Luxembourg transposed the NIS2 Directive through the Act of 5 May 2026, which entered into force on 10 May 2026 [2]. ILR is the lead competent authority for Luxembourg NIS2 supervision, CSSF is competent by derogation for financial-sector entities, and HCPN handles national cyber-policy and crisis coordination [2]. For organisations in scope, self-registration is a near-term operational task: the Luxembourg NIS2 framework sets a self-registration deadline of 10 July 2026 [2].
This article answers the first questions SME owners usually ask: does this apply to us, what does the management body have to do, and what file should we build first?
NIS2 creates two tiers of entities: essential entities and important entities. Directive (EU) 2022/2555 Article 2 sets the scope, Article 3 distinguishes essential from important entities, and Annexes I and II list the sectors [1]. Luxembourg's Act of 5 May 2026 transposes that framework nationally, while ILR provides the practical sector, size-cap, self-registration, security-measure, and incident-notification guidance for Luxembourg entities [2] [3].
The general NIS2 rule is that medium and large organisations in listed sectors are in scope. The size cap is read from Article 2(1) of NIS2 together with the SME definition in Commission Recommendation 2003/361/EC: an entity is medium-sized or larger if it has 50 or more employees, or if both its annual turnover and its annual balance-sheet total exceed EUR 10 million (the small-enterprise ceiling in the Recommendation) [1] [4]. Some categories are in scope regardless of size under Article 2(2), including providers of public electronic communications networks or services, trust service providers, top-level domain name registries, and DNS service providers [1].
The Annex I (high-criticality) sectors are energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space [1]. The Annex II (other critical) sectors are postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations [1]. Note that the tier of an entity is not read from the Annex alone: Article 3 also uses size and national designation, so a medium-sized entity in an Annex I sector is normally an important entity, not an essential one [1].
For German operations, a Luxembourg scope analysis is not enough. German entities should check the NIS2UmsuCG / BSIG implementation context and BSI guidance, because national implementation status and supervisory mechanics may differ from Luxembourg [6].
This table is illustrative. The authoritative determinants are the Directive, the Luxembourg Act, and ILR scope guidance, not a vendor summary [1] [2] [3].
NIS2 places direct responsibility on the management body of an essential or important entity. Article 20 requires the management body to approve the cybersecurity risk-management measures taken under Article 21, oversee their implementation, and follow training sufficient to identify cyber risks and assess their impact on the entity's services; members of the management body can be held liable for infringements of Article 21 [1]. The Luxembourg Act and ILR security-measures guidance provide the national implementation path for those obligations [2] [3].
For a Luxembourg SME, the management body is typically the board of directors or, in a simpler structure, the managing director or gérant. The obligation is not satisfied by telling the IT manager to "handle security." The decision-maker needs a file that shows what was reviewed, what was approved, which risks remain, and what training has been completed [1].
If your organisation may be in scope, the practical first deliverable is a three-part operating file.
1. Owner review pack. This is a one-to-two page summary for the management body. It should explain the scope conclusion, the essential or important tier if applicable, the measures requiring approval, and the management-body training status. The legal hook is Article 20: approve, oversee, and train [1].
2. Customer-evidence pack. This is the version you can use when customers or partners ask about NIS2 readiness. It should summarise registration status, governance ownership, security measures, incident-notification process, and the control framework you operate. The legal hooks are Article 21 for risk-management measures and Article 23 for significant-incident notification [1].
3. Regulator-ready file. This is the more complete record for supervisory review. Article 21(2) lists the minimum measures: policies on risk analysis and information system security; incident handling; business continuity (backup management and disaster recovery) and crisis management; supply-chain security; security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; policies on cryptography and, where appropriate, encryption; human-resources security, access control and asset management; and multi-factor or continuous authentication and secured communications, including emergency communications [1]. ILR guidance should be checked for Luxembourg submission and supervisory expectations [3].
You do not need every item perfect before the management body starts. The owner review pack is often the correct first step because it creates evidence that the Article 20 governance process has begun [1].
Article 23 requires essential and important entities to notify significant incidents without undue delay, in a fixed sequence: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours of becoming aware (updating the early warning with an initial assessment of severity, impact and, where available, indicators of compromise), an intermediate report on request, and a final report no later than one month after the incident notification [1]. The 24-hour and 72-hour clocks both run from awareness, not from the previous submission, so an entity that uses the full 24 hours for the early warning has only 48 hours left for the incident notification. ILR's NIS2 incident-notification guidance and the SERIMA route should be checked for the Luxembourg operational channel [3].
Under Article 23(3), an incident is significant if it has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [1]. For SME owners, the practical implication is simple: the incident process must include a rapid classification and escalation step that reaches the person responsible for Article 20 governance within hours, because the 24-hour early-warning clock starts at awareness, not at the point where someone decides the incident is significant.
Cyvalent 360 Cyber Services / CISOaaS provides the practitioner-led work: sector classification, threshold analysis, management-body briefing, Article 20 owner review pack, Article 21 regulator-ready file, and Article 23 notification-process design [1] [2] [3].
CORTEX AI maps NIS2 obligations to the control framework you operate, such as ISO 27001, NIST CSF, or a custom control library. It tracks posture, evidence, and cross-framework reuse so the management body can see which obligations are covered, which remain open, and what evidence supports each approval cycle.
Both offerings can be used separately or together. The right starting point depends on whether your first gap is governance capacity, structured tracking, or both.
NIS2 in Luxembourg is in force. If you are unsure whether your organisation is in scope or what your management body's obligations are, discuss your readiness with Cyvalent.
[1] European Parliament & Council. Directive (EU) 2022/2555 (NIS2): Art. 2 & Annexes I-II (scope/sectors), Art. 3 (essential vs important), Arts. 20-21 (governance & risk measures), Art. 23 (incident reporting), Art. 41 (transposition deadline 17 Oct 2024). Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[2] Grand-Duché de Luxembourg. Loi du 5 mai 2026 relative à des mesures destinées à assurer un niveau élevé de cybersécurité (Act of 5 May 2026 on measures to ensure a high level of cybersecurity), Mémorial A No. 225: NIS2 transposition; in force 10 May 2026; self-registration by 10 July 2026; ILR competent, with CSSF derogation for the financial sector and HCPN coordination. Status/date: in force 10 May 2026. Source: Legilux. https://legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo
[3] ILR. NIS2: scope, security measures, incident notification (SERIMA). Luxembourg NIS2 guidance for scope, self-registration, security measures, and incident notification. Status/date: accessed June 2026. Source: ILR. https://www.ilr.lu/en/sectors/niss/nis-2/
[4] European Commission. Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises: SME threshold framework referenced for size-cap analysis. Status/date: adopted 6 May 2003. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reco/2003/361/oj
[6] Germany / BSI. NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSI-Gesetz (BSIG): German NIS2 implementation context; BSI competent. Status/date: current status should be verified before publication. Source: BSI. https://www.bsi.bund.de/