39. Luxembourg 66.23

39th National Cyber Security Index
13th Global Cybersecurity Index
9th ICT Development Index
17th Networked Readiness Index
Population 0.6 million
Area (km2) 2.6 thousand
GDP per capita ($) 109.2 thousand
NCSI update: 8 Apr 2022
Data source: Public data collection

Version 8 Apr 2022

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 1/5 20%
    • 5.1. Cyber security responsibility for digital service providers 0/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 1/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence

      The Luxembourg State Information Security Policy (PSI) implements an information security management system (ISMS) in accordance with the international standard ISO / IEC 27001 for all ministerial departments, administrations and services of the Luxembourg State as well as operators of critical infrastructures.

      As part of the ISMS definition, general policies by area are developed and implemented. The numbering of domains 5 to 18 has been chosen to be aligned with the international standard ISO / IEC 27002 and thus simplify the implementation and monitoring by trained personnel in the use of standards. Initial domains can be completed when needed. Following this logic, domain 19 of the PSI defines the general policy for the management of classified documents of the Luxembourg State.

    • 5.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 5/6 83%
    • 6.1. Operators of essential services are identified 1/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence

      Grand Ducal Regulation dated 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (Critical Infrastructures Act)

    • 6.2. Cyber security requirements for operators of essential services 1/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence

      Art 8.

      (1) The owner or operator of a critical infrastructure is required to develop a security and business continuity plan that includes security measures for the protection of the infrastructure. The Office of the High Commissioner for National Protection makes recommendations to the owner or operator of a critical infrastructure regarding these security measures to ensure their protection within the meaning of section 5, to improve their resilience and to facilitate managing a crisis.

      (2) The owner or operator of a critical infrastructure is required to designate a security correspondent who is the contact person for infrastructure security issues with the Office of the High Commissioner for National Protection.

      (3) The owner or operator of a critical infrastructure must notify the Office of the High Commissioner for National Protection of any incident that has had a significant impact on the security and sustainability of the operation of the infrastructure.

      (4) The structure of the safety and business continuity plans for the critical infrastructure is set by Grand-Ducal regulation.

    • 6.3. Competent supervisory authority 3/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

    • 6.4. Regular monitoring of security measures 0/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence
  • 7. E-identification and trust services 8/9 89%
    • 7.1. Unique persistent identifier 1/1
      Requirements
      Criteria

      The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.

      Accepted references

      Legal act

      Evidence

      Règlement grand-ducal du 28 novembre 2013 fixant les modalités d’application de la loi du 19 juin 2013 relative à l’identification des personnes physiques (Grand-Ducal Regulation of 28 November 2013 laying down the implementing rules for the law of 19 June 2013 on the identification of natural persons).

      Article 1 

      "The identification number is made up of 13 digits comprising the following components in order:

      a) the year of birth expressed by four digits;
      b) the month of birth expressed by two digits;
      c) the day of birth expressed by two digits;
      d) a unique sequential range per date of birth expressed by three digits;
      e) a control number calculated according to the so-called “Luhn” algorithm;
      f) a control number calculated according to the so-called “Verhoeff” algorithm.

      For the allocation of the identification number and when the year of birth is unknown, component a) indicates the year of entry, when the month of birth is unknown, component b) indicates two zeros and when the day of birth is unknown, component c) shows two zeros."


      Law of March 30, 1979 organizing the digital identification of natural and legal persons. (National identifier) 

      Art. 2 (1) b: "An identity number is assigned (...) to each legal person governed by Luxembourg law, upon incorporation, (...)"

      Art. 2 (2): "The identity number is to be determined in such a way that a number cannot be assigned to more than one person and that a single person cannot be assigned several numbers."

      "Non-natural persons: The national identifier is used as a TIN-like number. The national identifier is regulated by the law of 30th March 1979 concerning the introduction of a national identifier. The tax file number corresponds to the national identifier. The allocation of a file number is an administrative practice. There is no further regulation".

    • 7.2. Requirements for cryptosystems 0/1
      Requirements
      Criteria

      Requirements for cryptosystems in the field of trust services are regulated.

      Accepted references

      Legal act

      Evidence
    • 7.3. Electronic identification 1/1
      Requirements
      Criteria

      Electronic identification is regulated.

      Accepted references

      Legal act

      Evidence

      REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014

    • 7.4. Electronic signature 1/1
      Requirements
      Criteria

      E-signature is regulated.

      Accepted references

      Legal act

      Evidence

      REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014


      Civil Code

      Art. 1322-1:

      "(L. August 14, 2000) The signature necessary for the perfection of a private deed identifies the person who affixes it and shows his adherence to the content of the deed.

      It can be handwritten or electronic.

      The electronic signature consists of a set of data, inseparably linked to the act, which guarantees its integrity and satisfies the conditions laid down in the first paragraph of this article."

    • 7.5. Timestamping 1/1
      Requirements
      Criteria

      Timestamping is regulated.

      Accepted references

      Legal act

      Evidence

      REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014

    • 7.6. Electronic registered delivery service 1/1
      Requirements
      Criteria

      Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.

      Accepted references

      Legal act

      Evidence

      REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014

    • 7.7. Competent supervisory authority 3/3
      Requirements
      Criteria

      There is an authority responsible for the supervision of qualified trust service providers.

      Accepted references

      Official website or legal act

      Evidence

      Luxembourg Institute of Standardisation, Accreditation, Safety and Quality of Products, ILNAS

  • 8. Protection of personal data 4/4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
Information Disclaimer

The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
