Luxembourg's strong data protection laws were originally designed for the financial sector. The Government understands that legal stability is very important as it allows companies to enjoy medium- and long-term predictability.
An original feature of this outlook is the law of 9 July 2013, which made Luxembourg the first European country to define the legal status of data in the event of bankruptcy.
A right to claim intangible and non-fungible movable assets from a bankrupt company was hence created. The new law had initially been designed for bankrupt cloud computing companies, but the scope is wider. For example, it applies to data entrusted to any third party, including e-archiving service providers.
In addition, several organisations have been created to enhance Luxembourg’s data protection framework:
The National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD) is an independent authority created by the Act of 2 August 2002 related to the protection of individuals with regard to the processing of personal data.
It verifies the legality of the data processing and ensures that personal freedoms and fundamental rights are respected with regard to data protection and privacy.
It also covers the terms of the amended Act of 30 May 2005 regarding the specific rules for the protection of privacy in the electronic communications sector.
The Luxembourg Data Protection Association (Association pour la protection des données - APDL) was officially launched on 11 March 2014.
The APDL represents its members' interests and is a forum through which they can communicate on a more ad hoc basis with administrations and local regulators. It is also a place to share information and knowledge about data protection through local and international networking events, conferences, and partnerships often organised with foreign data protection associations.
The APDL welcomes members from all kinds of backgrounds, resulting in a diverse, active data protection community.
E-Archiving and e-Signature
Luxembourg aims to become the “European hub for electronic data”. A newly amended law has introduced a new electronic archiving legal framework which allows companies to centralise their e-archiving management into a single European country.
The main function of the law is to give legal recognition to electronic documents which can be certified by a provider of dematerialisation and conservation services (prestataire de services de dématérialisation et de conservation or PSDC). An electronic copy can now be used as legal evidence.
Luxembourg was also the first European country to recognise that electronic and handwritten signatures can have the same legal value.
Personal Data Protection
Corporations with entities in Europe which collect and use customer and staff personal data may be required to register details of their data protection practices with the Luxembourg National Data Protection Commission (CNPD).
The CNPD is an independent body set up by the amended law of 2 August 2002 and the law of 30 May 2005 which deal with the specific requirements in the field of Luxembourg electronic communications.
Under certain conditions, some activities do not require prior notification to the CNPD, for example, salaries, job applications, personnel and client management, bookkeeping, and network and IT systems management. Thus, the legal framework achieves a good balance between the free flow of data and the protection of individuals.
IT Trust and Security
Luxembourg has played a major role in the democratisation of information security with the development of a state-of-the-art risk management platform for businesses, my.cases.lu. This tool uses objective metrics on threats and vulnerabilities, made available by the 4 publicly financed Computer Emergency Response Teams (CERTs).
The CERTs ensure stronger national collaboration and better support for businesses and users in the event of cyber-attacks. They also provide timely information for the implementation of appropriate technical security measures (IDS/IPS). In addition to this support, the Government promotes the creation of mutualised technical security measures for businesses at the level of ISPs and data centres. Luxembourg is the first country in Europe to introduce a harmonised regulatory approach to information security.
A number of public and private initiatives offer security options for individuals and all types of company.
Securitymadein.lu is the main online resource for cybersecurity in Luxembourg, informing nationally and promoting internationally. It centralises news and information related to cybersecurity and a toolbox of solutions for individuals, organisations, and the ICT community. Securitymadein.lu is Luxembourg’s cybersecurity one-stop-shop.
Cyberworld Awareness and Security Enhancement Services (CASES)
CASES enables public and private entities to acquire the necessary organisational and methodological know-how to address cybersecurity. It identifies measures, procedures, methods and other organisational structures.
The national risk management method is called MONARC and is developed and maintained by the CASES team. It democratises the risk management approach by providing contextual risk models, as well as risk mitigation options. Risk management is thus easier to implement, and its results are more objective, can be converted to requirement standards, and can be harmonised with regulators.
Computer Incident Response Centre Luxembourg (CIRCL)
CIRCL is the central point from which security can be enhanced and responses coordinated. Besides its pure CERT (Computer Emergency Response Team) activity for the private and local government sectors, CIRCL also develops services to enhance the efficiency of operational security work, including a malware and information sharing platform (MISP).
The fast, loss-free MISP platform represents a tremendous opportunity and challenge for the cybersecurity community. MISP creates a central IOC database by storing technical and non-technical information about malware and attacks. It also creates correlations between malware, events and attributes, and automatically exchanges and synchronises data with other parties and trust-groups that use MISP. This results in faster detection of targeted attacks and an improved detection ratio, due to a reduction of false positives. Furthermore, duplication of work is reduced and synergies are generated.
BGP ranking is free software that calculates the security ranking of an Internet Service Provider. The data provided by BGP ranking shows that incidents in Luxembourg are dealt with in a timely manner and that malicious activities do not persist. This is an important health indicator for the Luxembourg network.
Framework for Analysis of Information Leaks (AIL)
AIL is a modular framework to analyse information leaks from unstructured data sources like pastes from Pastebin or similar services. The AIL framework is flexible and can be extended to other functionalities in order to mine sensitive information. This service has been designed in compliance with the strict data protection rules. It allows companies to look for breach indicators.
CIRCL provides a contextual feed containing all software vulnerabilities including visibility ranking in Luxembourg. The data feed originates from the aggregated data sources of cve.circl.lu including the National Vulnerability Database (NIST), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), CIRCL incident statistics and the Toolswatch/vFeed.
Dynamic Malware Analysis Platform (DMA)
The DMA Platform is operated by CIRCL. It analyses potentially malicious software or suspicious documents in a secure and virtualised environment.
Users can upload their suspicious software or document files via a web interface and select a specific target platform. The request is then automatically processed and executed within the selected target. Afterwards, additional analysis is performed, such as memory analysis and comparative analysis. Then a report is made available including the complete dynamic analysis, memory analysis and additional information.
BEE SECURE is a joint initiative of the Ministry of the Economy, the Ministry of Education, Children and Youth, and the Ministry of Family Affairs and Integration. It is coordinated and operated by three complementary partners: National Youth Service (SNJ), SECURITYMADEIN.LU and KannerJugendTelefon (KJT), a government-supported organisation that operates the national helpline for children, young people and parents.
BEE SECURE promotes information safety and a secure use of Internet devices among the general public in Luxembourg. Four main activities work towards this objective:
- National thematic campaigns
- Training in schools – these are mandatory for all 7th grade classes in secondary schools. Training sessions are also offered for primary school classes as well as for teachers and parents
- The BEE SECURE Stopline allows the reporting of illegal content (operational since 2008)
- A helpline for children, youths and their parents, offering information, advice and help on ICT-related topics
This project is part of the global digital skills development policy (“ICT skills”) of the Ministry of Economy. It is the first national resource centre for ICT skill development, targeting every generation.
Hack4Kids is the first step of this approach, promoting coding amongst young children by teaching and raising awareness about information technologies, new tools and trends. Another key objective is to develop the next generation’s e-skills, entrepreneurship and ICT skills.
The IT for Innovative Services (ITIS) department at the Luxembourg Institute of Science and Technology (LIST) bolsters this domain through multi-disciplinary scientific and technological research. This leads to the development of innovative IT services. ITIS brings together about 140 highly-skilled researchers and engineers from various disciplines to address technological, organisational, human, and economic aspects of innovative IT services.