Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 10 January 2025

☒   omnibus – all personal data

☒   sector-specific

E.g. telecoms, public healthcare sector

What are the key data privacy laws and regulations?

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

What are the key cybersecurity laws and regulations?

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

EU law:

  • Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems ("NIS Directive")
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act")
  • Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)
  • Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance.)
  • Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union ("NIS2 Directive")
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector ("DORA", or Digital Operational Resilience Act)

Besides the General Data Protection Regulation (“GDPR”) and the Luxembourg Data Protection Law, the following general and sector-specific regulations apply in the field of cybersecurity:

  • Luxembourg Law of 28 May 2019 transposing Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (General regulation)
  • Luxembourg Regulation ILR/N21/1 of 9 June 2021 determining the parameters and procedures in relation to the notification of an incident having a significant impact on the supply of a digital service
  • Luxembourg Regulation ILR/N22/1 of 22 February 2022 (Sector-specific regulation: transport – sub-sector: road)
  • Luxembourg Regulation ILR/N22/2 of 15 June 2022 (Sector-specific regulation: transport – sub-sector: railways)
  • Luxembourg Regulation ILR/N22/3 of 3 August 2022 (Sector-specific regulation: energy – sub-sector: gas)
  • Luxembourg Regulation ILR/N22/4 of 3 August 2022 (Sector-specific regulation: energy – sub-sector: electricity)
  • Luxembourg Regulation ILR/N22/5 of 3 August 2022 (Sector-specific regulation: healthcare)
  • Luxembourg Regulation ILR/N22/6 of 3 August 2022 (Sector-specific regulation: digital infrastructure)
  • Luxembourg Law of 20 December 2024 on the implementation of rules and penalties for Regulation (EU) No 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Agency for Cyber Security) and Information and Communications Technologies Cybersecurity Certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Regulation) and amending the amended Act of 4 July 2014 reorganizing ILNAS.

What are the key laws and regulations relating to non-personal data?

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free-flow of non-personal data in the European Union

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 10 January 2025

Draft bill n°8395 on the use of data in a safe environment; on the implementation of the "once only" principle; on the implementation of certain provisions of Regulation (EU) 2022/868; on the implementation of certain provisions of Regulation (EU) 2016/679