JAVASCRIPT
<h3>What is AI literacy?</h3>
<p>AI literacy (Article 4 AI Act) is the obligation for every AI provider or deployer to ensure its staff has a sufficient level of AI understanding, proportionate to the context of use.</p>
<p>Enforceable since 2 February 2025, sanctions applicable from 2 August 2026, with no size threshold. For <a href="https://letzagents.lu/en/solutions/lawyers-notaries">law firms and notaries</a>, documenting AI training is a priority. Source: <a href="https://artificialintelligenceact.eu/article/4/" rel="noopener">Article 4 AI Act</a>.</p>
<h3>What is the Digital Services Act (DSA)?</h3>
<p>The DSA (EU Regulation 2022/2065) frames intermediary digital services (platforms, marketplaces, search engines) with moderation duties, recommendation transparency and a reinforced regime for very large platforms.</p>
<p>For an SME, the DSA rarely applies directly but affects any actor publishing a front-facing AI chatbot or AI content on a covered platform. Source: <a href="https://eur-lex.europa.eu/eli/reg/2022/2065/oj" rel="noopener">EU Regulation 2022/2065</a>.</p>
<h3>What is the Digital Markets Act (DMA)?</h3>
<p>The DMA (EU Regulation 2022/1925) frames "gatekeepers", large structuring digital platforms, to ensure contestability of digital markets.</p>
<p>Targets designated gatekeepers (Alphabet, Amazon, Apple, Meta, Microsoft, ByteDance, Booking). An SME relying on Microsoft Copilot or Google Workspace AI indirectly benefits from interoperability duties. Source: <a href="https://eur-lex.europa.eu/eli/reg/2022/1925/oj" rel="noopener">EU Regulation 2022/1925</a>.</p>JAVASCRIPT
<h3>What is the Schrems II ruling?</h3>
<p>The Schrems II ruling (CJEU, C-311/18, 16 July 2020) invalidated the Privacy Shield on the grounds that US surveillance laws do not guarantee a level of protection equivalent to the GDPR.</p>
<p>This is why any transfer of personal data to the United States requires a valid DPF or reinforced standard contractual clauses. Starting point of any sovereignty analysis. See our use case <a href="https://letzagents.lu/en/use-case/protect-ai-data-privacy">protect your data with a private AI</a>. Source: <a href="https://curia.europa.eu/juris/liste.jsf?num=C-311/18" rel="noopener">ruling C-311/18</a>.</p>
<h3>What is the Cloud Act?</h3>
<p>The Cloud Act (H.R.4943, 23 March 2018) is the US law that allows US authorities to compel a US-nationality provider to disclose data it hosts, regardless of the country of physical hosting, including an EU data center.</p>
<p>A US AI provider remains within US jurisdiction with a data center in Dublin or Frankfurt. Structural argument for AI hosted by a non-US operator. See our <a href="https://letzagents.lu/en/blog/ai-act-cloud-act-gdpr-ai-business-luxembourg">GDPR, Cloud Act and AI Act comparison</a>. Source: <a href="https://www.congress.gov/bill/115th-congress/house-bill/4943" rel="noopener">H.R.4943</a>.</p>
<h3>What is the Data Privacy Framework (DPF)?</h3>
<p>The DPF (European Commission adequacy decision, 10 July 2023) authorises the transfer of EU personal data to DPF-certified US companies, under commitments to limit US authority access.</p>
<p>Checking a US provider's DPF certification is an operational prerequisite. It does not equal Cloud Act immunity. The DPF remains under judicial scrutiny, with several cases pending before the EU General Court. Source: <a href="https://cnpd.public.lu/en/dossiers-thematiques/transferts-internationaux-donnees-personnelles/transferts-usa.html" rel="noopener">CNPD US transfers file</a>.</p>JAVASCRIPT
<h3>What is NIS2?</h3>
<p>NIS2 (EU Directive 2022/2555) is the European cybersecurity directive that extends the NIS1 scope to more sectors (health, distribution, administration, digital services) and reinforces risk management and incident notification duties.</p>
<p>Luxembourg transposition is ongoing. Concerns "essential" and "important" entities, from the medium-enterprise threshold. An AI deployment inside a NIS2 entity inherits the associated cybersecurity duties. <a href="https://letzagents.lu/en/solutions/public-entities">Para-public entities and administrations</a> are particularly concerned. Source: <a href="https://eur-lex.europa.eu/eli/dir/2022/2555/oj" rel="noopener">EU Directive 2022/2555</a>.</p>
<h3>What is the Data Act?</h3>
<p>The Data Act (EU Regulation 2023/2854) covers fair access to data generated by connected devices and digital services, requiring sharing with users and framing B2B contracts.</p>
<p>Applicable since 12 September 2025. Concerns SMEs manufacturing or deploying connected devices (industry, connected health, insurance telematics). Source: <a href="https://eur-lex.europa.eu/eli/reg/2023/2854/oj" rel="noopener">EU Regulation 2023/2854</a>.</p>
<h3>What is the Data Governance Act (DGA)?</h3>
<p>The DGA (EU Regulation 2022/868) creates a framework for the reuse of protected public-sector data and for data intermediation services (European data spaces).</p>
<p>Applicable since 24 September 2023. Useful for an SME that wants to access sector data (health, mobility, finance) through European data spaces. Source: <a href="https://eur-lex.europa.eu/eli/reg/2022/868/oj" rel="noopener">EU Regulation 2022/868</a>.</p>JAVASCRIPT
<div class="article-table">
<table>
<caption>Luxembourg competent authorities by text</caption>
<thead>
<tr>
<th scope="col">Text</th>
<th scope="col">Main authority</th>
<th scope="col">Scope</th>
</tr>
</thead>
<tbody>
<tr>
<td>AI Act</td>
<td>CNPD (draft law n° 8476)</td>
<td>AI systems, regulatory sandbox</td>
</tr>
<tr>
<td>GDPR, DPF, Schrems II</td>
<td>CNPD</td>
<td>Personal data, international transfers</td>
</tr>
<tr>
<td>DORA</td>
<td>CSSF</td>
<td>Financial actors, PSF, asset managers</td>
</tr>
<tr>
<td>NIS2</td>
<td>HCPN and sectoral authorities</td>
<td>Essential and important entities</td>
</tr>
<tr>
<td>DSA, DMA, Data Act, DGA</td>
<td>Ministry of Digitalisation and ILR</td>
<td>Platforms, gatekeepers, data sharing</td>
</tr>
</tbody>
</table>
</div>JAVASCRIPT
<details>
<summary>1. What is the key date to remember for the AI Act in Luxembourg?</summary>
<p>2 August 2026 marks the full applicability of the high-risk regime of the AI Act (EU Regulation 2024/1689). Sanctions become applicable, including on AI literacy enforceable since 2 February 2025. The CNPD is the reference authority. Preparing for compliance is not an option, it is a calendar obligation.</p>
</details>
<details>
<summary>2. What is the difference between the GDPR and the AI Act?</summary>
<p>The GDPR (EU Regulation 2016/679) has framed personal data processing since 2018. The AI Act (EU Regulation 2024/1689) frames AI systems across 4 risk categories. The two stack up: an AI that processes personal data falls under both regimes. The CNPD is the national authority for both.</p>
</details>
<details>
<summary>3. What is the Cloud Act for a European company?</summary>
<p>The Cloud Act (H.R.4943, 23 March 2018) allows US authorities to compel a US-nationality provider to disclose data it hosts, even in an EU data center. A US AI provider remains within US jurisdiction with a data center in Dublin or Frankfurt. This is the structural argument for AI hosted by a non-US operator for sensitive workloads.</p>
</details>
<details>
<summary>4. Is Data Privacy Framework certification enough to use a US AI?</summary>
<p>DPF certification authorises EU transfers to a certified US provider since 10 July 2023. It does not neutralise the Cloud Act: a US authority can still compel the provider to disclose data. The DPF remains under judicial scrutiny. Checking certification is a prerequisite, it does not replace a sovereignty analysis.</p>
</details>
<details>
<summary>5. What is the NIS2 directive for a Luxembourg SME?</summary>
<p>NIS2 (EU Directive 2022/2555) is the European cybersecurity directive currently being transposed in Luxembourg. It concerns "essential" and "important" entities (health, distribution, administration, digital services), from the medium-enterprise threshold. An AI deployment inside a NIS2 entity inherits cybersecurity and incident notification duties. Checking your scope is a prerequisite for any sensitive AI project.</p>
</details>
