Cybersecurity - NISS

The NIS 2 Act

This section is intended to provide an overview of the rules and new provisions introduced by the transposition into Luxembourg law of DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (hereinafter the ‘NIS2 Directive’).

The NIS2 Directive was transposed into Luxembourg law by means of the Act of 5 May 2026 on measures to ensure a high level of cybersecurity (hereinafter the ‘NIS 2 Act’). This transposition law came into force on 10 May 2026 and repealed, in particular, the the NIS1 Act, as well as Articles 42 and 43 of the Law of 17 December 2021 on electronic communications networks and services. The main changes introduced are explained below.

Important: The European Commission has published Implementing Regulation EU 2024/2690 of 17 October 2024.

Disclaimer: The ‘questions and answers’ section below is intended to improve the understanding of the provisions of the NIS 2 Act by those concerned. However, it does not constitute a final interpretation of the various terms of the NIS 2 Act and the general explanations provided by the Institute may vary over time.

Scope and field of application
More information
Security measures and supervision under NIS2
More information
Incident notification under NIS2
More information
Information sessions
More information
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024
More information
Frequently asked questions about NIS2 (FAQ)
More information

The NIS 2 act brings several new features to the supervision of cybersecurity. The major changes are the following:

  1. definition of uniform criteria to determine the entities that fall within the scope of this act by default;
  2. introduction of new sectors within the scope, grouping them into the categories ‘important’ and ‘essential’;
  3. risk management measures are to be applied to all networks and information systems that support the entity’s activities, not just those that support the essential services;
  4. liability of management bodies of entities falling within the scope of the NIS 2 act;
  5. harmonisation of security measures to be applied (establishing security policies, ensuring security in the supply chain, etc.);
  6. clarification of the rules on incidents to be notified by the entities to the competent authorities.

Consult the different topics below for more information.

Developers, robot work at laptop with magnifier. Industrial cybersecurity, industrial robotics malware, safeguarding of industrial robotics concept. Pinkish coral bluevector isolated illustration

Publications

Consult the latest available publications on the NISS sector.

Guidelines NIS2 - Organes de direction
Publication Guides Cybersécurité - NISS March 4, 2026
More information
Lancement du portail centralisé de notification d’incidents sur la plateforme SERIMA pour NIS1/NIS2, CCEE, GDPR et CER
Publication Communiqués Cybersécurité - NISS May 2, 2025
More information
Lancement du portail centralisé de notification d’incidents sur la plateforme SERIMA pour NIS1/NIS2, CCEE, GDPR et CER
Publication Communiqués Cybersécurité - NISS May 2, 2025
More information
Définition des différents secteurs d'activité concernés par la directive NIS2
Publication Autres publications Cybersécurité - NISS November 6, 2024
More information
Presentation sessions d'informations
Publication Cybersécurité - NISS September 30, 2024
More information
1 sur
All the sector's publications
  • Securing your organisation

    The NISS department ensures that legislation on network and information system security is properly enforced across a range of sectors.

    More information
  • NIS 2 Act

    Find out more about the NIS 2 Act.

    More information
  • Incident Notification

    Please use SERIMA to report incidents.

    More information