Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
14 articles found · #luxembourg
Automated patching: the answer to NIS 2, Article 21
Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.
CNPD — Workplace video surveillance: proportionality, DPIA and employee rights
Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, frequent DPIA, L.261‑1 information duties and employee rights. Document everything, camera by camera.
NIS 2 in Luxembourg: executives, mandatory training and personal risk
Under NIS 2, management bodies must approve and supervise cybersecurity measures (Art. 20), undergo regular training, and may be held personally liable for failures. The ILR has issued concrete guidance.
NIS 2 and ICT supply chain: concrete obligations and certification
Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).
Immutable, isolated backups: meeting DORA on ransomware resilience
DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.
AI Act – Annex III: move to high-risk without getting it wrong
High-risk AI systems: how to decide if Annex III applies and build a compliant file (risk management, Annex IV, CE marking) in Luxembourg, as of May 2026.
NIS 2 – Article 21 in Luxembourg: what does the ILR actually check?
Article 21 of NIS 2 sets 10 families of minimum measures. The ILR announces ex ante/ex post supervision focused on these measures and management accountability. Here is how to comply efficiently.
NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May
Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.
NIS 2 in Luxembourg: how to notify ILR within 24h/72h/1 month
NIS 2 requires an early warning within 24h, a formal notification at 72h, and a final report within 1 month. In Luxembourg, ILR and the national CSIRT (CIRCL) are your key contacts.
CNIL approves a GDPR code of conduct for retail
On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.
Qilin claims cyberattack on Exclusive Networks
The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.
Ransomware at ChipSoft: alert for cross‑border care
Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.
