If you run or manage a small or mid-sized business in Luxembourg, Germany, or elsewhere in the EU, the cybersecurity rulebook now looks crowded: NIS2, DORA, the Cyber Resilience Act, the AI Act, CER, and sector-specific instruments all appear in the same conversations. The practical question is not "which regulation is most important?" It is "which legal trigger applies to what we actually do?"
The answer depends on sector, activity, product, role, and sometimes size. NIS2 and CER are mostly sector-driven. DORA is financial-sector driven. The Cyber Resilience Act follows products with digital elements. The AI Act follows AI-system risk and the role you play as provider or deployer. The EU Space Programme Regulation matters for organisations involved in EU space programme infrastructure or security-relevant downstream use.
This article gives you a first map. It is not a legal opinion. It is a plain-language guide to what each instrument is for, why it exists, and which question to ask next.
The EU's approach has moved from largely voluntary cyber guidance toward mandatory, supervised obligations for organisations, products, and critical services. That shift sits in the broader policy context described in the EU Cybersecurity Strategy for the Digital Decade and in the recitals to the main cyber instruments, and it followed years of major incidents and threat-pattern reporting; WannaCry, NotPetya, SolarWinds/Sunburst, Colonial Pipeline, and Kaseya are examples of the kind of incidents discussed in ENISA threat landscape reporting and EU policy material [16][17].
The result is not one single cyber law. It is a stack of instruments that answer different questions: is the organisation in a critical sector, is it a financial entity, does it place a connected software or hardware product on the EU market, does it develop or deploy high-risk AI, or is it identified as critical to societal resilience?
NIS2 is the EU directive for a high common level of cybersecurity across the Union. It applies to essential and important entities in listed sectors, with scope rules set in Directive (EU) 2022/2555 Article 2 and Annexes I and II; the same instrument defines essential and important entities in Article 3 and sets governance, risk-measure, and incident-reporting duties in Articles 20, 21, and 23 [1].
For Luxembourg readers, NIS2 was transposed by the Act of 5 May 2026, in force from 10 May 2026. ILR is the lead competent authority, CSSF is competent by derogation for financial-sector entities, and HCPN is responsible for national cyber policy and crisis coordination. Luxembourg entities in scope must also note the self-registration deadline of 10 July 2026 [2][3]. For German operations, check the NIS2 implementation and BSIG amendment path against the current BSI position before taking decisions, because implementation-status trackers have diverged [6].
Who should investigate further: organisations in Annex I sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space; and organisations in Annex II sectors such as postal services, waste management, manufacture of critical products, food production, digital providers, and research organisations [1].
DORA is an EU regulation, not a directive, so it applies directly across the EU. It governs digital operational resilience for financial entities and their ICT third-party risk management, including governance obligations, incident management, testing, and third-party ICT risk rules in Regulation (EU) 2022/2554 Articles 5, 17-30, and 64 [4].
In Luxembourg, the Law of 1 July 2024 implements DORA-related national provisions and identifies CSSF and CAA as competent authorities. CSSF Circular 25/882 adds requirements for ICT third-party service use by DORA entities, while Circular 25/883 amends Circular 22/806 for the outsourcing framework [5]. For German operations, BaFin is the relevant supervisory authority and the FinmadiG context should be checked for entity-specific transitional rules [8].
Who should investigate further: banks, insurers, investment firms, payment institutions, fund managers, crypto-asset service providers, and ICT providers serving financial entities. DORA has applied since 17 January 2025 under Article 64 [4].
The Cyber Resilience Act sets cybersecurity requirements for products with digital elements placed on the EU market. It applies to the product and the economic-operator role, not to a sector alone: Article 2 sets the scope and connectivity criterion, Article 3 defines products with digital elements and economic operators, Annex I sets essential cybersecurity and vulnerability-handling requirements, and Annexes III and IV identify important and critical product classes [7].
Because the CRA is a regulation, member states do not transpose the core obligations into national law in the same way as NIS2 or CER. They designate market-surveillance and enforcement authorities. Germany's authority-designation law is in progress, and Luxembourg's authority designation should be verified before publication or customer-specific advice [7].
Who should investigate further: manufacturers, importers, and distributors of software, connected hardware, embedded firmware, or other products with digital elements. Reporting duties under Article 14 apply from 11 September 2026, and the regulation applies fully from 11 December 2027 [7].
The EU AI Act regulates AI systems by risk tier. Annex III defines high-risk use cases, while the phased application timeline runs from 2025 through 2027, subject to current EU timetable changes that should be checked before a compliance programme is planned [9].
For Luxembourg, draft bill no. 8476 is the authority-designation route to watch. Germany's AI Act implementing law is also in progress and should be checked before advising German operations [10][11].
Who should investigate further: organisations that develop, sell, or deploy AI systems, especially in HR, creditworthiness, biometrics, critical infrastructure, education, law enforcement, migration, or access to essential services; the high-risk list is in Annex III [9].
CER is the sibling resilience directive to NIS2. NIS2 covers the cyber dimension; CER covers broader resilience for critical entities, including physical, operational, and supply-chain resilience. The directive's sectors are listed in its Annex [12].
Luxembourg transposed CER through the Law of 5 May 2026. Germany's KRITIS-Dachgesetz is reported in force from 17 March 2026, with BBK and BSI responsibilities and registration by 17 July 2026 [14][15].
Who should investigate further: organisations in sectors that may be identified as critical by a member state, especially where NIS2 scope and physical or operational resilience obligations may overlap [12].
The EU Space Programme Regulation governs the Union space programme, including Galileo, Copernicus, and GOVSATCOM. It can matter for organisations involved in EU space programme infrastructure or downstream services that touch security-relevant programme requirements [13].
Who should investigate further: space-sector companies in Luxembourg or Germany with involvement in EU programme infrastructure, security-relevant downstream use, or service delivery connected to Galileo, Copernicus, or GOVSATCOM [13].
A single company may be touched by more than one instrument. A financial entity can be under DORA, in a NIS2 sector, and dependent on CRA-regulated products. A manufacturer can be under NIS2 for its sector and CRA for its connected product line. These rules stack because they regulate different objects: organisations, services, products, and AI systems.
Cyvalent helps Luxembourg and EU organisations turn this first map into an operating programme. Cyvalent 360 Cyber Services / CISOaaS provides the practitioner capacity to scope obligations, build governance files, prepare management-body decisions, and run the compliance programme. CORTEX AI maps regulatory obligations to control frameworks and tracks posture continuously across overlapping requirements.
Both offerings can be used independently or together. The correct starting point depends on whether the immediate gap is human operating capacity, structured compliance tracking, or both.
[1] European Parliament & Council. Directive (EU) 2022/2555 (NIS2) — Art. 2 & Annexes I-II (scope/sectors), Art. 3 (essential vs important), Arts. 20-21 (governance & risk measures), Art. 23 (incident reporting), Art. 41 (transposition deadline 17 Oct 2024). Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[2] Grand-Duché de Luxembourg. Loi du 5 mai 2026 relative à des mesures destinées à assurer un niveau élevé de cybersécurité (Mém. A no. 225) — NIS2 transposition; in force 10 May 2026; self-registration by 10 July 2026; ILR competent with CSSF derogation for financial sector and HCPN coordination. Status/date: in force 10 May 2026. Source: Legilux. https://legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo
[3] ILR. NIS2 — scope, security measures, incident notification (SERIMA) — Luxembourg NIS2 sector guidance, self-registration, security measures, and incident notification. Status/date: accessed June 2026. Source: ILR. https://www.ilr.lu/en/sectors/niss/nis-2/
[4] European Parliament & Council. Regulation (EU) 2022/2554 (DORA) — Art. 5 (governance/management body), Arts. 17-23 (incident management), Arts. 24-27 (testing/TLPT), Arts. 28-30 (third-party risk; Art. 28(3) Register of Information), Art. 64 (applies 17 Jan 2025). Status/date: applicable from 17 Jan 2025. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
[5] Luxembourg / CSSF. Loi du 1er juillet 2024 implementing DORA / transposing Directive (EU) 2022/2556; Circular CSSF 25/882; Circular CSSF 25/883 amending Circular CSSF 22/806 — CSSF and CAA competent authorities; ICT third-party service requirements for DORA entities. Status/date: law of 1 July 2024; CSSF circulars published 2025. Source: CSSF. https://www.cssf.lu/en/regulatory-framework/ and https://www.cssf.lu/en/Document/circular-cssf-25-882/
[6] Germany / BSI. NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSI-Gesetz (BSIG) — German NIS2 implementation context; BSI competent. Status/date: current status should be verified before publication. Source: BSI. https://www.bsi.bund.de/
[7] European Parliament & Council. Regulation (EU) 2024/2847 (Cyber Resilience Act) — Art. 2 (scope/connectivity), Art. 3 (definitions/roles), Art. 14 (reporting from 11 Sep 2026), Annex I (essential requirements and vulnerability handling), Annexes III-IV (product classes), full application 11 Dec 2027. Status/date: in force 10 Dec 2024; phased application. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
[8] Germany / BaFin. Finanzmarktdigitalisierungsgesetz (FinmadiG) and DORA supervisory context — DORA accompanying act; BaFin competent for German financial-sector supervision. Status/date: current status and transitional rules should be verified. Source: BaFin. https://www.bafin.de/DE/Aufsicht/DORA/DORA_node.html
[9] European Parliament & Council. Regulation (EU) 2024/1689 (AI Act) — Annex III (high-risk use cases); phased application 2025-2027; in force 1 Aug 2024. Status/date: current timeline should be verified before programme design. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
[10] Luxembourg / Chambre des Députés. Projet de loi no. 8476 portant mise en œuvre de certaines dispositions du Règlement (UE) 2024/1689 (AI Act) — national competent-authority designation context. Status/date: legislative dossier in progress; verify before publication. Source: Chambre des Députés. https://www.chd.lu/en/dossier/8476
[11] Germany / Bundesregierung. Durchführungsgesetz zur KI-Verordnung — German AI Act implementation / authority-designation context. Status/date: federal cabinet approved draft implementing law; verify final enactment before publication. Source: Bundesregierung. https://www.bundesregierung.de/breg-de/aktuelles/bundesregierung-beschliesst-durchfuehrungsgesetz-zur-ki-verordnung-staatsminister-weimer-gesetzestext-stellt-staatsferne-medienordnung-in-deutschland-klar--2406634
[12] European Parliament & Council. Directive (EU) 2022/2557 (CER) — Annex (sectors); transposition deadline 17 Oct 2024. Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2557/oj
[13] European Parliament & Council. Regulation (EU) 2021/696 (EU Space Programme) — Galileo, Copernicus, GOVSATCOM security context. Status/date: in force. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2021/696/oj
[14] Luxembourg / HCPN. Loi du 5 mai 2026 sur la résilience des entités critiques — Luxembourg CER transposition and national critical-entities resilience governance. Status/date: transposed by Law of 5 May 2026; HCPN page last modified 21 May 2026. Source: HCPN and EUR-Lex national implementation measure record. https://hcpn.gouvernement.lu/fr/service/attributions/missions-nationales/protection-infrastructures-critiques.html and https://eur-lex.europa.eu/legal-content/EN/NIM/?uri=CELEX:32022L2557
[15] Germany / Bundesgesetzblatt, Gesetze im Internet, and Bundesregierung. KRITIS-Dachgesetz / Gesetz zur Umsetzung der Richtlinie (EU) 2022/2557 und zur Stärkung der Resilienz kritischer Anlagen — German CER/KRITIS-Dachgesetz context; registration duty by 17 July 2026. Status/date: in force 17 Mar 2026. Source: Gesetze im Internet and Bundesregierung. https://www.gesetze-im-internet.de/kritisdachg/BJNR0420B0026.html and https://www.bundesregierung.de/breg-de/aktuelles/kritis-dachgesetz-2383682
[16] ENISA. Threat Landscape — annual threat landscape series and threat-pattern context. Status/date: current annual series. Source: ENISA. https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends
[17] European Commission. EU Cybersecurity Strategy for the Digital Decade — Dec 2020 policy context. Status/date: published Dec 2020. Source: European Commission. https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade