The answer depends on sector, activity, product, role, and sometimes size. NIS2 and CER are mostly sector-driven. DORA is financial-sector driven. The Cyber Resilience Act follows products with digital elements. The AI Act follows AI-system risk and the role you play as provider or deployer. The EU Space Programme Regulation matters for organisations involved in EU space programme infrastructure or security-relevant downstream use.
This article gives you a first map. It is not a legal opinion. It is a plain-language guide to what each instrument is for, why it exists, and which question to ask next.
| Regulation | Trigger | Regulates | First question | Key date |
|---|---|---|---|---|
| NIS2 | Sector + size + role | Organisation / service | Are we in an Annex I/II sector? | LU self-registration 10 Jul 2026 |
| DORA | Financial entity / ICT provider | Financial operational resilience | Are we a financial entity or an ICT provider to one? | Applies since 17 Jan 2025 |
| CRA | Product with digital elements | Product / economic operator | Do we place a connected product on the EU market? | Reporting from 11 Sep 2026 |
| AI Act | AI-system risk and role | AI systems | Are we provider or deployer of a high-risk AI system? | Phased 2025–2027 |
| CER | Critical-entity designation | Physical / operational resilience | Could we be designated critical? | Member-state specific |
The EU's approach has moved from largely voluntary cyber guidance toward mandatory, supervised obligations for organisations, products, and critical services. That shift sits in the broader policy context described in the EU Cybersecurity Strategy for the Digital Decade and in the recitals to the main cyber instruments, and it followed years of major incidents and threat-pattern reporting, including WannaCry, NotPetya, SolarWinds/Sunburst, Colonial Pipeline, and Kaseya as examples of the kind of incidents discussed in ENISA threat landscape reporting and EU policy material [16] [17].
The result is not one single cyber law. It is a stack of instruments that answer different questions: is the organisation in a critical sector, is it a financial entity, does it place a connected software or hardware product on the EU market, does it develop or deploy high-risk AI, or is it identified as critical to societal resilience?
NIS2 is the EU directive for a high common level of cybersecurity across the Union. It applies to essential and important entities in listed sectors, with scope rules tied to Directive (EU) 2022/2555 Article 2 and Annexes I and II; the same instrument defines essential and important entities in Article 3 and sets governance, risk-measure, and incident-reporting duties in Articles 20, 21, and 23 [1].
Not sure where to start? Ask four questions:
1. Are we in a NIS2 Annex I or Annex II sector?
2. Are we a financial entity, or an ICT provider to one?
3. Do we place a product with digital elements on the EU market?
4. Are we a provider or deployer of a high-risk AI system?
If the answer to any question is yes, start with a scoping assessment before building a compliance roadmap.
Cyvalent helps Luxembourg and EU organisations turn this first map into an operating programme. Cyvalent 360 Cyber Services / CISOaaS provides the practitioner capacity to scope obligations, build governance files, prepare management-body decisions, and run the compliance programme. Cyvalent RGX maps regulatory obligations to control frameworks and tracks posture continuously across overlapping requirements.
Both offerings can be used independently or together. The correct starting point depends on whether the immediate gap is human operating capacity, structured compliance tracking, or both.
[1] European Parliament & Council. Directive (EU) 2022/2555 (NIS2) — Art. 2 & Annexes I-II (scope/sectors), Art. 3 (essential vs important), Arts. 20-21 (governance & risk measures), Art. 23 (incident reporting), Art. 41 (transposition deadline 17 Oct 2024). Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[4] European Parliament & Council. Regulation (EU) 2022/2554 (DORA) — Art. 5 (governance/management body), Arts. 17-23 (incident management), Arts. 24-27 (testing/TLPT), Arts. 28-30 (third-party risk; Art. 28(3) Register of Information), Art. 64 (applies 17 Jan 2025). Status/date: applicable from 17 Jan 2025. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
[7] European Parliament & Council. Regulation (EU) 2024/2847 (Cyber Resilience Act) — Art. 2 (scope/connectivity), Art. 3 (definitions/roles), Art. 14 (reporting from 11 Sep 2026), Annex I (essential requirements and vulnerability handling), Annexes III-IV (product classes), full application 11 Dec 2027. Status/date: in force 10 Dec 2024; phased application. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
[9] European Parliament & Council. Regulation (EU) 2024/1689 (AI Act) — Annex III (high-risk use cases); phased application 2025-2027; in force 1 Aug 2024. Status/date: current timeline should be verified before programme design. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Cyvalent helps Luxembourg and EU organisations map which obligations apply before over-investing in the wrong compliance work — through founder-led 360 Cyber Services / CISOaaS and the CORTEX AI cyber GRC platform.
For Luxembourg readers, NIS2 was transposed by the Act of 5 May 2026, in force from 10 May 2026. ILR is the lead competent authority, CSSF is competent by derogation for financial-sector entities, and HCPN coordinates national cyber policy and crisis coordination. Luxembourg entities in scope must also pay attention to the self-registration deadline of 10 July 2026 [2] [3]. For German operations, the German NIS2 implementation and BSIG amendment path should be checked against the current BSI position before decisions are made, because implementation-status trackers have diverged [6].
Who should investigate further: organisations in Annex I sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space; and organisations in Annex II sectors such as postal services, waste management, manufacture of critical products, food production, digital providers, and research organisations [1].
DORA is an EU regulation, not a directive, so it applies directly across the EU. It governs digital operational resilience for financial entities and their ICT third-party risk management, including governance obligations, incident management, testing, and third-party ICT risk rules in Regulation (EU) 2022/2554 Articles 5, 17-30, and 64 [4].
In Luxembourg, the Law of 1 July 2024 implements DORA-related national provisions and identifies CSSF and CAA as competent authorities. CSSF Circular 25/882 adds requirements for ICT third-party service use by DORA entities, while Circular 25/883 amends Circular 22/806 for the outsourcing framework [5]. For German operations, BaFin is the relevant supervisory authority and the FinmadiG context should be checked for entity-specific transitional rules [8].
Who should investigate further: banks, insurers, investment firms, payment institutions, fund managers, crypto-asset service providers, and ICT providers serving financial entities. DORA has applied since 17 January 2025 under Article 64 [4].
The Cyber Resilience Act sets cybersecurity requirements for products with digital elements placed on the EU market. It applies to the product and economic-operator role, not to a sector alone: Article 2 sets the scope and connectivity criterion, Article 3 defines products with digital elements and economic operators, Annex I sets essential cybersecurity and vulnerability-handling requirements, and Annexes III and IV identify important and critical product classes [7].
Because the CRA is a regulation, member states do not transpose the core obligations into national law in the same way as NIS2 or CER. They designate market-surveillance and enforcement authorities. Germany's authority-designation law is in progress and Luxembourg's authority designation should be verified before publication or customer-specific advice [7].
Who should investigate further: manufacturers, importers, and distributors of software, connected hardware, embedded firmware, or other products with digital elements. Reporting duties under Article 14 apply from 11 September 2026, and the regulation applies fully from 11 December 2027 [7].
The EU AI Act regulates AI systems by risk tier. Annex III defines high-risk use cases, while the phased application timeline runs from 2025 through 2027, subject to current EU timetable changes that should be checked before a compliance programme is planned [9].
For Luxembourg, draft bill no. 8476 is the authority-designation route to watch. Germany's AI Act implementing law is also in progress and should be checked before advising German operations [10] [11].
Who should investigate further: organisations that develop, sell, or deploy AI systems, especially in HR, creditworthiness, biometrics, critical infrastructure, education, law enforcement, migration, or access to essential services; the high-risk list is in Annex III [9].
CER is the sibling resilience directive to NIS2. NIS2 covers the cyber dimension; CER covers broader resilience for critical entities, including physical, operational, and supply-chain resilience. The directive's sectors are listed in its Annex [12].
Luxembourg transposed CER through the Law of 5 May 2026. Germany's KRITIS-Dachgesetz is reported in force from 17 March 2026, with BBK and BSI responsibilities and registration by 17 July 2026 [14] [15].
Who should investigate further: organisations in sectors that may be identified as critical by a member state, especially where NIS2 scope and physical or operational resilience obligations may overlap [12].
The EU Space Programme Regulation governs the Union space programme, including Galileo, Copernicus, and GOVSATCOM. It can matter for organisations involved in EU space programme infrastructure or downstream services that touch security-relevant programme requirements [13].
Who should investigate further: space-sector companies in Luxembourg or Germany with involvement in EU programme infrastructure, security-relevant downstream use, or service delivery connected to Galileo, Copernicus, or GOVSATCOM [13].
It depends on your sector, activity, product, role, and sometimes size. NIS2 and CER are mostly sector-driven, DORA is financial-sector driven, the Cyber Resilience Act follows products with digital elements, and the AI Act follows AI-system risk and whether you act as a provider or deployer. Working through the four questions — sector, financial-entity status, products with digital elements, and AI systems — gives you a first map of which instruments to investigate.
NIS2 is an EU directive setting a high common level of cybersecurity for essential and important entities across listed sectors, with governance, risk-measure, and incident-reporting duties. DORA is an EU regulation that applies directly across the Union and governs digital operational resilience for financial entities and their ICT third-party risk. A financial entity can be subject to both.
DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 under its Article 64. Because it is a regulation rather than a directive, it applies directly across the EU without national transposition of the core obligations.
The Cyber Resilience Act sets cybersecurity requirements for products with digital elements placed on the EU market. Scope turns on the product and connectivity criterion and on your economic-operator role — manufacturer, importer, or distributor — rather than on your sector alone. Reporting duties apply from 11 September 2026 and the regulation applies fully from 11 December 2027.
Luxembourg transposed NIS2 through the Act of 5 May 2026, in force from 10 May 2026. Entities in scope must pay attention to the self-registration deadline of 10 July 2026. ILR is the lead competent authority, CSSF is competent by derogation for financial-sector entities, and HCPN coordinates national cyber policy and crisis coordination.
Yes. The instruments regulate different objects — organisations, services, products, and AI systems — so they stack. A financial entity can be under DORA, in a NIS2 sector, and dependent on CRA-regulated products at the same time; a manufacturer can be under NIS2 for its sector and the CRA for its connected product line.
[12] European Parliament & Council. Directive (EU) 2022/2557 (CER) — Annex (sectors); transposition deadline 17 Oct 2024. Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2557/oj
[13] European Parliament & Council. Regulation (EU) 2021/696 (EU Space Programme) — Galileo, Copernicus, GOVSATCOM security context. Status/date: in force. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2021/696/oj
[14] Luxembourg / HCPN. Loi du 5 mai 2026 sur la résilience des entités critiques — Luxembourg CER transposition and national critical-entities resilience governance. Status/date: transposed by Law of 5 May 2026; HCPN page last modified 21 May 2026. Source: HCPN and EUR-Lex national implementation measure record. https://hcpn.gouvernement.lu/fr/service/attributions/missions-nationales/protection-infrastructures-critiques.html and https://eur-lex.europa.eu/legal-content/EN/NIM/?uri=CELEX:32022L2557
[2] Grand-Duché de Luxembourg. Loi du 5 mai 2026 relative à des mesures destinées à assurer un niveau élevé de cybersécurité (Mém. A no. 225) — NIS2 transposition; in force 10 May 2026; self-registration by 10 July 2026; ILR competent with CSSF derogation for financial sector and HCPN coordination. Status/date: in force 10 May 2026. Source: Legilux. https://legilux.public.lu/eli/etat/leg/loi/2026/05/05/a225/jo
[3] ILR. NIS2 — scope, security measures, incident notification (SERIMA) — Luxembourg NIS2 sector guidance, self-registration, security measures, and incident notification. Status/date: accessed June 2026. Source: ILR. https://www.ilr.lu/en/sectors/niss/nis-2/
[5] Luxembourg / CSSF. Loi du 1er juillet 2024 implementing DORA / transposing Directive (EU) 2022/2556; Circular CSSF 25/882; Circular CSSF 25/883 amending Circular CSSF 22/806 — CSSF and CAA competent authorities; ICT third-party service requirements for DORA entities. Status/date: law of 1 July 2024; CSSF circulars published 2025. Source: CSSF. https://www.cssf.lu/en/regulatory-framework/ and https://www.cssf.lu/en/Document/circular-cssf-25-882/
[10] Luxembourg / Chambre des Députés. Projet de loi no. 8476 portant mise en œuvre de certaines dispositions du Règlement (UE) 2024/1689 (AI Act) — national competent-authority designation context. Status/date: legislative dossier in progress; verify before publication. Source: Chambre des Députés. https://www.chd.lu/en/dossier/8476
[6] Germany / BSI. NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSI-Gesetz (BSIG) — German NIS2 implementation context; BSI competent. Status/date: current status should be verified before publication. Source: BSI. https://www.bsi.bund.de/
[8] Germany / BaFin. Finanzmarktdigitalisierungsgesetz (FinmadiG) and DORA supervisory context — DORA accompanying act; BaFin competent for German financial-sector supervision. Status/date: current status and transitional rules should be verified. Source: BaFin. https://www.bafin.de/DE/Aufsicht/DORA/DORA_node.html
[11] Germany / Bundesregierung. Durchführungsgesetz zur KI-Verordnung — German AI Act implementation / authority-designation context. Status/date: federal cabinet approved draft implementing law; verify final enactment before publication. Source: Bundesregierung. https://www.bundesregierung.de/breg-de/aktuelles/bundesregierung-beschliesst-durchfuehrungsgesetz-zur-ki-verordnung-staatsminister-weimer-gesetzestext-stellt-staatsferne-medienordnung-in-deutschland-klar--2406634
[15] Germany / Bundesgesetzblatt, Gesetze im Internet, and Bundesregierung. KRITIS-Dachgesetz / Gesetz zur Umsetzung der Richtlinie (EU) 2022/2557 und zur Stärkung der Resilienz kritischer Anlagen — German CER/KRITIS-Dachgesetz context; registration duty by 17 July 2026. Status/date: in force 17 Mar 2026. Source: Gesetze im Internet and Bundesregierung. https://www.gesetze-im-internet.de/kritisdachg/BJNR0420B0026.html and https://www.bundesregierung.de/breg-de/aktuelles/kritis-dachgesetz-2383682
[16] ENISA. Threat Landscape — annual threat landscape series and threat-pattern context. Status/date: current annual series. Source: ENISA. https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends
[17] European Commission. EU Cybersecurity Strategy for the Digital Decade — Dec 2020 policy context. Status/date: published Dec 2020. Source: European Commission. https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade