Luxembourg NIS2 competent authority structure showing three-authority oversight framework

Which of Luxembourg’s Three NIS2 Authorities Supervises Your Sector? HCPN, ILR, or CSSF Explained

Luxembourg may be the EU’s second-smallest country by area, but it operates one of the most structurally complex NIS2 governance frameworks on the continent. Most member states designated a single competent authority or paired one NCA with a CSIRT. Luxembourg designated three competent authorities — each with a distinct mandate — plus two CSIRTs with non-overlapping constituencies, and a single point of contact that reports directly to the Prime Minister.

The Law of 5 May 2026 on measures to ensure a high level of cybersecurity entered into force on 10 May 2026, replacing the NIS1 framework and expanding scope from roughly 1,000 entities to an estimated 6,000–8,000. Entities had two months from that date — until 10 July 2026 — to register with the correct authority. Getting that routing right matters: HCPN, ILR, and CSSF each have separate registration channels, and submitting to the wrong body delays your classification as essential or important.

This article maps each authority’s exact mandate, explains the CSIRT routing split between GOVCERT.LU and CIRCL, and outlines what registration requires.

Why Luxembourg Needs Three NIS2 Authorities for One Country

NIS2 Directive Article 8 gives member states flexibility: each state must designate “one or more competent authorities responsible for cybersecurity.” A single-body model — such as Estonia’s, where RIA holds NCA, SPOC, and CSIRT functions simultaneously — is permitted. A multi-body model is equally valid where sector-specific expertise justifies the split.


Luxembourg chose distribution for two structural reasons. First, the CSSF already supervised financial institutions under DORA and existing sector-specific cybersecurity rules. Reassigning financial oversight to a different body would have severed established supervisory relationships and created duplicated oversight of the same entities without adding regulatory value.

Second, the ILR was already the designated authority for electronic communications networks and services under the Law of 17 December 2021. That law’s Articles 42 and 43 — which imposed cybersecurity obligations on electronic communications providers — were repealed by the NIS2 law, with ILR’s supervisory role over that sector absorbed cleanly into its new NIS2 mandate. There was no regulatory gap to fill; the existing structure extended naturally.

The HCPN fills the third role: strategic coordination and EU-level representation that neither a sector regulator (ILR) nor a prudential supervisor (CSSF) is positioned to own. The result is a division of labour by expertise rather than by size — a design that makes sense for a country whose financial sector manages assets equivalent to roughly half of EU GDP.

For comparison, Latvia’s NIS2 structure also uses multiple bodies — NCSC, SAB, and CERT.LV — but distributes roles by sector criticality tier rather than by pre-existing regulatory mandates. Luxembourg’s split follows a different logic.

HCPN: Single Point of Contact Reporting to the Prime Minister

The Haut-Commissariat à la Protection nationale (HCPN) holds Luxembourg’s designation as the NIS2 Single Point of Contact under Article 8(3) of the Directive. That function — liaison with other EU member states, the European Commission, and ENISA — requires a body with cross-departmental authority and a direct line to political leadership. Luxembourg placed it under the Prime Minister’s office to provide both.

HCPN’s NIS2 mandate operates across three distinct areas:

Strategic leadership. HCPN adopts Luxembourg’s National Cybersecurity Strategy, including frameworks for national asset identification, risk assessment methodology, supply chain security policy, and vulnerability management. This operates above the operational level handled by ILR and CSSF day-to-day.

Crisis management. When a cybersecurity incident threatens to escalate beyond a single sector or becomes systemically significant, HCPN coordinates the national response through the National Crisis Centre (Centre National de Crise). It represents Luxembourg in the EU-CyCLONe network — the European network for coordinated response to large-scale cross-border cyber crises — and coordinates with intelligence services and justice authorities when incidents carry national security implications. Luxembourg participated in the Cyber Europe 2026 exercise, the pan-European ENISA crisis simulation, with HCPN as national coordinator.

ANSSI hosting. HCPN houses the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), Luxembourg’s national agency for information systems security. This gives HCPN technical depth to complement its political authority.

Critically, HCPN does not conduct routine sector supervision. Day-to-day incident notifications from energy companies, logistics operators, or healthcare providers do not go to HCPN. They go to ILR or CSSF. HCPN’s role is strategic and crisis-oriented: it activates at the level of national cyber emergencies and EU coordination, not individual entity compliance management.

ILR: Default Regulator for Energy, Transport, Health, and Digital Infrastructure

The Institut Luxembourgeois de Régulation (ILR) is Luxembourg’s primary NIS2 competent authority for the large majority of sectors. By default, if an entity falls under NIS2 Annex I or Annex II and is not supervised by the CSSF for its primary activity, ILR is its competent authority.

Sectors under ILR supervision, by Annex:

  • Annex I (Highly Critical): Energy (electricity, gas, oil, hydrogen, district heat), Transport (air, rail, water, road), Health, Drinking water, Wastewater, Digital infrastructure, ICT service management (B2B), Public administration, Space, Electronic communications
  • Annex II (Other Critical): Postal and courier services, Waste management, Manufacture of critical products (pharma, medical devices, chemicals, computers, machinery), Food, Chemicals, Digital providers (online marketplaces, search engines, social networks), Research

The risk methodology for ILR-supervised entities is SERIMA (Système d’Évaluation des Risques de Sécurité des Systèmes d’Information): the competent authority may require entities to use it as their risk analysis platform, and in practice it should be treated as mandatory. This is a Luxembourg-specific addition to the NIS2 baseline: the Directive requires risk management measures under its Article 21 but does not mandate a particular tool. Luxembourg’s national law adds that layer for ILR-supervised entities.

ILR manages entity registration, essential/important classification, and routine supervisory interactions. The primary registration contact is niss@ilr.lu, and the ILR portal is the standard submission channel.

CSSF: Financial Sector NCA and DORA Coordinator

The Commission de Surveillance du Secteur Financier (CSSF) is designated as NIS2 competent authority for banking institutions, financial market infrastructures, and related digital and ICT service management activities conducted under CSSF supervision.

This designation matters most for two entity categories:

Credit institutions, investment firms, and fund managers already subject to DORA (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector). Under Luxembourg’s implementation, DORA operates as lex specialis relative to NIS2: where DORA’s ICT risk requirements are more specific than NIS2’s general cybersecurity obligations, DORA takes precedence. The CSSF oversees both frameworks for these entities through integrated rather than duplicated supervision. Luxembourg also runs the TIBER-LU programme — threat-intelligence-based red-team testing aligned with EU TIBER — under CSSF coordination.

Mixed-model providers whose operations span CSSF-regulated financial services and ILR-regulated sectors answer to both authorities. Each authority maintains separate incident notification templates: ILR entities use SERIMA-aligned workflows; CSSF-supervised entities use CSSF-specific forms. A single incident playbook that tries to cover both channels is insufficient; auditors now check explicitly for this documentation gap.

For DORA-in-scope entities, the incident timeline creates a three-clock challenge worth documenting separately: NIS2 requires an early warning within 24 hours of becoming aware of a significant incident; DORA requires classification of a major ICT incident within 4 hours of detection; GDPR requires notification of personal-data breaches within 72 hours. Each clock has a different trigger condition, a different reporting recipient, and a different template. Managing all three requires pre-built, tested runbooks — not reactive procedures.

GOVCERT.LU and CIRCL: Why Luxembourg Has Two CSIRTs

Luxembourg designated two CSIRTs under NIS2 Article 10, each with a distinct constituency. The routing is not determined by sector but by the nature of the entity reporting:

Designated CSIRT by entity type:

  • State administrations: GOVCERT.LU
  • Public establishments: GOVCERT.LU
  • Critical infrastructure operators (public or private): GOVCERT.LU
  • Private sector companies: CIRCL
  • Municipalities (communes): CIRCL
  • Non-governmental organisations: CIRCL
  • All other entities not listed above: CIRCL

GOVCERT.LU manages cybersecurity incidents compromising Luxembourg’s government information systems and the information systems of public or private critical infrastructure operators. It is the official national contact point for all national and international CSIRT-to-CSIRT communications, forwarding incidents outside its direct scope to CIRCL where appropriate.

CIRCL (Computer Incident Response Center Luxembourg) is the government-driven national CERT for the private sector, communes, and NGOs. Since the Law of 5 May 2026 entered into force, CIRCL holds two additional mandates that rarely appear in compliance guides:

First, CIRCL holds the role of national CVD coordinator. Under NIS2’s coordinated vulnerability disclosure framework, CIRCL acts as the trusted intermediary between vulnerability researchers and affected organisations. Its formal CVD process was published on 20 May 2026, immediately following the law’s entry into force.

Second, as of 20 May 2026, CIRCL became a CVE Numbering Authority (CNA) under the ENISA CVE Root, enabling it to assign CVE identifiers and publish CVE Records within its designated scope. This makes CIRCL one of the first national CSIRTs in the EU to obtain CNA status under the ENISA-managed root — a direct outcome of NIS2’s vulnerability management requirements.

Both CSIRTs hold authority under NIS2 Article 10(2) to conduct proactive, non-intrusive scans of publicly accessible network and information systems without requiring prior entity consent. Organisations operating internet-facing infrastructure in Luxembourg should ensure their external attack surface reflects their intended security posture, not their assumptions about whether anyone is looking.

Registration: What to Submit and by 10 July 2026

Under Article 11(4) of Luxembourg’s Law of 5 May 2026, in-scope entities were required to register with their competent authority within two months of the law’s entry into force — that is, by 10 July 2026.

Registration requires submitting:

  • RCS (trade register) number and NACE sector classification code
  • IP address ranges used by the entity
  • Name and contact details of the designated cybersecurity point of contact
  • Sectors and subsectors in which the entity operates (Annex I or II)
  • Main establishment address and, where applicable, other EU locations

The ILR portal classifies entities as Essential or Important automatically based on submitted information, applying size thresholds (50+ employees or €10M+ annual turnover) plus sector-specific rules. One rule applies unconditionally: all state administrations and public establishments are automatically designated as essential entities regardless of size. The 50-employee threshold does not apply to them.

Luxembourg’s scope expansion from NIS1 is substantial. The 2019 NIS1 framework covered approximately 1,000 entities. The 2026 law is expected to bring 6,000–8,000 entities into scope, with most new entrants being mid-size private-sector companies in manufacturing, logistics, digital services, and healthcare — sectors newly covered under Annex II.

Penalties and Enforcement: Who Sanctions Whom

Luxembourg’s penalty structure mirrors the NIS2 Directive’s maximum thresholds:

  • Essential entities: maximum fine of €10,000,000 or 2% of global annual turnover, whichever is higher
  • Important entities: maximum fine of €7,000,000 or 1.4% of global annual turnover, whichever is higher

These headline maximums sit alongside a daily non-compliance penalty of €1,250 per day, capped at €25,000 in aggregate. Daily penalties and the headline maximum are distinct instruments — a regulator can impose daily penalties during an ongoing enforcement process before or alongside the headline fine.

Enforcement follows a four-stage graduated model: written warning → binding improvement plan → daily penalties → financial fine. Both ILR and CSSF hold full enforcement powers within their respective sectors.

Director liability under NIS2 Article 20 is independently actionable. Management bodies that fail to approve and actively oversee Article 21 cybersecurity measures face sanctions even where underlying technical controls are otherwise in place. Luxembourg’s implementation adds temporary management prohibition as a penalty measure for gross negligence.

Public sector entities are exempt from financial fines. Enforcement for state bodies runs through corrective orders and, where appropriate, public naming. Non-financial penalties still carry reputational and operational consequences.

Frequently Asked Questions

Does my Luxembourg entity register with ILR or CSSF?

Determine your primary regulated activity. If you are a credit institution, investment firm, fund manager, payment institution, or another entity supervised by CSSF for prudential or conduct purposes, register with the CSSF. All other in-scope entities — energy companies, logistics operators, digital infrastructure providers, hospitals, manufacturers, research organisations — register with ILR at niss@ilr.lu. If your operations span both CSSF-regulated and ILR-regulated sectors, you may need to register with both and maintain separate compliance tracks.

What is SERIMA and is it mandatory?

SERIMA is the risk analysis platform that ILR may require entities under its supervision to use. The national law gives ILR the power to mandate a specific risk framework. Treat it as mandatory unless ILR confirms in writing that an alternative methodology is accepted for your sector and size.

My company handles both investment management and data centre operations. Who supervises us?

The data centre function falls under Annex I digital infrastructure — ILR is the competent authority. The investment management function falls under CSSF supervision. You have two competent authorities with separate incident notification templates and timelines. Document both reporting chains and confirm the applicable DORA timelines before the registration deadline.

Can GOVCERT.LU or CIRCL scan our systems without asking?

Yes. NIS2 Article 10(2) permits designated CSIRTs to conduct proactive, non-intrusive scans of publicly accessible network and information systems. Luxembourg’s law implements this authority. The scan must remain non-intrusive and limited to publicly accessible systems — but neither GOVCERT.LU nor CIRCL requires prior entity consent to perform it.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
