Information protection: the experience of Luxembourg
Luxembourg continues to strengthen critical infrastructure protection and cybersecurity. Bill No. 8364, based on the European directive "NIS 2" (Security of Network and Information Systems), introduces updated standards for risk management and incident response.
The bill divides companies into:
- "Critical" (more than 250 employees, annual turnover over €50 million).
- "Significant" (50 employees or more, turnover over €10 million).
To fall within scope, a company must also operate in one of the critical sectors: energy, transport, healthcare, financial infrastructure, waste management, digital services and others.
If a company meets the above criteria, it will be required to take a number of measures to improve its cybersecurity. For example, it will be required to take measures to secure its supply chain. The organisation will also have to register with the relevant supervisory authority (ILR, or the CSSF for the financial sector) and to train its management on basic cybersecurity concepts.
Failure to do so could result in fines of up to €10 million or 2% of annual turnover for "critical" companies, and up to €7 million or 1.4% of turnover for merely "significant" companies.
The bill still needs to be finalised. The State Council has already made 10 formal comments that need to be taken into account in further discussions. However, if the law is passed after several readings, major players in the market will have to invest significant sums to meet the state's requirements.