Turning NIS2 requirements into practical action

Advisory

By: Hakim Mezieche

NIS2 is the European Union’s updated cybersecurity framework. In Luxembourg, it was transposed into national law through the Act of 5 May 2026, which entered into force on 10 May 2026. The objective is to strengthen cybersecurity, improve resilience, and ensure that organisations providing essential or important services are better prepared to manage cyber risks and incidents.

Who is concerned?

NIS2 mainly concerns medium-sized and large organisations operating in sectors such as energy, transport, banking, healthcare, digital infrastructure, public administration, food, manufacturing, and other critical services. In some cases, smaller organisations may also be in scope if they provide essential services, operate key infrastructure, or play a strategically important role.

What does it mean in practice?

Organisations that fall within scope must put in place appropriate cybersecurity measures, manage incidents effectively, and report significant incidents within strict deadlines. NIS2 also increases expectations around business continuity, supply chain security, internal governance, and accountability.

Management is expected to oversee cybersecurity measures and ensure they are appropriately prioritised within the organisation.

How can Grant Thornton help?

Grant Thornton supports organisations in understanding their obligations, identifying priorities, and building a pragmatic path to compliance. We combine regulatory expertise, real-world implementation experience, and a risk-based approach to help clients strengthen resilience while meeting evolving expectations.

  • Clear regulatory interpretation: We help you understand what NIS2 means for your organisation and translate legal and regulatory requirements into practical, actionable steps.
  • Focused readiness assessments: We assess your current cybersecurity and governance framework, identify gaps, and highlight priority actions based on risk, maturity, and business impact.
  • Pragmatic remediation support: We help design realistic remediation roadmaps covering governance, policies, incident management, business continuity, supply chain security, and control enhancement.
  • Sustainable compliance and resilience: Beyond immediate readiness, we help embed cybersecurity into governance and operations, so your organisation is better prepared for future regulatory developments and emerging threats.

 

Contact

If you wish to understand whether your organisation is in scope and how ready you are for NIS2, Grant Thornton can help you assess your exposure, identify gaps, and define a practical roadmap forward. Please feel free to reach out to Hakim Mezieche, IT Audit Partner at Grant Thornton Luxembourg.