Luxembourg has adopted two cornerstone laws that, together, constitute a new national cyber and resilience "arsenal":
- the law transposing Directive (EU) 2022/2555 (NIS 2) on cybersecurity
- the law transposing Directive (EU) 2022/2557 (CER) on the resilience of critical entities.
Adopted in parallel, these laws significantly strengthen Luxembourg's legal framework for protecting essential services and digital infrastructures, and replace and modernize the previous, more fragmented national regime.
The simultaneous adoption of the NIS 2 and CER laws stems from the EU's broader policy shift toward strengthening the EU's capacity to prevent, withstand, and recover from large scale disruptions affecting vital societal and economic functions.
NIS 2 responds to the sharp increase in cyber threats by expanding the scope of regulated entities, tightening incident reporting obligations, reinforcing cybersecurity risk management requirements, and placing explicit responsibility on management bodies.
In parallel, the CER framework addresses operational resilience beyond cybersecurity, covering physical, organizational, human and supply chain risks that could disrupt the provision of essential services. It introduces a national framework for identifying and supervising "critical entities" on the basis of a national risk assessment and imposes targeted resilience obligations on those entities.
Taken together, the two laws move Luxembourg toward a holistic, governance driven security model, in which cybersecurity under NIS 2 is embedded within a broader operational resilience approach under CER.
In Luxembourg, NIS 2 is supervised by ILR (digital infrastructure, ICT services, energy, transport, health, etc.) or CSSF (for banking, financial market infrastructure and financial entities in scope) and governs cybersecurity, while CER is supervised by the Haut Commissariat à la Protection Nationale (HCPN) and governs overall resilience; the two regimes are complementary and can apply simultaneously to the same entity.
Many more entities are now in scope of binding cybersecurity obligations under NIS 2, with selected additional entities designated as critical under CER. Compliance is no longer limited to technical IT measures, but requires board level engagement, integrated risk management, and coordinated crisis response planning. The dual application of NIS 2 and CER also increases supervisory intensity and heightens enforcement exposure.
Authors: Dr. Catherine Di Lorenzo (Partner), Barbara Azoulay (Senior Associate), Virginie Liebermann (CE Knowledge Counsel) — A&O Shearman Luxembourg
