Security measures notification
Here you will find the information you need to submit your organisation’s security measures.

Notification of security measures
In accordance with Article 8 (3) of the Law of 28 May 2019 (NIS) and Articles 42 (1) and 43 (2) of the Law of 17 December 2021 on electronic communications networks and services, operators will be required to notify the Institute of security measures.
- Regulation ILR/N22/7 of 15 September 2022 on the notification of security measures to be taken by operators of essential services specifies the procedures and deadlines for this notification for the Energy, Transport, Health, Drinking Water and Digital Infrastructures sectors.
- Regulation ILR/N22/8 of 26 September 2022 on the notification of security measures to be taken by companies providing public communications networks and/or electronic communications services to the public specifies the procedures and deadlines for this notification for the public electronic communications sector.
Submission of security measures to the NISS team
Reports should preferably be submitted by requesting an OTX link from serima(at)ilr(dot)lu, or directly by secure email to serima(at)ilr(dot)lu.
The content required for the notification of security measures
The notification of these measures consists of:
- a description of the measures in place, based on the security objectives proposed by ENISA (Measures Form) in the form of an Excel file;
- a list of dependencies on other electronic communications services or essential services (Dependency Form) in the form of an Excel file; and
- an analysis of the risks associated with the electronic communications service(s) or essential service(s) provided. This risk analysis can be carried out using the SERIMA tool provided by the Institute or with another similar tool. The analysis must:
  - be delivered in the form of a JSON file that can be imported into SERIMA;
  - have a file name that complies with the following naming convention: YearMonthDay_Operator_Sector-Sub-sector_Language.JSON, for example 20221124_MyOrganisation_Energy-Gas_EN.JSON;
  - not contain any personal data; and
  - be based on the sectoral library available on request from the Institute.
  Content:
  - a list of essential services provided in Luxembourg;
  - the primary and secondary assets necessary to provide these services taken into account;
  - the list of threats taken into account;
  - the list of vulnerabilities applied for each asset;
  - the impacts of each risk identified;
  - use the threat, impact and vulnerability rating scales (see below);
  - use the risk acceptance criteria;
  - indicate the measures put in place to minimise the risks;
  - indicate the choice of risk treatment and the related implementation schedule;
  - indicate the assessment of residual risks;
  - use a 5-level scale, from 0 (minimum) to 4 (maximum), to assess the level of each threat;
  - use a 4-level scale, from 0 (minimum) to 3 (maximum), to assess the level of each vulnerability;
  - use a 5-level impact scale, from 0 (minimum) to 4 (maximum), to assess the level of impact.
  - The operator is free to add assets and risks to complete their risk analysis.
N.B. Depending on the type of operator in question, the notification requirement may be limited to only one or two items on the above list.
If the operator uses a different number of levels for the scales, they will need to adapt them to be in line with the above levels.