Luxembourg (LU)

In March 2015, Luxembourg published the latest version of its national strategy: National Cybersecurity Strategy II.

The overarching goal of the new strategy is the democratisation of cybersecurity by promoting collaboration and reducing complexity and costs to all stakeholders. The following objectives are the basis for achieving this overarching goal:

Obj. 1 - Strengthening national co-operation: government coordination for multi-stakeholder collaboration. Adaptive and flexible governance tool that is risk-oriented and underpinned by the establishment of a national agency for the security of information systems (ANSSI), which becomes the line of command for all cybersecurity stakeholders. Active co-operation with the international community is imperative, especially at the level of Computer Emergency Response Teams (CERTs) and law enforcement agencies.

Obj. 2 - Strengthening international co-operation: International co-operation should go beyond the exchange of operational information to include methodological aspects and tools in the field of incident management, on systems for detecting abnormalities, early warning systems, risk management, security policies, raising awareness and education. The period 2015-2017 should be dedicated to identifying good practices for co-operation (in Europe and internationally) and participating in groups to establish key partnerships.

Obj. 3 - Increasing the resilience of the digital infrastructure: underpinned by risk analysis, management and measures, this objective covers a preventive operational and a defensive operational strand. The preventive strand plans to make available information, training, guides to good practice as well as methodologies. The defensive strand places emphasis not only on having sufficient capacity for detecting intrustions but also for reacting to a detected incident, handling the issue efficiently and restoring the operability of the systems affected.

Obj. 4 - Fighting cybercrime: Legal monitoring must identify the contradictions or discrepancies in laws, regulations and circulars, and harmonise the approach of all state actors. Due to the cross-border nature of cybercrime, the evolution of technologies and fraudulent behaviours needs to be closely monitored. Legal monitoring should include the follow-up of initiatives launched amongst communities or even internationally.

Obj. 5 - Informing, training and raising awareness of cyber risks: Raising the awareness of public and private sectors of the risks involved and means of protection is an essential element of the strategy, as it makes a considerable contribution to reducing potential vulnerabilities and motivates actors to participate actively in the strengthening of security. The strategy calls for the engagment of all actors from end-users (consumers; IT professionals; civil servants and public employees); decision-makers and business executives; service providers and critical infrastructure owners, where training plays a key role in keeping them updated on potential threats and how to protect themselves.

Obj. 6 - Implementing norms, standards, certificates, labels and framews of reference for requirements for the government and critical infrastructures: Foster use of risk analysis methods, policies and security standards for specific contexts, along with the implementation of organisational and technical security measures applied by different administrations. Compliance with reference frameworks and sector certifications by critical infrastructure operators. Establish an inventory of standards and good practices in the different sectors

Obj. 7 - Strengthening co-operation with the academic and research sphere: Ensure skills can be used to improve the national cybersecurity environment, both through research per se and training. Ensure continuous development of these skills in close consultation with the private sector and government authorities, while also promoting international academic co-operation.

 

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of adoption 2013; 2015
Updates and revisions

In July 2017, the government announced its Guidelines of the Luxembourg Defense to 2025 and beyond. In addition to an increased military budget, the guidelines set out plans for the:

  • Development of an industrial strategy, innovation and research in order to involve the Luxembourg economy in the development of defense capabilities.
  • Development of a recruitment strategy to meet the human resource needs in sufficient numbers and with adequate profiles, including specialists capable of developing and implementing defense and military capabilities.
  • Study on the creation of a national availability service to mobilize civilian expertise in case of a crisis, in order to strengthen the resilience of the Luxembourg State and its services.
  • Establishment of a national capacity development agency for the development and implementation of major investment projects.

The 2015 strategy provides for risk-oriented governance targeting government bodies (HCPN, GOVCERT, SRE, CTIE, Army); prosecuting authorities (Grand Ducal Police and the Prosecution service); independent national authorities concerned (ILR, CSSF, NCDP); sector actors (CIRCL, RESTENA, private CERTs) and public-private partnerships (PPP).

Implementation and monitoring

ANSSI, the national agency for the security of information systems, defines policies and guidelines for the security of classified and unclassified information, ensures that norms and standards are established, that the measures regarding the security of information systems are implemented and that the application is guaranteed, amd also certifies the means of processing of unclassified information (digital systems, services, infrastructures). 

Since 2015, ANSSI acts a nation Computer Emergency Response Team (CERT) and ensures the hosting of the government's CERT - GOVCERT.LU, and serves as the line of command for all active players in the field of cybersecurity in relation to the public sector and critical infrastructure. Its mission therefore also includes co-operation with all suitable private sector stakeholders, if necessary by means of formalised co-operation agreements.

Operational capacity building

Capacity in the preventive operative strand (objective 3) involves Computer Emergency Response Teams (CERTs) in two ways:

  • Governance tools for analysis, risk management, as well as metrics of threats and vulnerabilities (made available to CERTs) may be used by regulators and private and public actors.
  • Making the results of CERT monitoring of threats and vulnerabilities available to all Luxembourg actors and used in the context of governance and risk management tools.

Capacity in the defensive operative strand, focuses on three types of operational measures:

  • Sharpening operational aspects in the implementation of the Cyber PIU for significant cyber incidents.
  • Creating simulations and/or sector and national exercises on the response to incidents affecting the security of senstive or critical information and communication systems, and participating in similar international exercises.
  • Improving co-operation between CERTs when handling routine incidents through co-operation agreements and establishing an information exchange platform.

Currently, there are 4 public CERTs and 6 private CERTs (1 is a joint industry service) covering different sectors of the economy and society in Luxembourg.

GOVCERT.LU - government and critical infrastructures. It oversees the management of cyber-security incidents compromising Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to reports of such. NCERT.LU (National CERT) acts as the official national point of contact for national and international governmental CERTs.

Computer Incident Response Centre: CIRCL - private sector, communes and non-governmental entities in Luxembourg. Its activities include coordinating communication among national and international incident response teams during security emergencies and helping prevent future incidents, providing a security related alert and warning system for ICT users in Luxembourg and fostering knowledge and awareness exchange in ICT security.

HealthNet-CSIRT (Agence eSanté) - health sector: health professionals and institutions in the sector.

RESTENA-CSIRT - education and research sector

Malware.lu CERT - private CSIRT providing expertise in incident response and malware analysis to private customers and governmental entities. Follows guidelines of NIST (National Institute of Standards and Technology).

Excellium CSIRT (CERT-XLM) - Excellium's commercial CERT providing services and response services. In BE and LU: mostly service providers, finance and insurance organisations but also provides reponse services outside these countries.

Clearstream – Deutsche Boerse CERT (DBG-CERT) - all systems hosted and owned by Deutsche Boerse Group.

eBRC/POST SOC - response team operated by POST group, the largest provider of postal and telecommunications services, also offering financial services.

IBM-Sogeti Security Operation Center (SOC) - In Luxembourg, the joint IBM and Sogeti SOC ensures compliance with local regulations in the national market.

Telindus-CSIRT - private CSIRT owned and operated by Telindus S.A., a national and international cloud service provider and telecom operator. Its CSIRT team responds to cyber-security and computer security incidents from or targeting its own autonomous system (ASN-Telindus-Telecom).

Legal conditions

Criminal legislation: Specific legislation on cybercrime has been enacted through the following instrument: - Penal Code (French).

Regulation and Compliance: Specific legislation and regulation related to cybersecurity has been enacted through the following instruments:

Law on Data Protection on Electronic Communications (English)

Law on Electronic Commerce (English)

Law on Electronic Signature and Cryptography (French).

Law on the Protection of Individuals with regard to the Processing of Personal Data. (English)

The 2015 strategy defines the following action plan for the period 2015-2017 under Objective 4:

Creation of a legal WG with the following missions: analysis of the current legal framework; analysis of the provisions in force
abroad; transposition of European directives and adaptations of the national legal framework.

Businesses and Public-private partnerships

The 2015 strategy highlights the importance of a multi-stakeholder dialogue and engagement on cybersecurity. Luxembourg ICT Cluster brings together  public and private research actors and could become a forum also for cybersecurity awareness raising and new partnerships.

LUXEMBOURG AUTOMOBILITY CLUSTER highlights its unique selling point for businesses as Luxembourg’s strong ICT eco-system with proven competences in cybersecurity and availability of high-speed connectivity (ultra-low latency).

Other capacity-building measures: research and education

Under the 2015 strategy, co-operation across academic and research institutions, business and government is mainly focused on technology advances, such as the development of protocols and cryptographic algorithms and the development of a cybersecurity training programme.

Five public and private players (Ministry of Economy, SECURITYMADEIN.LU, Luxinnovation, Excellium and PwC Luxembourg) are gathering to create the Cybersecurity Week - Luxembourg in the framework of the European Cybersecurity Month (ECSM), an annual advocacy campaign organised by the European Union Agency for Network and Information Security (ENISA) and the European Commission to promote cybersecurity internationally.

The event will build on existing synergies to help develop cyber-security initiatives led by public and private sector players, as well as to encourage the development of a cyber-security start-up ecosystem encompassing innovative firms from both Luxembourg and abroad, investors and individuals with skills in the field.

Overall assessment/best practices

At national level there is a high-level security board (Cyber Security Board - CSB) to share information through official channels and share technical details with national partners.

The Luxembourg national CERT is one of the drivers of the NIS platform and fosters sharing information as widely as possible across geographies and borders, with the 7 private CERTs also actively supporting this practice.
Date of last WISER analysis July 2017


Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to a national CERT/CSIRT

GOVCERT.LU

  • Email completed Incident Reporting Form (FRM 702 docx txt) to soc@govcert.etat.lu
  • Using the Online form (www.govcert.lu/online_form) - Incidents reported using this form are encrypted prior to transmission thus enabling anonymous reporting.
  • Using the online file encrypt to securely encrypt files on your computer prior to reporting them to us without the need to install aditional software. The resulting files will only be readable by GOVCERT.LU

Whenever possible, constituents should use the incident reporting form (FRM 702 docx txt). Non-constituents, however, should use the online form or contact our SOC directly by email.

CIRCL.LU

RESTENA-CSIRT

Healthnet CSIRT - Private users

Healthnet CSIRT - Businesses

Healthnet CSIRT - IT Community

Guidance and Updates CIRL.LU provides updates on the latest threat landscape on its home page.
Languages French, Dutch, English
Date inserted July 2017

 

Contact us for more info