Public authorities that are open to cybersecurity measures but closed to fraudsters — that is what citizens expect!
27th March, 2026
Interview with LG magazine, translation by itrust consulting.
Are local authorities prepared to tackle the challenges of cybersecurity and the NIS2 Directive? How should they handle it? An interview with Lynn Pinto, DPO; Camar Houssein, SECaaS Manager; and Carlo Harpes, Managing Director of itrust consulting s.à r.l. and Chair of the (Luxembourg) Security Standards Committee.
How have public authorities been preparing for this new challenge?
Carlo: The text of the NIS2 Directive has been published since 2022; Luxembourg has opted for a transposition that is as simple and minimalist as possible; all entities involved in public procurement are covered; they will be required to manage cybersecurity risks, report their dependencies and security status as well as the outcome of their risk assessment to ILR. In addition, they must report incidents and, if necessary, will receive instructions from ILR on how to manage risks.
Minister Léon Gloden encouraged them to take this challenge seriously and not to wait for the law to come into force before preparing. The day after the vote, each entity must have an approved risk analysis demonstrating that it has found the right balance between investing in security measures and accepting residual risks; they must regularly submit improvement plans to ILR too.
What remains to be done by the organizations?
Camar: We agree with ILR that the NIS2 Directive requires nothing more than a designated security officer. However, it imposes a human resources security policy, a (formalized) access and asset management – that is to say, an inventory, with classification and assignment of responsibilities for these assets – and, most challenging of all, a risk assessment and management process that takes into account current norms, which are virtually unknown in the sector. We can easily train someone to assess risks, but such assessment remains uncertain, even for an expert. My manager always says that conducting a risk analysis is an art rather than a science, as this process must produce well-reasoned and ‘reproducible’ results.
Do organizations that are already GDPR-compliant have a head start?
Lynn: Clearly yes, and yet we still come across organizations that are badly prepared: with no record of processing activities, or incomplete ones; with no privacy notice easily available to data subjects; despite the law having been in force for seven years and the CNPD having hired over 60 officials to monitor and provide guidance. Recently, we have again come across municipal secretaries who are also DPOs, and are, therefore, in a conflict of interest, highlighting the decision-makers’ disregard for compliance, laws and regulations.
Who is responsible for this?
Carlo: The College of the Mayor and Aldermen – although we often feel sympathy for them, given how overwhelmed they are by such demands. Note that more than 100 local politicians have resigned since the start of their terms, three years ago. They cannot master every technical field, and the existing staff are reluctant to embrace change, sometimes refusing to accept responsibilities, despite enjoying exceptional job security. Added to this is overly rudimentary support from institutional bodies, with municipalities’ autonomy serving as a partially valid excuse. And for NIS2, a poorly drafted list of requirements from the regulator.
Could you explain this particular feature of Luxembourg?
Camar: NIS2 requires us to follow current security standards in order to identify the appropriate safeguards. We are very familiar with these measures, and they are often already implemented by our clients: these include ISO/IEC 27002 for general security measures, 27001 for management and governance, 27701 for data protection, and 22301 for business continuity, now referred to as resilience. This knowledge is not included in the risk analysis tool promoted by ILR, and each entity will have to study and add it manually. Whilst one could allow free choice of tools, as the CSSF does, ILR imposes a very specific format, defined by a Luxembourgish tool and guidance that shows signs of immaturity. Electricity operators in Germany have committed to independent certifications based on ISO 27001, 27002 and 27019, carried out by state-accredited bodies. This creates an ecosystem with well-established control mechanisms (via OLAS), at similar prices, but with guarantees and a level of security far superior to our self-assessments.
Another problem is that this self-assessment does not use the ISO 27002 standard, but a little-used European guide, and has not been integrated into the risk analysis tool.
How can we strengthen our collaboration?
Carlo: One model of collaboration is our joint project for Diekirch and Ettelbruck, which involves sharing the costs of our CISO support and which is already in place for the utilities sector. Some other municipalities wish to share a CISO role, just as some already share the municipal police service.
We have also proposed to ILNAS that a standardization committee be set up for the municipalities, so that the sector can develop common ground for their activities, not just in cybersecurity.
Finally, ILR announced that it would consult with cybersecurity service providers, who act as catalysts for implementation and designers of more effective solutions than those currently in place; however, this collaboration has never started.
What remains to be done for NIS2, given that the GDPR has already been implemented?
Lynn: All that is ‘needed’ is to extend the incident management procedure and to plan or create a security management system. In other words, an organization should ideally appoint an internal or external CISO to monitor security across IT and business units, to train senior management, to implement a few additional security policies based on norms and tailor them to the needs of a small organization. And, finally, to document and manage risks.
What is the cost of complying with NIS2?
Camar: It is easy to become ‘compliant’, provided that: 1. staff are willing to take on new responsibilities; 2. are available for an average of one day to undergo training, read the documentation, and help to identify and rectify issues. And, 3. provided there is a budget of €15,000 to €30,000 for external support to create initial documentation, coach staff, and guide managers in managing risks.
But compliant does not mean secure, and accepting responsibility does not mean having the time and skills to make the right decisions. Achieving a good level of security can take years, but NIS2 does not impose a deadline. In other words, NIS2 compliance does not guarantee security, but it enables managers to make the right decisions for better cybersecurity.
What experiences have you had?
Carlo: Having submitted 15 analyses to the ILR, we are familiar with their methods and requirements. Having implemented data protection measures in 15 municipalities with limited budgets, we understand the context and have successfully brought them into compliance.
We have developed a free tool, OpenTRICK, to simplify risk management. It imports assets from our inventory; documents risk parameters and compliance level both for the risk treatment plan and for self-assessment; and exports the information in the format and with the level of detail required by ILR. It facilitates tracking within a ticketing system, such as Redmine, either in-house or hosted by us: redmine.opentrick.eu.
Adhering to security rules does, however, require extra effort and attention; but given current vulnerabilities and practices, the improvements required are well worth the cost.
And is artificial intelligence (AI) useful in this context?
Lynn: As part of the CyFORT initiative, we will soon be offering a free AI tool to assist local authorities in inventorying their IT assets and improving their documentation, aiming at fostering interoperability between municipalities rather than with multinationals.
itrust consulting has benefited from AI in several ways: to improve our documentation, in our RADAR tool to detect the first signs of a cyberattack… But the biggest concern remains the advantages fraudsters gain from it: scams are becoming increasingly sophisticated and tailored to exploit victims’ vulnerabilities.
What are the biggest challenges in cybersecurity?
Carlo: Compliance is not security. It is easy to achieve compliance; it is difficult and costly to secure an infrastructure. We advocate quick wins: staff training, independent checks on system configurations, the use of open-source software, and thus investment in local skills rather than in IT licenses for poorly utilized IT products.
The hardest part is changing habits, accepting that we must justify our choices, and replacing trust with verifications, especially in IT management where mistakes are simply human, and often facilitated by lack of time. That is why the sector must collaborate and seek synergies.
Read the full interview in French (p. 36-38) published in LG | March 2026 | n° 36