The €10 Million Question of NIS2: Workshop Recap

The €10 Million Question of NIS2

DECISION MAKERS MORNING SERIES — FIRST EDITION | Workshop recap — 11 June 2026 — Luxembourg

€10 million is the maximum penalty under NIS2 — or 2 percent of global annual turnover, whichever is higher. But the figure is only half the story. What truly changes the game is the personal liability of executives. For ninety minutes, participants confronted this new reality through three lenses: regulatory framing, European case studies, and a full-scale crisis simulation.

▍ A Countdown Already Underway

The Luxembourg law of 5 May 2026 transposes the European NIS2 Directive into national law. Registration with the ILR is due by 10 July 2026 — only three weeks away at the time of the workshop. For many participants, the deadline still raised more questions than answers: who must register, against which criteria, and with what immediate consequences?

The facilitator opened with a show-of-hands survey on those uncertainties, then set out the essentials. NIS2 significantly widens the scope of affected entities across eighteen public and private sectors, from medium-sized enterprises to large corporations. It strengthens oversight through active inspections and mandatory registration — and shifts responsibility to governing bodies, which can no longer delegate accountability to the IT department.

▍ A Threat Landscape That Has Changed

Before turning to the regulation itself, the workshop established one observation: the threat landscape is no longer what it was five years ago. Three trends now dominate.

1. Artificial intelligence in the hands of attackers

Voice and video deepfakes are turning trust itself into an attack surface. The case in point: in January 2024, an employee of Arup in Hong Kong joined a video call with what looked like the CFO and several familiar colleagues. Everyone on the call except him was an AI-generated impersonation. In a single day, fifteen transfers totalling USD 25.6 million were executed. The fraud only came to light at headquarters several days later.

2. The supply chain as a preferred attack vector

Third-party risk is rising sharply. According to the Verizon 2025 Data Breach Investigations Report, the share of breaches involving a third party reached 30 percent — roughly double the previous year. Attackers increasingly target smaller service providers to reach larger organizations indirectly — precisely the scenario NIS2 is designed to address.

3. State-sponsored operations on European infrastructure

Espionage and influence operations increasingly rely on compromised infrastructure hosted within Europe, blurring the line between cybercrime and geopolitics.

▍ What NIS2 Requires in Practice

The workshop distilled the obligations into four plain questions.

Who? Essential and important entities — defined by sector under Annexes I and II of the Directive, and by size under Recommendation 2003/361/EC. The public sector is explicitly included.

What? An all-risks approach covering cyber, physical, human and environmental threats. The aim is no longer only to protect information systems, but to ensure the continuity of critical services.

How? Article 21 sets ten minimum measures, from risk analysis to multi-factor authentication. Article 23 establishes three-stage reporting: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month. In Luxembourg, this chain runs through the ILR’s SERIMA platform — with dual notification where personal data is involved, including the 72-hour GDPR notification to the CNPD.

Otherwise? Fines up to €10 million or 2 percent of global annual turnover, plus suspension of executives and public disclosure of sanctions. Gartner estimates that by the end of 2026, 75 percent of CEOs will be held personally accountable for cyber incidents.
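As an added illustration (not part of the workshop material), the Python sketch below turns the Article 23 reporting chain and the parallel GDPR notification into a deadline tracker and replays the simulation's injects against it. The 30-day reading of "one month", the awareness timestamp and the stage names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stages described in the text: NIS2 Article 23 early warning (24h), full
# notification (72h) and final report (one month; taken as 30 days here, an
# assumption), plus the parallel 72h GDPR notification to the CNPD when personal
# data is involved. Recipients follow the Luxembourg set-up (ILR via SERIMA).
NIS2_STAGES = (
    ("nis2_early_warning", timedelta(hours=24), "ILR (SERIMA)"),
    ("nis2_full_notification", timedelta(hours=72), "ILR (SERIMA)"),
    ("nis2_final_report", timedelta(days=30), "ILR (SERIMA)"),
)
GDPR_STAGE = ("gdpr_notification", timedelta(hours=72), "CNPD")

@dataclass
class Deadline:
    name: str
    recipient: str
    due: datetime
    status: str  # "open", "overdue" or "submitted"

def reporting_timeline(detected_at, personal_data, now, submitted=frozenset()):
    """Status of every notification deadline at time `now`.
    detected_at: when the entity became aware of the incident (clock starts here)
    personal_data: True adds the parallel GDPR path (dual notification)
    submitted: names of stages already filed
    """
    stages = NIS2_STAGES + ((GDPR_STAGE,) if personal_data else ())
    timeline = []
    for name, offset, recipient in stages:
        due = detected_at + offset
        status = "submitted" if name in submitted else ("overdue" if now > due else "open")
        timeline.append(Deadline(name, recipient, due, status))
    return timeline

def overdue(detected_at, personal_data, now, submitted=frozenset()):
    """Names of deadlines already missed at `now`."""
    return [d.name for d in reporting_timeline(detected_at, personal_data, now, submitted)
            if d.status == "overdue"]

# Constructed awareness time used for the inject walk-through below.
T0 = datetime(2026, 6, 11, 9, 0, tzinfo=timezone.utc)

def overdue_at_inject(hours_after, personal_data, submitted=frozenset()):
    """Replay a simulation inject: what is overdue at T+hours_after?"""
    return overdue(T0, personal_data, T0 + timedelta(hours=hours_after), submitted)

if __name__ == "__main__":
    for h in (0, 18, 30, 24 * 30):  # the workshop's injects: T+0, T+18h, T+30h, T+1 month
        print(f"T+{h}h overdue: {overdue_at_inject(h, True, {'nis2_early_warning'})}")
```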

▍ Legislation, Frameworks and Areas of Friction

One point deserved emphasis: NIS2 is a legal obligation, not an operational framework. To turn its broad requirements into auditable controls, organizations rely on voluntary standards.

ISO 27001 / 27002 provide the operational foundation — an Information Security Management System, auditable controls, and certification. NIST CSF 2.0 offers a strategic framework around six functions (Govern, Identify, Protect, Detect, Respond, Recover), particularly useful in board-level discussions. ENISA bridges the two: its June 2025 guidelines map NIS2 requirements onto both NIST and ISO, letting organizations use those controls as evidence of compliance.

The workshop also untangled the overlaps with neighbouring regulations. DORA takes precedence over NIS2 for the financial sector under the principle of lex specialis — entities supervised by the CSSF refer primarily to DORA. GDPR may trigger a parallel notification for the same incident. CER, focused on the physical resilience of critical entities, is effectively the real-world counterpart of NIS2. And Part-IS, covering information security in aviation, is complementary to NIS2 rather than a substitute for it. A well-designed ISMS can serve several of these at once, even where their scopes and supervisory authorities differ.

▍ What Others Have Already Experienced

Three recent cases anchored the theory in reality:

  • Miljödata (Sweden, summer 2025): A cloud-based HR provider used by many Swedish municipalities was hit by ransomware. The attack rippled across the ecosystem, disrupting HR and administrative processes in dozens of public organizations, and stolen data was later published.
  • Marks & Spencer (United Kingdom): Social engineering against a subcontractor’s staff forced the retailer to run logistics manually for several weeks. Estimated operational loss: GBP 300 million.
  • Jaguar Land Rover (UK & beyond): A cyberattack halted production lines in the UK, Slovakia, Brazil and India. Direct losses reached USD 250 million.

Across Europe, the first NIS2 sanctions are already landing: proceedings in Germany for late notification, formal warnings in France for missing minimum measures, and inspections of public administrations in Italy.

▍ The Simulation: Living the Crisis, Not Reading About It

The heart of the workshop was an immersive exercise. Four successive injects (T+0, T+18h, T+30h, T+1 month) tested the participants’ ability to report, communicate under pressure, and manage board-level expectations.

The contrast between groups exposed real grey areas: the deadline is not the hard part — deciding when to report is. Supply-chain risk remains the blind spot, and under pressure, governance takes precedence over technology.

▍ Provocations, Decisions and Takeaways

Participants identified five collective priorities:

1. Name the notification decision-maker.
2. Map and contract critical suppliers.
3. Get board sign-off on the cyber policy.
4. Run a real crisis exercise.
5. Register with the ILR before 10 July.

Three key takeaways:

  • Compliance is not security.
  • The supply chain is the risk.
  • Liability is personal.