Luxembourg on Alert Against Cyberthreats

05 September 2025

Modern conflict is hybrid, with cyber operations now recognised as a frontline of defence alongside land, sea, and air. Yet beyond the battlefield, every company is a potential target. Survival increasingly depends on preparing staff to respond effectively when systems are threatened. In Luxembourg, public and private actors collaborate closely to secure the economic sphere, with a particular focus on the financial centre.

That work starts with awareness and hands-on training. The Luxembourg House of Cybersecurity (LHC), a state-backed institution tasked with implementing the national cybersecurity strategy, launched ROOM#42 in 2017. Hidden in the centre of the capital, this immersive simulation centre places corporate teams in crisis situations designed to test their resilience under pressure. Teams of around eight employees are confronted with high-stakes scenarios including ransomware, disinformation campaigns, or complete system shutdowns. “We drew inspiration from large-scale NATO cyber exercises (Locked Shields) to raise awareness among company staff,” explains Pascal Steichen, CEO of the LHC. “The goal is to create a real stress experience that puts teams into crisis mode in a very short time.” As in the most effective training simulations, sound and lighting effects heighten the intensity of the experience.

Beyond ROOM#42, the LHC houses 45 experts working across two operational units. The National Cybersecurity Competence Center (NC3) focuses on awareness and prevention. Among its tools is the Testing Platform, a lab enabling companies to evaluate the resilience of their security infrastructure at the outset of operations. The Computer Incident Response Center Luxembourg (CIRCL) provides hands-on support when threats materialise. It manages detection, response, and incident notification while maintaining a substantial database of compromise indicators. Built from analyses of attacks, dark web monitoring, and incident reports, this information is shared with foreign partners and Luxembourg companies that also contribute their data. “We train preventively with the NC3, and we assist actors when they are attacked through the CIRCL. So we intervene at both ends of the process. But between those two phases, we leave it to the private sector, which has developed well in recent years,” notes Steichen.

Cybersecurity has become an industry in its own right in Luxembourg. An estimated 317 private companies are active in the field, of which 86 (including 29 start-ups) have made it their core business. This ecosystem supports the financial sector with solutions ranging from advanced technology to advisory services. “Both in terms of skills and technology, the specialised companies active in Luxembourg cover all the needs that financial players might have,” says Antoine Meyers, CISO at BGL BNP Paribas and vice-chair of the Luxembourg Bankers’ Association (ABBL) committee ‘Trust and Cybersecurity’. “The ABBL takes the cybersecurity issue very seriously and has made it one of its strategic priorities,” stresses Ananda Kautz, member of the management board in charge of Innovation, Payments and Sustainability. “This choice is justified in light of statistics from the European Union Agency for Cybersecurity (ENISA): between January and June 2024, 46% of cyberattacks targeted banking institutions.” For the ABBL, collaboration is essential. “The risk is very real and constantly evolving,” explains Ilker Tutu, Information Security Director at PayPal Europe and chair of the ABBL committee. “We must both raise awareness of risks and inform about best practices. At the same time, we collaborate with national actors such as the LHC to determine the best ways to protect financial sector participants and customers.”

“According to ENISA, between January and June 2024, 46% of cyberattacks targeted banking institutions.”

Ananda Kautz, ABBL

“The specialised companies active in Luxembourg cover all the needs that financial players might have.”

Antoine Meyers, BGL BNP Paribas, and Ilker Tutu, PayPal Europe

The Commission de Surveillance du Secteur Financier (CSSF) plays a central role in safeguarding the financial sector. Its mandate is to maintain a regulatory framework adapted to evolving threats and ensure compliance across institutions. “To meet these objectives, the CSSF has put in place numerous tools and practices. The most important concern incident management and the organisation of large-scale tests for actors—this latter measure being one of the most effective for improving protection against cyberthreats,” explain Cristina Spinelli, Head of Division, Supervision of Information Systems, and Jean de Chillou, TIBER/TLPT Test Manager at the CSSF.

“The CSSF has put in place numerous tools and practices. The most important concern incident management and the organisation of large-scale tests.”

Cristina Spinelli and Jean de Chillou, CSSF

The regulatory environment has been further strengthened with the entry into force of the Digital Operational Resilience Act (DORA) in early 2025, which introduced new obligations for financial entities. The CSSF has already prepared by issuing circulars requiring the reporting of all major ICT-related incidents via its e-desk platform. A dedicated team ensures consistent follow-up.

In addition, since 2021 the CSSF, together with the Central Bank of Luxembourg, has run the TIBER-LU programme – based on the European Central Bank’s TIBER-EU framework (TIBER for Threat Intelligence-Based Ethical Red Teaming). These exercises involve simulated surprise attacks using hacker techniques to test entities’ defences and resilience. Each cycle lasts over a year, with the attack phase itself stretching across several weeks. “Initially, TIBER exercises were organised on a voluntary basis,” explain Spinelli and de Chillou. “DORA has changed that by requiring TLPT (Threat-Led Penetration Test) for a selection of entities under its supervision. At the CSSF, we have integrated this new programme while retaining the TIBER framework.” Entities are now selected based on size and systemic importance, with evaluations generally taking place every three years. Others may also volunteer for testing.

A shortage of qualified professionals remains a global challenge. “The shortage of experts is a global problem, with the latest figures indicating a need for four million additional specialists globally. There are not enough people being trained at universities or through continuous education bodies,” says Pascal Steichen. Luxembourg has invested in education and training: the University of Luxembourg has offered a Master’s in Information and Computer Sciences for over 15 years. In 2023, it launched an Erasmus Mundus programme in cybersecurity with the University of Southern Brittany and the Université Libre de Bruxelles, focusing on systems and application security. In September 2024, a new Master’s in cybersecurity and cyberdefence was introduced, supported by the SnT/Cyber Research Hub and the Ministry of Defence.

Continuous professional training has also expanded. The Luxembourg Institute of Governance provides courses for board members to help them evaluate cyber risks and prepare companies for crises. The ABBL and the House of Training developed a five-day certification programme for cybersecurity professionals. “The training offer is indeed growing significantly in Luxembourg,” confirms Pascal Steichen. “But what companies must understand is that they should not look for one expert to cover the entire field of cybersecurity – it has become far too vast for one person to master everything.”

“Companies must understand that they should not look for one expert to cover the entire field of cybersecurity. It has become far too vast for one person to master everything.”

Pascal Steichen, CEO of the Luxembourg Cybersecurity House

The Luxembourg Armed Forces also play a strategic role. The LHC, under the Ministry of the Economy, recently appointed two new board members, including one from the Directorate of Defence. The armed forces’ Communication and Information Systems Department safeguards military systems and contributes to national resilience. “Let’s be clear, we do not act directly to protect the financial centre, but we offer our support and expertise to national critical infrastructures such as the financial sector,” explain Lieutenant-Colonel Patrick Antony, head of department, and Dr Jan Beutler, Chief Cyber Defence. Financial actors regularly participate in NATO’s Locked Shields, the alliance’s largest annual cyber exercise. In 2021, the scenario explicitly required participants to handle major financial system disruptions. The army also collaborates with civilian cybersecurity bodies. “We have been funding the LHC for several years to ensure the development and maintenance of MISP (Malware Information Sharing Platform), a software tool that enables companies to share indicators of compromise they detect in their systems automatically and anonymously. We hold regular meetings with the LHC and occasionally use Room 42,” note Antony and Beutler.

“We do not act directly to protect the financial centre, but we offer our support and expertise to national critical infrastructures such as the financial sector.”

Lieutenant-Colonel Patrick Antony and Dr Jan Beutler, Luxembourg Armed Forces

No government or board of directors can claim to be 100% protected against cyberattacks. But Luxembourg’s model, built on tight cooperation between public authorities, private actors, the regulator, and the military, strengthens the resilience of its financial centre and the wider economy. Vigilance remains essential in a threat landscape that continues to evolve.