Updated: June 18, 2012 (Initial publication: June 9, 2012)

Breaking news

In Luxembourg, the Cyber Security Board decided on 4 June 2012 to centralize the incident reports made by citizens and to convey them to access providers, which are legally mandated to ensure the cyber security of networks.


In Luxembourg, one regulator is specifically in charge of "cybersecurity". The Cyber Security Board, created by the Act of February 27, 2011, on networks and electronic communications services, was implemented in July 2011. It is chaired by the Ministry of communication and media. This regulator met on June 4, 2012. Based on the law that requires access providers to prevent and manage risks in order to ensure cyber security, the regulator decided to create a single window to centralize information on cyber security incidents. This information is transmitted by citizens, and the regulator then transfers it to companies so that they can take adequate measures against the security risk.

© thejournalofregulation


The Cyber Security Board is a Luxembourg regulator established by the Act of February 27, 2011 on networks and electronic communications services, implemented by the Government in July 2011. Its mission is to provide "cyber-security of networks".

There is therefore a kind of "spraying" of regulators: as the subjects of regulation multiply and become more refined, here security in networks, regulators multiply as well. It is not known whether, from the point of view of institutional design, multiplying control structures to this extent is necessarily very efficient.

The future will tell. The Cyber Security Board therefore met on 4 June 2012 to establish the most effective mode of information for fighting cybercrime, attacks, hacking, espionage, etc. Indeed, the best-placed sensors are most often the consumers themselves, because they are the victims, while the operators best placed to defend the system and the victims against attacks are the companies that provide access to networks.

The Act has already internalized the work of monitoring and sanction, as can be observed in many areas, for example banking and finance, since articles 45 and 46 of the Act of February 27, 2011 have tasked service providers to "take technical and organizational measures adequate to manage security risk and take appropriate measures to ensure the integrity of networks in order to secure the continuity of the services provided for them". It remains for the regulator to bring the information to access providers to enable them to do this work.

This is why the regulator, in its decision of 4 June 2012, adopts the centralizing role of focal point of information, with citizens notifying it of cyber security incidents. This allows the regulator to supply businesses with this information so that they can do the work that the regulator should have done.

Thus, the regulator reappears where it was no longer expected: after the Act has internalized the regulation in companies, the regulator takes on a centralizing role as focal point of information between victims and businesses. Here we have a classic function of control: centralizing information and forwarding it to those who are in a position to use it in the system.

It remains that Luxembourg is still waiting to transpose the Convention of the Council of Europe to fight cybercrime, and the directive protecting people, States and businesses against attacks on information systems. Luxembourg has for the moment no effective criminal law in this area. There comes a time when the classical criminal law must take the lead.
