
NIS2 Directive in Luxembourg - What to expect?

The final text of the NIS2 Directive has been published: by October 2024 EU member states must adopt and publish national legislation.

On 16 January 2023 the European Commission published the final text of the NIS2 Directive (on a high common level of cybersecurity across the Union), which means that by 17 October 2024 Luxembourg and the other member states must adopt and publish national legislation incorporating the provisions of NIS2.

Below are some key take-aways on what to expect from the NIS2 implementation.


Organizations in scope

NIS2 introduces a size-cap rule, extending its scope to all medium-sized and large entities in 11 sectors specified in Annex 1 of the Directive:

1. Energy
2. Transport
3. Banking
4. Financial market infrastructure
5. Health
6. Drinking water
7. Waste water
8. Digital infrastructure
9. ICT service management
10. Public administration
11. Space

Unlike NISD 1, NIS2 no longer refers to operators of essential services (OES) or digital service providers (DSPs). Instead, it defines requirements for two new categories of entities: Essential and Important. The list of Essential and Important entities will be kept by the European Union Agency for Cybersecurity (ENISA).


Tip 1: Analyse your organization to check whether it falls under the definition of an entity within the sectors listed above.


New cyber security requirements

NIS2 details the cyber risk measures that need to be put in place. The requirements differ for Essential and Important entities. While Essential entities are subject to an ex-ante supervisory regime (e.g. on-site inspections and off-site supervision, random checks, audits and requests for evidence of implementation of cybersecurity policies), Important entities are not systematically required to document compliance with the cybersecurity risk management requirements.

Both Essential and Important entities shall take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems. In practice, it means that the entities in scope should:

  • Review and reinforce information system security policies;
  • Set up an incident handling process;
  • Ensure business continuity and proper crisis management;
  • Address risks stemming from the entity’s supply chain;
  • Manage the security of network and information systems;
  • Review policies and procedures for cybersecurity risk management;
  • Reinforce the use of cryptography and encryption.


Tip 2: Perform a gap assessment of the requirements applicable to your organization.

Incident reporting

NIS2 also amends incident reporting requirements and imposes notification obligations in phases:

Tip 3: Align your incident reporting process with the new requirements.

Higher fines for non-compliance 

Administrative fines of up to 10 million EUR or 2% of the company's total global annual turnover can be levied for non-compliance with the Directive. In addition to fines, penalties can include binding instructions to bring security measures in line with NIS2 requirements and to implement the recommendations of a security audit. Where a significant cyber threat is likely, entities can also be required to inform the recipients of their services of the threat itself. Last but not least, NIS2 makes it possible to hold natural persons representing Essential entities liable for a breach of their duty to ensure compliance with the Directive.


Tip 4: Consider designating a monitoring role (e.g. an officer) with well-defined tasks for a defined period of time to oversee compliance.

How can Deloitte help

Deloitte can help to create a roadmap for implementing the risk management compliance measures, aligning it with the other regulations applicable to your organization.
