Luxembourg’s Draft Law No. 8476: Implementing the EU AI Act

Luxembourg advances implementation of the EU AI Act

On 23 December 2024, the Luxembourg government introduced Draft Law No. 8476 as part of its national strategy to implement the EU’s landmark Artificial Intelligence Act (AI Act). The bill is currently under review by the Chambre des Députés and focuses on setting up the legal and institutional mechanisms needed to enforce the EU regulation at national level.

The AI Act imposes harmonized rules for the development, marketing, and use of AI systems in the EU, relying heavily on Member States to appoint competent authorities and structure enforcement mechanisms. Draft Law No. 8476 fills this role in Luxembourg’s legal framework.

Scope and objectives

The draft law’s core objective is to provide a procedural and organizational foundation for Luxembourg’s enforcement of the AI Act. It addresses:

• Designation of notifying authorities to accredit and monitor conformity assessment bodies (CABs);

• Identification of market surveillance authorities based on sectoral competence;

• Establishment of a cooperation framework for national and EU-level enforcement;

• Creation of AI regulatory sandboxes for supervised innovation;

• Specification of enforcement powers and sanctions.

Notifying authorities and conformity assessment

The draft law identifies the following bodies as notifying authorities:

• Office luxembourgeois d’accréditation et de surveillance (OLAS) – general oversight and accreditation;

• Agence luxembourgeoise des médicaments et produits de santé (ALMPS) – oversight in the medical and health sectors;

• Commissariat du gouvernement à la protection des données (CGPD) – competent for AI systems involving personal data processed in state procedures.

These authorities are tasked with supervising conformity assessment bodies (CABs), which certify whether high-risk AI systems meet the requirements of the AI Act based on standards, documentation, and technical testing.

For high-risk systems used by law enforcement, immigration or asylum authorities, assessments will be carried out directly by the Commission nationale pour la protection des données (CNPD), reflecting the sensitivity of such use cases.

Market surveillance authorities

The bill adopts a sector-specific approach to enforcement by assigning market surveillance functions to a range of authorities based on their existing regulatory remit:

• CNPD – Default horizontal surveillance authority and single contact point with the European Commission.

• Commission de surveillance du secteur financier (CSSF) – Financial services and markets.

• Commissariat aux assurances (CAA) – Insurance sector.

• Autorité de contrôle judiciaire – Judiciary and prosecution bodies.

• ILNAS – Products and services regulated under EU harmonisation legislation.

• ILR – Critical infrastructure and digital services.

• ALMPS – Healthcare and medical devices.

• ALIA – Compliance with content transparency obligations, including AI-generated or manipulated media.

These authorities are granted investigatory and enforcement powers, including inspections, orders to correct or remove non-compliant AI systems, and—where necessary—application of penalties.

Regulatory sandboxes

The draft law introduces a legal basis for the establishment of AI regulatory sandboxes, a feature encouraged by the AI Act. These are supervised environments where businesses can test innovative AI systems in collaboration with regulators, promoting early-stage compliance and responsible development.

Each surveillance authority will be expected to administer sandboxes within its sector, enabling tailored support for participants.

Coordination and EU cooperation

To ensure alignment with EU enforcement, the CNPD is designated as the single national contact point under Article 70(2) of the AI Act. The CNPD will coordinate Luxembourg’s cooperation with the European Commission, other Member State authorities, and relevant EU bodies such as the AI Office.

The draft law also contains provisions for structured inter-agency cooperation at national level and anticipates Union safeguard mechanisms, which may be triggered for serious cross-border compliance issues. In such cases, enforcement measures taken in Luxembourg could be escalated to EU level, potentially resulting in coordinated market restrictions.

Sanctions and enforcement powers

In line with the AI Act, the bill outlines a graduated system of sanctions:

• Up to €35 million or 7% of global turnover for prohibited AI practices (Article 5 AI Act);

• Up to €15 million or 3% for violations involving high-risk AI systems;

• Up to €7.5 million or 1% for providing false or misleading information.

Fines are subject to proportionality rules for SMEs and startups. Competent authorities may also issue warnings, orders, and public notices. Decisions may be appealed before the Administrative Court of Luxembourg.

Strategic implications for businesses

As implementation of the AI Act progresses, companies developing or deploying AI systems within Luxembourg or across borders should begin preparing for compliance. Immediate steps may include:

• Classifying systems under the AI Act’s risk tiers (e.g. high-risk under Annex III);

• Reviewing documentation and governance to ensure transparency, human oversight, and post-market monitoring;

• Assessing contractual frameworks with deployers, importers, and distributors;

• Engaging with potential CABs for early-stage guidance;

• Preparing for sandbox participation in case of novel or complex AI applications;

• Aligning GDPR compliance, particularly in cases involving personal data or AI-generated content.

Conclusion

Draft Law No. 8476 provides Luxembourg’s legal backbone for enforcing the AI Act. It takes a structured, competence-based approach, emphasizing coordination between national agencies and with the European Commission. The bill reflects Luxembourg’s dual commitment: encouraging trustworthy AI innovation while ensuring robust enforcement and protection of fundamental rights.

Businesses active in Luxembourg’s AI ecosystem should view this development as both a compliance imperative and a strategic opportunity to engage proactively with regulators. The first key provisions of the AI Act will begin to apply six months after entry into force—which may be as early as February 2025.