A new law in Luxembourg has been proposed that would give the country’s data protection authority and a range of other sectoral regulators powers to enforce compliance with the EU AI Act.
The draft law, filed with Luxembourg’s parliament just before Christmas, would make the National Data Protection Commission (CNPD) the primary authority for EU AI Act matters in Luxembourg.
Among other things, it would take on responsibility for supervision of AI systems in cases where those systems are not subject to existing sectoral regulation in Luxembourg – in that regard, the draft law provides for the country’s banking, insurance and medicines regulators, among others, to play an important role in supervising AI use by businesses where that use falls under their existing remits. The Luxembourg Regulatory Institute (ILR) would be responsible for supervision of businesses deploying ‘high-risk’ AI systems which are also operators of essential or important services for the purposes of Luxembourg law transposing the EU’s second Network and Information Security (NIS) Directive, according to the proposals.
Aurélie Caillard, technology law expert at Pinsent Masons in Luxembourg, said discussion on the bill in Luxembourg’s parliament had clarified the motivations behind the designation of the CNPD as the default authority: that a large amount of the data processed by AI systems will be personal data, and that a majority of AI practices covered by the EU AI Act involve the use of personal data. Under that arrangement, sector regulators remain responsible for AI supervision within their own area of competence, without gaps or overlaps in responsibility.
The draft law further specifies sanctions powers that the CNPD and the other Luxembourg authorities will be able to exercise to enforce compliance with the EU AI Act.
“The draft law proposes to give the competent authorities the power to impose administrative penalties,” Caillard said. Fines of up to €35 million or 7% of the company’s total global annual turnover for the preceding financial year can be imposed for breaches of the rules on prohibited AI practices; €15 million or 3% of the company’s turnover for other violations around AI use; and €7.5 million or 1% of the company’s turnover for the supply of incorrect information to competent authorities.
Caillard said: “In addition to the penalties provided for, the competent authorities may issue a warning or reprimand. This provision enables the competent authorities to sanction an operator without having to immediately impose a financial penalty that could be disproportionate to the violations observed.”
Under the draft law, the CNPD would also be required to set up a regulatory sandbox for AI as part of its proposed new duties.
The CNPD said it “will seek to establish supervision, in coordination with other competent authorities, that promotes responsible innovation while ensuring compliance with the European General Data Protection Regulation (GDPR) and other fundamental rights”.
Most of the provisions of the EU AI Act will apply as of August 2026; however, Chapters I and II of the regulation apply from February 2025. This notably includes articles on prohibited AI practices. Some other provisions will apply from August 2025 onwards, including the notification obligations pertaining to high-risk AI as well as the classification of so-called ‘general purpose’ AI models.