
Cybersecurity & NIS2 Advisory

Legal advisory for essential and important entities in Luxembourg

The NIS2 Directive (Directive (EU) 2022/2555) is the most consequential overhaul of EU cybersecurity law in a decade. Where the original NIS Directive applied to a narrow set of operators of essential services and digital service providers, NIS2 extends its reach across 18 sectors and introduces a direct management liability regime, including personal accountability for members of the management body who fail to ensure that their organisation complies. Luxembourg is transposing NIS2 through Bill 8364, with adoption expected by the end of 2025.


Most businesses within scope have not yet fully assessed what NIS2 will require of them. The obligation categories (risk management, incident reporting, supply chain security and governance) are substantive and interconnected, and the time left to implement them before supervision begins is short. The consequences of non-compliance, once the ILNAS begins exercising its supervisory functions, are significant: administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to 7 million euros or 1.4% of turnover for important entities.


Jurisconsul's cybersecurity practice has been advising technology companies and digital infrastructure providers on operational security and data protection for years. NIS2 adds a legal compliance dimension to work we have been doing in practice. We advise on the full arc from scope assessment to incident response — and we are one of the few Luxembourg boutiques with a visible NIS2 advisory practice.


Are You Within NIS2 Scope?

NIS2 applies to medium-sized and large enterprises active in the 18 covered sectors, including energy, transport, banking, financial market infrastructure, health, digital infrastructure (cloud computing, data centres, CDNs, DNS, internet exchange points, trust services), ICT service management, and public administration. Some categories, including trust service providers, DNS service providers, TLD name registries and providers of public electronic communications networks or services, fall within scope regardless of their size. Determining whether your organisation qualifies as an essential or important entity is the first and most critical step, because the two classifications carry different supervisory regimes and fine ceilings.


NIS2 Gap Analysis

We conduct a structured assessment of your current technical and organisational cybersecurity measures against the requirements of NIS2 — covering risk analysis, incident handling, business continuity, supply chain security, access control, and cryptography. The gap analysis produces a prioritised action plan with legal and operational recommendations, sized to your organisation.


Incident Reporting Framework

NIS2's incident reporting obligations are among its most operationally demanding requirements. A significant incident must be reported to the competent authority in stages: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours of becoming aware of it (updating the early warning with an initial assessment of severity and impact), and a final report no later than one month after the incident notification, with intermediate status updates on request. We design the internal legal framework for incident escalation, assess what constitutes a significant incident for your specific operations, and prepare your regulatory correspondence templates in advance, so that when something happens your team knows exactly what to do and the clock does not start running before anyone notices.


Supply Chain Security

NIS2 extends cybersecurity obligations into your supply chain. If you are an essential or important entity, you must address the security risks arising from your direct suppliers and service providers, and your ICT supplier contracts are the principal instrument for doing so. We assess your existing vendor agreements against NIS2 requirements, draft appropriate contractual provisions (security obligations, incident notification duties, audit rights, subcontracting controls), and design a proportionate vendor due diligence framework.


Management Liability and Governance

One of NIS2's most significant departures from its predecessor is the personal liability it creates for members of the management body. Boards and senior leadership must approve the cybersecurity risk management measures, oversee their implementation, and follow training so that they can identify and assess cyber risks. We advise on the governance frameworks and board policies that discharge this responsibility, and on the documentation (approvals, minutes, training records, reporting lines) that demonstrates compliance if questions are asked later.
