AI legal glossary for Luxembourg companies: 12 terms to know before 2 August 2026

In Brief

  • 12 EU and US texts frame AI use in business in Luxembourg: AI laws, personal data, cybersecurity and data governance.
  • Deadline: 2 August 2026, full applicability of the AI Act for high-risk systems (EU Regulation 2024/1689).
  • AI literacy enforceable since 2 February 2025: every AI deployer must ensure sufficient AI understanding for its staff (Article 4 AI Act).
  • CNPD: national authority designated for the AI Act (draft law n° 8476), in addition to its GDPR role.

You run a Luxembourg SME, you keep hearing about the AI Act, GDPR, Cloud Act, DORA, NIS2, and you want one place that puts these texts side by side. This AI legal glossary for Luxembourg companies gathers the 12 terms of the AI regulatory framework in Europe and Luxembourg, each defined in one sentence with its SME relevance and official source.

The pivotal deadline: 2 August 2026, full applicability of the AI Act for high-risk systems. Around it, about a dozen texts stack up for any company deploying AI (chatbot, voice agent, internal copilot, analytics tool).

1. The 4 texts that frame AI itself

What is the AI Act?

The AI Act (EU Regulation 2024/1689) is the European regulation that frames AI systems across 4 risk categories (unacceptable, high, limited, minimal), with documentation, transparency and human oversight duties proportionate to the risk.

Key date: 2 August 2026, full applicability of the high-risk regime. The CNPD is designated reference authority (draft law n° 8476). See our AI Act 100-day guide. Source: EU Regulation 2024/1689.

What is AI literacy?

AI literacy (Article 4 AI Act) is the obligation for every AI provider or deployer to ensure its staff has a sufficient level of AI understanding, proportionate to the context of use.

Enforceable since 2 February 2025, sanctions applicable from 2 August 2026, with no size threshold. For law firms and notaries, documenting AI training is a priority. Source: Article 4 AI Act.

What is the Digital Services Act (DSA)?

The DSA (EU Regulation 2022/2065) frames intermediary digital services (platforms, marketplaces, search engines) with moderation duties, recommendation transparency and a reinforced regime for very large platforms.

For an SME, the DSA rarely applies directly but affects any actor publishing a front-facing AI chatbot or AI content on a covered platform. Source: EU Regulation 2022/2065.

What is the Digital Markets Act (DMA)?

The DMA (EU Regulation 2022/1925) frames "gatekeepers", large structuring digital platforms, to ensure contestability of digital markets.

Targets designated gatekeepers (Alphabet, Amazon, Apple, Meta, Microsoft, ByteDance, Booking). An SME relying on Microsoft Copilot or Google Workspace AI indirectly benefits from interoperability duties. Source: EU Regulation 2022/1925.

2. The 4 texts that frame personal data

What is the GDPR?

The GDPR (EU Regulation 2016/679) frames the processing of EU residents' personal data since 25 May 2018, with a sanctions regime reaching 4% of annual worldwide turnover.

Structural baseline of any AI compliance effort. The CNPD is the national authority. Any AI block processing personal data falls under GDPR in addition to the AI Act. Source: EU Regulation 2016/679.

What is the Schrems II ruling?

The Schrems II ruling (CJEU, C-311/18, 16 July 2020) invalidated the Privacy Shield on the grounds that US surveillance laws do not guarantee a level of protection equivalent to the GDPR.

This is why any transfer of personal data to the United States requires a valid DPF or reinforced standard contractual clauses. Starting point of any sovereignty analysis. See our use case protect your data with a private AI. Source: ruling C-311/18.

What is the Cloud Act?

The Cloud Act (H.R.4943, 23 March 2018) is the US law that allows US authorities to compel a US-nationality provider to disclose data it hosts, regardless of the country of physical hosting, including an EU data center.

A US AI provider remains within US jurisdiction even with a data center in Dublin or Frankfurt. Structural argument for AI hosted by a non-US operator. See our GDPR, Cloud Act and AI Act comparison. Source: H.R.4943.

What is the Data Privacy Framework (DPF)?

The DPF (European Commission adequacy decision, 10 July 2023) authorises the transfer of EU personal data to DPF-certified US companies, under commitments to limit US authority access.

Checking a US provider's DPF certification is an operational prerequisite. It does not equal Cloud Act immunity. The DPF remains under judicial scrutiny, with several cases pending before the EU General Court. Source: CNPD US transfers file.

Figure: EU to US personal data transfers, three cumulative frameworks: Schrems II (2020, transfer invalidated), DPF (2023, adequacy framework), Cloud Act (2018, US request).

💡 Worth knowing: Schrems II, Cloud Act and DPF stack up. A DPF-certified US AI remains subject to the Cloud Act: the DPF authorises the transfer, it does not protect against a US authority request addressed to the provider.

3. The 4 texts that frame infrastructure and data governance

What is DORA?

DORA (EU Regulation 2022/2554) is the European regulation on digital operational resilience that imposes on financial actors an ICT risk governance framework, resilience testing and oversight of critical providers.

Applicable since 17 January 2025. Concerns PSF fiduciaries, asset managers and regulated family offices, as well as their critical AI providers through the essential third-parties regime. Source: EU Regulation 2022/2554.

What is NIS2?

NIS2 (EU Directive 2022/2555) is the European cybersecurity directive that extends the NIS1 scope to more sectors (health, distribution, administration, digital services) and reinforces risk management and incident notification duties.

Luxembourg transposition is ongoing. Concerns "essential" and "important" entities, from the medium-enterprise threshold. An AI deployment inside a NIS2 entity inherits the associated cybersecurity duties. Para-public entities and administrations are particularly concerned. Source: EU Directive 2022/2555.

What is the Data Act?

The Data Act (EU Regulation 2023/2854) covers fair access to data generated by connected devices and digital services, requiring sharing with users and framing B2B contracts.

Applicable since 12 September 2025. Concerns SMEs manufacturing or deploying connected devices (industry, connected health, insurance telematics). Source: EU Regulation 2023/2854.

What is the Data Governance Act (DGA)?

The DGA (EU Regulation 2022/868) creates a framework for the reuse of protected public-sector data and for data intermediation services (European data spaces).

Applicable since 24 September 2023. Useful for an SME that wants to access sector data (health, mobility, finance) through European data spaces. Source: EU Regulation 2022/868.

4. Who enforces what in Luxembourg

| Text | Main authority | Scope |
|---|---|---|
| AI Act | CNPD (draft law n° 8476) | AI systems, regulatory sandbox |
| GDPR, DPF, Schrems II | CNPD | Personal data, international transfers |
| DORA | CSSF | Financial actors, PSF, asset managers |
| NIS2 | HCPN and sectoral authorities | Essential and important entities |
| DSA, DMA, Data Act, DGA | Ministry of Digitalisation and ILR | Platforms, gatekeepers, data sharing |

5. Funding compliance: SME Packages Digital and AI

Luxembourg offers two support schemes accessible via guichet.public.lu. The SME Package Digital targets digital transformation investments (storage, security, management tools). The SME Package AI targets AI projects: AI Act compliance documentation, AI literacy training, advisory support.

Figure: SME Package Digital and SME Package AI in Luxembourg: two cumulative aid schemes via guichet.public.lu to co-fund AI Act compliance for SMEs.

Combining these two aids with a sovereign AI project is a coherent trajectory to prepare for 2 August 2026. Medical practices, subject to strict GDPR and to the AI Act depending on their use, find a real lever here.

6. Where to start

Facing this stack, the first step breaks into 3 actions: map your existing AI uses (tools, data, providers), identify the texts that bind you (not all apply to you), and plan a compliance path ahead of 2 August 2026.

To go further, our GDPR, Cloud Act and AI Act comparison applies these three laws to a concrete business AI case, and our AI Act 100-day guide details operational preparation. See also why a sovereign AI in Luxembourg.

An AI project to scope? A free AI audit identifies in one session the texts that apply to you.

1. What is the key date to remember for the AI Act in Luxembourg?

2 August 2026 marks the full applicability of the high-risk regime of the AI Act (EU Regulation 2024/1689). Sanctions become applicable, including on AI literacy enforceable since 2 February 2025. The CNPD is the reference authority. Preparing for compliance is not an option; it is a calendar obligation.

2. What is the difference between the GDPR and the AI Act?

The GDPR (EU Regulation 2016/679) has framed personal data processing since 2018. The AI Act (EU Regulation 2024/1689) frames AI systems across 4 risk categories. The two stack up: an AI that processes personal data falls under both regimes. The CNPD is the national authority for both.

3. What is the Cloud Act for a European company?

The Cloud Act (H.R.4943, 23 March 2018) allows US authorities to compel a US-nationality provider to disclose data it hosts, even in an EU data center. A US AI provider remains within US jurisdiction even with a data center in Dublin or Frankfurt. This is the structural argument for AI hosted by a non-US operator for sensitive workloads.

4. Is Data Privacy Framework certification enough to use a US AI?

DPF certification authorises EU transfers to a certified US provider since 10 July 2023. It does not neutralise the Cloud Act: a US authority can still compel the provider to disclose data. The DPF remains under judicial scrutiny. Checking certification is a prerequisite; it does not replace a sovereignty analysis.

5. What is the NIS2 directive for a Luxembourg SME?

NIS2 (EU Directive 2022/2555) is the European cybersecurity directive currently being transposed in Luxembourg. It concerns "essential" and "important" entities (health, distribution, administration, digital services), from the medium-enterprise threshold. An AI deployment inside a NIS2 entity inherits cybersecurity and incident notification duties. Checking your scope is a prerequisite for any sensitive AI project.

About this article

LetzAgents, a Luxembourg team specialised in sovereign AI for SMEs and mid-caps, supports mapping of AI uses, AI Act compliance, AI literacy and the choice of infrastructure hosted in Europe.

This article relies on the official texts cited (EUR-Lex, Congress.gov, Curia CJEU), CNPD thematic dossiers and the official AI Act calendar. References up to date as of 5 May 2026.
