Cybersecurity

NIS2 in Luxembourg: which businesses need to care about cybersecurity compliance

The EU directive expands cyber-risk management and incident-reporting duties across 18 critical sectors.



NIS2 raises cybersecurity duties for medium and large entities in critical sectors. AI-generated image: OpenAI / Etude

NIS2 is the EU’s upgraded cybersecurity rulebook, and Luxembourg companies cannot treat it as a pure IT issue. The directive creates a unified legal framework for cybersecurity across 18 critical sectors and expands the scope well beyond the first NIS directive.

The European Commission says NIS2 applies to sectors including energy, transport, healthcare, finance, water, digital infrastructure, public electronic communications, digital services, waste and wastewater, critical manufacturing, postal and courier services, public administration and space.

As a rule, medium-sized and large entities in covered sectors must take appropriate cybersecurity risk-management measures and report significant incidents to national authorities. The point is not only to prevent attacks, but also to reduce disruption and damage when incidents happen.

The boardroom matters. NIS2 introduces accountability of top management for non-compliance with cyber-risk management measures. That means governance, supplier security, vulnerability management, incident playbooks and staff awareness are no longer optional documentation exercises.

Luxembourg firms should start with a scope assessment: sector, entity size, services provided, dependencies, suppliers and incident-reporting channels. If the company touches finance, cloud, digital services, logistics, health or public-sector supply chains, waiting is risky.

What is NIS2?
NIS2 is the EU directive setting cybersecurity risk-management and incident-reporting duties for critical sectors.
Who is affected?
As a rule, medium and large entities in covered essential or important sectors.
Is this only an IT problem?
No. NIS2 makes cybersecurity a governance and management responsibility.
