Spotlight: telecoms and internet access in Luxembourg

All questions

Telecommunications and internet access

i Internet and internet protocol regulation

Internet services were regulated, prior to the New Electronic Communication Law, by the Law of 21 March 1997 relating to telecommunication services and the operation of telecommunications networks (Law of 1997) and the Repealed Electronic Communication Law.

The Law of 1997 did not provide for specific internet protocol regulations, but covered telecommunications services and networks generally. The New Electronic Communication Law regulates the electronic communication networks and services in the broadest way and has been extended to cover OTT players and services that are not based on numbering.

The New Electronic Communication Law has introduced a certain number of changes, widened the scope of existing regulation to a larger range of communication technologies and introduced definitions of electronic communication network and electronic communication service, as opposed to the previously used generic term telecommunication services. The new terminology reflects the increased scope of the regulated services and networks, making an express reference to internet services. The New Electronic Communication Law takes a more global approach with respect to networks and electronic communication services as a result of the convergence between the telecommunication, media and information technology sectors.

Neither the Law of 1997 nor the Repealed Electronic Communication Law provided for any specific rules applicable to internet services or IP-based services as opposed to traditional telephony services, except that certain additional rules apply to the provision of telecommunication services that are offered to the public because of the specific nature of the telephony services. The Repealed Electronic Communication Law provided for certain specific obligations applying to publicly available telephony services and public telephone networks. The aim of these specific regulations was to ensure a universal service to the resident population and they applied only to traditional telephony. The New Electronic Communication Law, among other things, has introduced the access to high-speed internet as a universal service at an acceptable price.⁴⁶

As previously noted, the ILR is the competent regulator in charge of the supervision of the services rendered both in relation to internet services. The operation or provision of electronic communication services or networks (other than the number-independent interpersonal communication services) is subject to notification to the ILR.⁴⁷ No distinction as regards the notification requirement is made between the variety of the electronic communication networks and services, other than details regarding the differences in the various services notified. Although no licence is required, notified entities are subject to a certain number of obligations, formalities and filings largely derived from the Directive 2018/1972 and have to pay an administrative fee calculated on the generated turnover by the relevant entity with respect to the notified service.

The New Electronic Communication Law has profoundly changed the landscape of electronic communication legal and regulatory framework focusing on interconnectivity, competition, consumer protection, security of networks and equal access to services and network.

ii Universal service

The development of communication infrastructure in Luxembourg is among the top priorities of the governmental programmes in the field of information and communication technology. The government has been developing broadband infrastructure services for approximately 10 years.

Since the end of 2011, Luxembourg has a 100 per cent standard (fixed) broadband coverage ((DSL) up to 25Mbps) available to all Luxembourg households.⁴⁸ By 2024, the main operator, Post Luxembourg aims to have the standard fixed lines totally replaced by fixed lines provided via IP. According to the DESI, next generation access (NGA) coverage⁴⁹ reached 99 per cent (compared to a European Union average of only 90 per cent of the households).⁵⁰ 4G broadband availability in Luxembourg reached around 99.8 per cent in urban and rural areas.⁵¹ Luxembourg residents are very connected: 93 per cent are internet users compared to 85 per cent in the EU.⁵²

The installation of the optical fibre has been in constant progress since 1997 and LuxConnect,⁵³ the city of Luxembourg and POST are joining forces to cover the whole territory with optical fibre under the 'national ultra-high speed network strategy – ultra-high speed network for everyone'. Fibre to the home (FTTH), using fibre optic cable, is further progressing, and 85 per cent⁵⁴ of all Luxembourg households are connected to FTTH according to the latest activity report of the Ministry of State. In 2021, this percentage increased to reach 75.2 per cent⁵⁵ and 90.2 of DOCSIS 3.1.⁵⁶ Since the end of 2020, optical fibre became the most used technology for fixed internet access in Luxembourg and represents 55.3 per cent of all access.⁵⁷

In addition to work being carried out on the deployment of optical fibre throughout the country, efforts are also being made on the existing networks to increase the broadband speed. The Grand Duchy is connected through 28 different fibre routes to the main internet exchange hubs in Europe – Frankfurt, London, Paris, Brussels, Amsterdam and Strasbourg – with particularly low-latency rates of around five milliseconds.⁵⁸

The most recent ILR statistical report (ILR report) confirms that more than half of all internet connection subscriptions (72.3 per cent) are those with a speed equal or superior to 100Mbps.⁵⁹ The uptake of 1 Gbps is low and below average as offers introduced only in 2019.⁶⁰ Luxembourg ranks third in the European Union in terms of internet access (a bit less than 90 per cent of households).⁶¹

In Luxembourg, a notable market trend towards bundled offers (broadband mobile or fixed telephony and TV) continues. By the end of 2016, 84 per cent of all internet access was commercialised with at least one other service.⁶² The ILR report for 2020 confirms this trend, as 85.8 per cent of internet subscriptions are coupled with at least one other service.⁶³ The most subscribed offer is that of fixed internet and fixed telephone services.⁶⁴ Luxembourg benefits from an extremely well-developed FTTH architecture.

Since the end of 2021, Luxembourg has provided a very high capacity network (VHCN) with downstream speeds ranging up to 1GB/s to almost 96 per cent of all households and businesses.⁶⁵ POST and other alternative operators offer ultra-high speed internet access. Luxembourg is ranked within the three leaders on VHCN with 96 per cent coverage.⁶⁶

iii Restrictions on the provision of service

Pursuant to the Electronic Data Protection Law and the GDPR, internet service providers (ISPs) and operators of electronic communication services and networks are compelled to ensure the confidentiality of communications exchanged by way of electronic communication means. The general rule is that no person other than the user is allowed to listen to, intercept or store communications and data relating to traffic and location without the agreement of the user.

This prohibition does not apply to:

1. communications relating to emergency calls;
2. commercial transactions to the extent that they constitute proof of transactions; and
3. authorities investigating and acting in relation to a flagrante delicto act or within the scope of criminal offences to ensure national and public security.

An ILR regulation, adopted on 14 December 2017, provides for the conditions and limitations of any permitted interceptions.⁶⁷

In relation to data resulting from commercial transactions and cookies, the user or parties to the transaction must be informed that their data may be processed and of the conditions (in particular the duration) and aim of the storage, as well as of the possibility to oppose such data processing. Cookies may only be used with the express consent of the user. The user must have a real choice and there cannot be any risk of deception or negative consequences if the user chooses not to give his or her consent. For the purpose of criminal law enforcement, specific conditions must be met to have recourse to intercepted communications data. In addition, for the purpose of research, monitoring and pursuit of criminal offences, and with the sole aim of providing relevant information to the judicial authorities, each ISP or operator must store traffic information and locational data for a period of six months. The Law of 24 July 2010 has amended the scope of criminal offences by limiting the possibility of only consulting the data that relates to criminal offences resulting in penal sanctions of more than one year's imprisonment. The Grand-Ducal Regulation of 24 July 2010 relating to traffic data and localisation data determines the category of traffic data that may be useful for the research, observation and prosecution of criminal offences, as well as the manner pursuant to which such information is made available to the authorities. The Law of 28 May 2019 implementing the NIS Directive provides legal measures to further enhance and strengthen the level of cybersecurity.

Intellectual property theft and piracy are regulated by:

1. the Copyright Law;
2. the LCC;⁶⁸
3. the Privacy Law;
4. the Electronic Data Protection Law; and
5. the GDPR.

There is currently no public authority in Luxembourg that exercises global supervisory or monitoring power over the content and traffic data of network operators, ISPs and users, as this would violate the essential privacy principles.

Similarly, and for the same reasons, network operators may not control the content, application and services accessed by their network users.

The practice of deep packet inspection is prohibited in Luxembourg, as it infringes confidentiality rules and constitutes an invasion of privacy in complete violation of the above-mentioned legislation. The same analysis would apply to the filtering of data processed by means of electronic communication.

However, to comply with the secrecy or confidentiality requirements and to avoid invasion of privacy, piracy or intellectual property theft, network operators, data centre operators and PSF are obliged to take appropriate technical and organisation measures, and to have systems and procedures (firewalls, encryption, secured and restricted access, etc.) in place that render the network and the data processing via their network secure.

iv Privacy and data security National security

The New Electronic Communication Law, the Electronic Communication Data Protection Law and the Data Protection Law provide for specific applicable measures to ensure national interests.

In certain circumstances, where national security (including public health and public order) is endangered, the government may requisition the entire electronic communication network established in Luxembourg, as well as the connected equipment, or prohibit the provision of some or all electronic communication services.

To maintain access to the emergency services, the government may also dictate special conditions for the use of electronic communication services and networks. Although storage of personal data is generally prohibited, the New Electronic Communication Law provides for an exception in relation to the storage of traffic data relating to emergency calls or inspection of false alerts, attacks or abusive calls.⁶⁹

The Law of 23 July 2016, as amended by the Law of 28 May 2019, created a High Commission for national protection with special powers, allowing it to prevent, anticipate and manage a crisis and its effects in order to return to a normal state. For example, according to Article 4 of the Law of 23 July 2016, '[t]he protection of critical infrastructure includes all activities aiming to prevent, attenuate or neutralise the risk of a reduction or discontinuity . . . of services essential to the protection of vital interests or essential needs for all or part of the country or its population'.

Furthermore, following terrorist attacks, a law on the exchange of personal data and information in police matters was adopted on 1 August 2018.

Finally, the Law of 7 June 2017 abolished anonymous prepaid SIM cards for mobile phones. Mobile operators have to deactivate prepaid SIM cards with a Luxembourg number whose holders have not yet been identified. In return, they have to collect certain data in relation to the identification of their clients before activating the purchased prepaid cards.

The Law of 28 May 2019 relating to the implementation of the Directive on security of network and information systems (NIS Directive) creates a computer security incident response team network to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation.

Consumer protection

Consumer protection in the electronic communication domain is guaranteed by both the Consumer Code and the Media Law, as well as other general applicable laws in Luxembourg. They set guidelines and restrictions in relation to commercial advertisements and specific provisions for the protection of children.

Information about consumers must be treated confidentially and may not be made accessible to third parties, and the processing of consumer data is allowed only if it falls within the criteria defined by the relevant laws. Processing of data is subject to the principle of legitimacy of processing.

Luxembourg law prohibits in principle the addressing of advertisements or other unrequested communications to persons by electronic means without their consent. In any event, the consumer shall be able to object. If the supplier of a product received the email addresses during a previous sale, he or she can use those email addresses to promote analogous products and services unless the concerned person requests that such actions be stopped.⁷⁰

Specific Luxembourg provisions related to specific sectors (e-payment, financial services concluded or offered via electronic means) apply when the contractor or prospective client agrees to enter into contracts or receives services over the internet or other mobile means that do not necessitate direct human contact.

The New Electronic Communication Law has introduced an additional level of consumer protection and the proposal for an e-Privacy regulation that is currently being negotiated at EU level will further enhance consumer protection.

Protection of children

In Luxembourg, no specific legislation or regulations that ensure the online protection of children exist.

In 2011, Luxembourg ratified the United Nations Convention on the Rights of the Child and the Council of Europe Convention on Protection of Children against Sexual Exploitation and Sexual Abuse. It is also involved in the implementation of their provisions.

Moreover, the government is issuing a number of recommendations and is supporting various projects to make children and their parents aware of the risks related to use of the internet. The BEE Secure project was drawn up in the context of the EU Safer Internet Programme, which gives directions for the use of the internet to children, parents and educational staff. In this context, it provides 'trainings, which are mandatory for all 7th-grade classes in Luxembourg's secondary schools'.⁷¹ Plus, 'Luxembourg is the only country in Europe that has introduced mandatory trainings for safe internet use within the education system'.⁷² Furthermore, at the start of the 2021–2022 school year, a new subject called Digital Sciences was introduced in a pilot project with 18 secondary schools as part of the 'Easy Digital' initiative of the Ministry of Education, Children and Youth. This new course takes place in the first-year secondary school curriculum.⁷³

Generally, the policy aims to familiarise children with new technology rather than filtering or blocking access to various types of information (these two techniques might, however, be alternatives); the intention is to teach children how to use the internet safely and to always be aware of the risks related to such use.

Children's rights are protected by provisions of the LCC. After the adoption of the Law of 21 February 2013 amending Articles 372 and 377 of the LLC, the LLC provides for enhanced sanctions in relation to sexual child abuse matters. The BEE Secure Stopline is a project operated by a national consortium that provides a structure to report illegal information transmitted over the internet anonymously. The E-commerce Law requires information service providers to withdraw or render inaccessible any illegal content that they become aware of. The Media Law includes specific child protection provisions.

The University of Luxembourg is an active member of the EU Kids Online project, which is a multinational research network seeking to enhance European children's opportunities and safety and reduce risks.⁷⁴ A Safer Internet Day is organised every year.

In relation to the adoption of the 2014 Law, the CNP has lobbied to introduce an appropriate visual warning obligation. A Grand-Ducal Regulation was adopted on 8 January 2015 (as amended by Grand-Ducal Regulation of 31 May 2017) for the protection of minors regarding audiovisual media services.

The GDPR establishes enhanced protection for children when it comes to the processing of their data and to their consent in relation to information society services. The processing of the personal data of a child shall be lawful where the child is at least 16 years old. If the child is younger, 'such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child'.⁷⁵

Cybersecurity

Cybersecurity is a government priority.

Individuals and companies are encouraged to take appropriate technical measures to defend themselves against cyberattacks.

Similar to the internet project for children, the government created CASES Luxembourg, a project that is accessible by all internet users and the purpose of which is to make the public aware of potential cyberattacks that are inherent in internet use, and to advise on how to identify them. In this context, it is worth mentioning the certification authority, Luxtrust, which manages electronic certificates with the highest level of security.

Network operators and ISPs are required by applicable law to comply with stringent security measures.

As a response to the increasing number of cyberattacks, the LCC has been amended to include offences in the electronic communication sector.

The government pursues efforts to prevent and fight cybercrime and, in 2011, created two dedicated structures:

1. the Luxembourgish Cybersecurity Board (CSB), whose mission is to work on a strategic plan against attacks via the internet; and
2. GOVCERT, the governmental computer emergency response team, which is linked to the national agency for the security of information systems.

The ANSSI is the body authorised to deal with incidents of cybercrime in the information systems of the public sector and of operators of critical infrastructure. In addition, the Interministerial Coordination Committee for Cyber Prevention and Security, established in 2017, supports the CSB in its initiatives.

In continuation of existing cybersecurity strategies and plans adopted and followed over the past 10 years, Luxembourg, through a multidisciplinary working group, has drawn up the new national cybersecurity strategy⁷⁶ for 2021–2024, whose main objectives are to build trust in the digital world and protect human rights, strengthen the security and resilience of digital infrastructures in Luxembourg, and develop a reliable, sustainable and secure digital economy. LU-CIX's⁷⁷ infrastructure has been strengthened to create a national centre for filtering distributed denial of services (DDoS). Since its implementation, some entities have already been included and are protected, and further entities shall be included in 2021.⁷⁸ POST published with full transparency its figures starting from January 2019 concerning DDoS volumetric attacks recorded on its Backbone in Luxembourg. In 2021 they ranged between 95 and 155 attacks per month with alerts ranging between 170 and 330 per month.⁷⁹

The CSB acts as a central point of information and contact for users to report cybersecurity incidents, which should allow the CSB to supply businesses with this information and put them in a position to take appropriate action to fight risks against security.

The Computer Incident Response Centre Luxembourg (CIRCL), the official computer emergency response team (CERT) for 'Security made in Lëtzebuerg' (SMILE), is competent for the private sector, municipalities and non-governmental entities in Luxembourg. SMILE is an initiative that has the objectives of coordinating governmental initiatives, as well as supporting and making the public more aware of cybersecurity issues. In addition, SECURITYMADEIN.LU aims to develop an ecosystem for cybersecurity.

After the delay in the implementation of the European Council Convention on Cybersecurity (CCC)⁸⁰ and Directive 2013/40/EU relating to attacks against information systems, a law relating to cybercrime was adopted on 18 July 2014. This law adapted the national substantive and procedural criminal law to the specific needs of fighting cybercrime. The law introduced new criminal offences into the LCC, in particular the misuse of identity, phishing and illegal interception of computer data supplementing the legal instrument of computer-related crimes, which includes the illegal access, hacking and deletion of computer data. The law also amends the Criminal Procedure Code to achieve the requirements of the CCC regarding the prompt preservation of stored computer data and traffic data.

In May 2016, the government announced a collaboration between the ANSSI and SMILE through their respective CERTs⁸¹ in relation to all activities in connection with the detection, management and notification of incidents.

Given the importance of international cooperation on cybersecurity at an EU level, the NIS Directive establishes that computer security incident teams should be able to participate in international cooperation networks in conjunction with national authorities.

In October 2017, a national centre of expertise concerning cybersecurity was created in Luxembourg, which helps to strengthen the positioning and the economic attractiveness of the country for undertakings in the ICT sector.⁸²

Cybersecurity Week – Luxembourg takes place every year in October within the framework of the European Cybersecurity Month, an annual advocacy campaign organised by the European Union Agency for Network and Information Security and the European Commission.⁸³

Luxembourg is fully aware that security in the increasingly highly technological environment continues to be an important pillar and continues to be successful in a data-driven economy. It participates in initiatives and programmes that aim to share information on cybersecurity-related subjects, for instance through MONARC and MISP (malware information-sharing platform and threat sharing).

The ITU ranked Luxembourg seventh in Europe and 13th in the world in its latest edition of the global cybersecurity index 2020 (GCI). These rankings highlight the commitment of Luxembourg to cybersecurity and its growing position in the leader rankings.⁸⁴ Luxembourg ranks 39th out of 160 in the national cybersecurity index.⁸⁵

The launch by the ILR and the Luxembourg Institute of Science and Technology of SERIMA, a cybersecurity platform for security risk management, evidences Luxembourg players' awareness of the necessity and competence for developing new tools in the field of information security. While at first it will be used by operators of the electronic communications sector, it will soon be used in other sectors such as energy, transport, health, water distribution and IT infrastructure.⁸⁶

Emergency response networks

Traditionally, Luxembourg first responders and other emergency responders (such as the police, customs and civil protection) benefit from a dedicated network (RIFO), which was analogue in the beginning. With the adoption of the Law of 20 May 2014, as amended by the Law of 1 March 2019, for the financing of a national integrated radio communication network for Luxembourg, RIFO was replaced by RENITA. RENITA is based on the terrestrial trunked radio digital technology and, in the case of a congestion of mobile networks, the RENITA network is less exposed to inherent risks. RENITA has been operational since July 2015. A second mobile base was acquired in 2020.

On an international scale, the government has actively cooperated regarding the strengthening of emergency telecommunications and a rapid response in the event of disasters. It has developed a nomadic satellite-based telecommunication system, emergency.lu, which aims to assist 'humanitarian agencies respond to communities affected by natural disasters, conflicts or protracted crisis'.⁸⁷ As of 2012, this platform has been available as a public global service. The government decided to join the European Commission's European Response Coordination Centre, and thus Luxembourg will be the first state to bring in a common module to the voluntary pool.

At an EU level, harmonisation of the digital frequency relating to these services has been achieved, permitting interoperability.