Statement on the critical insecurity of the LuxTrust certificate

The total failure of the LuxTrust service for more than 24 hours from 16 to 17 December, followed by further ongoing disruptions, is an alarming warning sign. This incident is not merely a technical mishap, but reveals serious structural weaknesses in Luxembourg's basic digital infrastructure. For Volt Luxembourg, it is clear that the current situation is unacceptable and requires immediate political action.

Dec 17, 2025

LuxTrust bears enormous responsibility for key digital processes in our country – from government services to education and the financial sector. At the same time, it is a relatively small company. This discrepancy between responsibility and organisational resources is highly problematic. Critical national infrastructure must not depend on an undersized player that clearly reaches its limits in a crisis.

LuxTrust's de facto monopoly position in Luxembourg is particularly serious. There are no serious alternatives and, above all, no functioning backup or alternative systems. If LuxTrust fails, the country comes to a digital standstill. Such a ‘single point of failure’ structure contradicts all the basic principles of security, resilience and risk management, especially in a country that sees itself as digitally advanced and an international financial and administrative centre.

Dependence on a single certificate has become so widespread that a failure has immediate and massive consequences for people's daily lives. Schools are unable to function: teachers cannot enter grades, view student data or fulfil their legal obligations. Banks cannot enable logins or transfers, which causes serious difficulties for both individuals and businesses. Citizens lose access to MyGuichet, cannot submit applications, meet deadlines or even view their own data. The functioning of the state apparatus itself is also severely restricted. A single technical defect is enough to paralyse central social processes.

It is also extremely worrying that this failure occurred at the end of the year, of all times – a period when schools, banks and government institutions are under considerable time and work pressure to complete their tasks. Whether this was a targeted cyberattack or simply an overload of the system is secondary. In both cases, such a scenario should not be possible in a modern constitutional state. The lack of resilience is a systemic failure.

In the worst case, such failures could even endanger human lives, for example if critical administrative or financial processes in the health or social sector were blocked. Against this backdrop, any discussion of digital elections based on the LuxTrust certificate seems downright negligent. A failure during an election process would be a digital worst-case scenario and would inevitably lead to a massive and lasting loss of trust in democratic institutions and processes.

The recent incident proves we need European interoperability, not Luxembourg-specific patches.

At the same time, the government must be transparent about the strategic choices it is making. Luxembourg is part of the European efforts to introduce a European Digital Identity (eID) and strengthen cross-border authentication. If the government is de facto waiting for the rollout of the European alternative instead of investing in structural reforms of the current system, it must say so openly.

Citizens, schools, businesses and administrations have a right to understand the roadmap and how long Luxembourg will continue to rely on LuxTrust as a single pillar. 

We also demand that the government lays out a plan on how the transition to European solutions will be organised and what interim safeguards will protect them against further large-scale failures.

Volt Luxembourg emphasises that the core issue is architectural: a critical national infrastructure must not be designed around a single proprietary authentication provider. Luxembourg urgently needs a shift towards open, interoperable standards, so that multiple certified providers, public and private, can offer secure access to state and financial services. Allowing other secure APIs and standards-compliant identity providers would immediately reduce the systemic risk posed by a single point of failure and align Luxembourg with best practices and European developments.

Volt Luxembourg therefore calls on the government to take urgent actions:

  • the establishment of independent and regular monitoring of security, resilience and failure mechanisms for all critical digital identity and authentication services, with transparent public reporting proportionate to the importance of this infrastructure;

  • a clear, public roadmap for Luxembourg's transition to European digital identity solutions, including the European Digital Identity framework, with concrete timelines, milestones and interim safeguards, so that citizens and businesses understand how long they will remain dependent on LuxTrust and how continuity of service will be guaranteed; 

  • the immediate opening of government and public-service authentication interfaces to secure, standards-based alternatives, enabling multiple certified identity and authentication providers (using recognised open protocols and complying with European regulation) to connect alongside LuxTrust, thereby breaking the existing monopoly and ensuring that no single failure can again paralyse the entire country.

Digital services are critical infrastructure. Their stability, security and redundancy are a government responsibility. Anything else jeopardises not only people's everyday lives, but also their trust in the state and ultimately in our democracy.