Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, lessons learned from incidents, and developments in the AI Act, NIS 2 and DORA, going beyond the press release.

14 articles found · Expertise Luxgap

DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed

When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.

CNPD — Workplace video surveillance: proportionality, DPIA and employee rights

Workplace cameras are allowed in Luxembourg, but under strict rules: a legal basis, proportionality, a DPIA in most cases, the information duties of Art. L.261‑1 of the Labour Code, and employee rights. Document everything, camera by camera.

GDPR – Article 28: the watertight processor contract

In 2026, every DPO/CISO must bulletproof their processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28 contract.

NIS 2 in Luxembourg: executives, mandatory training and personal risk

Under NIS 2, management bodies must approve and supervise cybersecurity measures (Art. 20), undergo regular training, and may be held personally liable for failures. The ILR has issued concrete guidance.

NIS 2 and ICT supply chain: concrete obligations and certification

Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).

AI Act – Annex III: move to high-risk without getting it wrong

High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.

NIS 2 – Article 21 in Luxembourg: what does the ILR actually check?

Article 21 of NIS 2 sets out 10 families of minimum risk-management measures. The ILR has announced ex ante and ex post supervision focused on these measures and on management accountability. Here is how to comply efficiently.

NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May

Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.

AI Act – Article 50: transparency for chatbots and deepfakes by 2026

From 2 August 2026, people must be told when they are interacting with an AI system, synthetic audio, image, video or text must be marked as AI-generated, and deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them. Fines of up to €15M or 3% of global turnover.

GDPR Art. 33: Notify CNPD of a breach within 72h—without panic

Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.

EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026

Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.

NIS 2 in Luxembourg: how to notify ILR within 24h/72h/1 month

NIS 2 requires an early warning within 24h, a formal notification at 72h, and a final report within 1 month. In Luxembourg, ILR and the national CSIRT (CIRCL) are your key contacts.
