	NIS2 Implementation in the EU
	Luxembourg
	(Europe) Firm Arendt & Medernach Contributors Astrid Wagner Updated 20 Jan 2026
Status of the legislative process	Ongoing
Status of the NIS2 Implementation Act	On 13 March 2024, the Luxembourg government filed a Draft Law n°8364, which is currently under discussion. The draft law will amend three national laws: (i) the amended Law of 14 August 2000 on e-commerce; (ii) the amended Law of 23 July 2016 creating a high commission for national protection; and (iii) the Law of 17 December 2021 transposing the European Electronic Communication Code. It is currently unknown when the draft law will be adopted by the Luxembourg Parliament.
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	Apart from: adding the national reference laboratories designated under Article 10 of the amended Law of 1 August 2018 on the mandatory notification of certain diseases in the context of public health protection to Annex I, section 5 on health; and setting the maximum administrative fines up to EUR 7,000,000 or 1.4% of the total worldwide annual turnover for the previous financial year of the company to which the significant entity belongs (whichever is higher); No significant deviations from the NIS2 Directive are contained in the current bill, nor are expected. The Institut Luxembourgeois de Régulation and the Commission de Surveillance du secteur financier are designated as competent authorities. The Haut-Commissariat à la Protection nationale will be in charge of international and intersectoral cooperation and will be the cyber crisis management authority.
Date of entry into force of the Implementation Act	Not applicable.

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Ongoing

Status of the NIS2 Implementation Act

On 13 March 2024, the Luxembourg government filed a Draft Law n°8364, which is currently under discussion. The draft law will amend three national laws: (i) the amended Law of 14 August 2000 on e-commerce; (ii) the amended Law of 23 July 2016 creating a high commission for national protection; and (iii) the Law of 17 December 2021 transposing the European Electronic Communication Code. It is currently unknown when the draft law will be adopted by the Luxembourg Parliament.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

Apart from:

adding the national reference laboratories designated under Article 10 of the amended Law of 1 August 2018 on the mandatory notification of certain diseases in the context of public health protection to Annex I, section 5 on health; and
setting the maximum administrative fines up to EUR 7,000,000 or 1.4% of the total worldwide annual turnover for the previous financial year of the company to which the significant entity belongs (whichever is higher); No significant deviations from the NIS2 Directive are contained in the current bill, nor are expected.

The Institut Luxembourgeois de Régulation and the Commission de Surveillance du secteur financier are designated as competent authorities. The Haut-Commissariat à la Protection nationale will be in charge of international and intersectoral cooperation and will be the cyber crisis management authority.

Date of entry into force of the Implementation Act

Not applicable.