12 March 2026 Update - The transposition of NIS 2 in Luxembourg
Luxembourg is among the EU Member States that have not yet completed the formal transposition of Directive (EU) 2022/2555 into national law.
Although the legislative process has progressed and a draft implementation law has been introduced, the directive has not yet been fully implemented through a final enacted statute. Consequently, Luxembourg remains in a legislative transition phase, where the previous NIS 1 framework continues to apply while the NIS 2 implementing law is still undergoing parliamentary examination.
Prior to the adoption of the NIS 2 Directive, Luxembourg implemented the earlier Directive 2016/1148 through national legislation commonly referred to as the NIS Act, which established cybersecurity obligations for operators of essential services and digital service providers. This framework required entities to implement appropriate technical and organisational security measures and to notify significant incidents to the competent authorities.
The supervisory and institutional structure under this regime involves several national authorities. In particular, the Haut-Commissariat à la Protection nationale (HCPN) plays a central role in national cybersecurity policy, while sectoral supervision in areas such as telecommunications and digital infrastructure is exercised by the Luxembourg Institute of Regulation (ILR).
Although this earlier framework provided a foundation for cybersecurity governance, its scope and regulatory mechanisms were based on the more limited architecture of the original NIS Directive and therefore required substantial reform to comply with the expanded requirements of NIS 2.
Under Article 41 of the NIS 2 Directive, Member States were required to adopt and publish national implementing legislation by 17 October 2024. Luxembourg did not meet this deadline.
In November 2024, the European Commission launched infringement procedures against several Member States, including Luxembourg, for failing to notify full transposition of the directive within the prescribed timeframe.
This procedural step does not necessarily imply the absence of legislative activity but indicates that the Commission had not yet received notification of complete transposition measures.
The Luxembourg government has prepared a comprehensive implementation measure in the form of a draft law (Projet de loi n° 8364) intended to transpose the NIS 2 Directive into national law. The draft was formally introduced in the Chambre des Députés on 13 March 2024 and remains under parliamentary discussion.
The proposed legislation aims to establish a new legal framework governing cybersecurity obligations for entities operating in sectors considered essential or important under the directive. It will also revise and replace aspects of the existing NIS 1 legislation to align the national cybersecurity regime with the expanded scope of the directive.
Once adopted, the Luxembourg NIS 2 implementation law will introduce the classification system of essential entities and important entities, reflecting the regulatory model established by the directive. Entities within these categories will be required to implement cybersecurity risk-management measures, maintain incident-reporting mechanisms, and comply with supervisory oversight by the competent national authorities.
EU - Transposition, Member States