance sheet — are subject to proactive supervision and sanctions of up to €10 million or 2% of global turnover.
  • Important entities — medium-sized organisations in Annex I sectors and all qualifying Annex II entities — are subject to reactive supervision and sanctions of up to €7 million or 1.4% of global turnover. 

Both tiers must implement the same ten categories of measures under Article 12, covering risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene, cryptography, access control, and multi-factor authentication.

When a significant incident occurs, entities must notify their competent authority within 24 hours, submit a formal notification within 72 hours, and file a final report within one month. Missing any deadline is itself a sanctionable breach.

Management bodies must formally approve cybersecurity measures, supervise their implementation and undergo regular training. For essential entities, senior managers can face a temporary ban from exercising management functions for serious failures.

The ILR acts as competent authority for most sectors; the CSSF oversees banking and financial market infrastructures. The HCPN serves as Luxembourg's single point of contact for cross-border cooperation and manages major cyber crises. GOVCERT.LU and CIRCL are the two designated CSIRTs.

Your next steps

  • Determine if you are in scope: check your NACE code against the 18 covered sectors and assess headcount, turnover and balance sheet at consolidated group level.

  • Self-register by 10 July 2026: registration is a legal obligation under Article 11. Non-registration is itself a sanctionable breach. The ILR portal is available at ilr.lu.

  • Conduct a gap analysis against Article 12: map your current cybersecurity posture against the 10 required domains and prioritise quick wins alongside longer-term structural work.

  • Engage your board: management bodies must formally approve security measures. Frame this as a governance and legal risk, not just an IT matter. 

  • Build your 24-hour incident response capability: test your ability to detect, escalate and notify the competent authority within 24 hours before an incident forces you to do so under pressure.

  • Audit and formalise your supply chain with clear contractual safeguards: NIS2 holds you accountable for your suppliers' security posture. Update contracts to include minimum security requirements and audit rights.

  • Consult the ILR's NIS 2 resources. The ILR has published dedicated guidance on scope, security measures, incident notification, and frequently asked questions, as well as recorded information sessions. These are available on the ILR website and provide the ILR's official interpretation of the law's requirements.

How PwC can help

PwC Luxembourg provides end-to-end support across your NIS2 compliance journey, including:

  • Scoping assessments to determine your classification as an essential or important entity.

  • Gap analysis against Article 12 requirements and remediation planning.

  • Governance and operating model design, including board-level accountability frameworks. 

  • Targeted training sessions for Top Management.

  • Implementation of cybersecurity risk management frameworks aligned with NIS2.

  • Assistance with ILR reporting and preparation for supervision.

Contact us

Maxime Pallez

Cybersecurity Director, PwC Luxembourg

Tel: +352 62133 41 66

Frédéric Chapelle

Advisory Partner, Technology, PwC Luxembourg

Tel: +352 49 48 48 4185