29 May 2026

Luxembourg Adopts A New Cyber And Resilience Framework With NIS 2 And CER Laws

A&O Shearman

Contributor

A&O Shearman was formed in 2024 via the merger of two historic firms, Allen & Overy and Shearman & Sterling. With nearly 4,000 lawyers globally, we are equally fluent in English law, U.S. law and the laws of the world’s most dynamic markets. This combination creates a new kind of law firm, one built to achieve unparalleled outcomes for our clients on their most complex, multijurisdictional matters – everywhere in the world. A firm that advises at the forefront of the forces changing the current of global business and that is unrivalled in its global strength. Our clients benefit from the collective experience of teams who work with many of the world’s most influential companies and institutions, and have a history of precedent-setting innovations. Together our lawyers advise more than a third of NYSE-listed businesses, a fifth of the NASDAQ and a notable proportion of the London Stock Exchange, the Euronext, Euronext Paris and the Tokyo and Hong Kong Stock Exchanges.

Luxembourg has adopted two cornerstone laws that, together, constitute a new national cyber and resilience “arsenal”:

  • the law transposing Directive (EU) 2022/2555 (NIS 2) on cybersecurity
  • the law transposing Directive (EU) 2022/2557 (CER) on the resilience of critical entities.

Adopted in parallel, these laws significantly strengthen Luxembourg’s legal framework for protecting essential services and digital infrastructures, and replace and modernize the previous, more fragmented national regime.

The simultaneous adoption of the NIS 2 and CER laws stems from the EU’s broader policy shift toward strengthening its capacity to prevent, withstand, and recover from large-scale disruptions affecting vital societal and economic functions.

NIS 2 responds to the sharp increase in cyber threats by expanding the scope of regulated entities, tightening incident reporting obligations, reinforcing cybersecurity risk management requirements, and placing explicit responsibility on management bodies.

In parallel, the CER framework addresses operational resilience beyond cybersecurity, covering physical, organizational, human and supply chain risks that could disrupt the provision of essential services. It introduces a national framework for identifying and supervising “critical entities” on the basis of a national risk assessment and imposes targeted resilience obligations on those entities.

Taken together, the two laws move Luxembourg toward a holistic, governance-driven security model, in which cybersecurity under NIS 2 is embedded within a broader operational resilience approach under CER.

In Luxembourg, NIS 2 is supervised by ILR (digital infrastructure, ICT services, energy, transport, health, etc.) or CSSF (for banking, financial market infrastructure and financial entities in scope) and governs cybersecurity, while CER is supervised by the Haut Commissariat à la Protection Nationale (HCPN) and governs overall resilience; the two regimes are complementary and can apply simultaneously to the same entity.

Many more entities are now in scope of binding cybersecurity obligations under NIS 2, with selected additional entities designated as critical under CER. Compliance is no longer limited to technical IT measures, but requires board-level engagement, integrated risk management, and coordinated crisis response planning. The dual application of NIS 2 and CER also increases supervisory intensity and heightens enforcement exposure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
