27 August 2025

Cyberattacks: What Are The Employers' Responsibilities?

CMS Luxembourg

Contributor

Active in the Grand-Duchy since 2011, CMS Luxembourg combine a deep understanding of the local market with the global overview of the CMS network. Our 70+ lawyers specialise in Banking & Finance, Corporate/M&A, Investment Funds and Tax but are also able to assist our clients on Commercial, Dispute Resolution, Employment, Capital Markets, ESG as well as Insurance matters.

On 23 July 2025, Luxembourg experienced a digital blackout. A nationwide telecommunications outage disrupted internet, mobile, and landline services, leaving businesses and emergency services scrambling.

This incident was not isolated. According to Microsoft's 2024 report, an estimated 600 million-plus cyberattacks occurred every day worldwide between July 2023 and July 2024.

  • Cyberattacks and labour law: What are the employers' responsibilities?

Under Luxembourg labour law, employers are bound by a duty of care towards their employees that extends beyond physical safety.

In fact, the Labour Code specifies that employers must ensure the health and safety of their employees in all aspects of their work. This includes preventing occupational risks, providing information and training, and setting up the necessary organisation and resources.

Digital safety is, indeed, part of that obligation. Companies must ensure their systems are secure, their data protected, and their employees informed and trained.

  • Training: The first line of defence

Employers have an operational responsibility to ensure that employees are trained to recognise threats, follow internal protocols, and respond appropriately.

It is therefore essential for employers to implement clear internal policies regarding the use of digital networks, and to provide regular training to employees on data processing and internet usage. Similarly, it is essential for employers to establish an emergency response plan that defines and specifies the measures to be taken in the event of a cyberattack.

Training is also a critical factor in disciplinary matters, as it ensures that employees are aware of the correct procedures and potential risks associated with their roles. However, before holding an employee accountable for any misconduct or negligence, employers must first demonstrate that they have met their own obligations, such as providing comprehensive training, clear instructions, and access to necessary resources. Only when these prerequisites are fulfilled can disciplinary action be justified.

As a reminder, dismissals must be based on real and serious grounds. In practice, this means the employer should have provided adequate training, communicated clear internal policies, and be able to demonstrate that the negligence was serious.

  • But what happens when work itself becomes impossible?

Depending on the extent to which the breakdown is affecting operations, it is essential for employers to communicate with employees promptly to address their concerns and provide guidance on how to proceed.

However, the legal consequences of non-performance during a cyberattack or outage remain context-dependent and should be assessed on a case-by-case basis, considering factors such as the employer's preparedness, the adequacy of employee training, the timeliness of communication, and the specific contractual obligations involved.

In conclusion, the evolving landscape of cyberattacks places significant legal and managerial responsibilities on employers. Ensuring digital safety is not only a matter of operational efficiency but also a core element of the employer's duty of care. By proactively implementing robust internal policies, providing comprehensive and ongoing employee training, and establishing clear response protocols, employers demonstrate that they are complying with their legal obligations regarding health and safety.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
