The classic trap
Article 36 delegates the penalty regime to national law, and that is exactly where the danger crystallises: many essential and important entities still reason as under the old NIS regime, where sanctions remained theoretical. Under NIS 2, the ILR wields a graduated arsenal (formal notices, injunctions, administrative fines reaching up to EUR 10 million or 2 % of global annual turnover for essential entities) and may, as a last resort, suspend a manager's certification or impose a temporary ban from management duties. The trap is not the incident itself: it is the inability to demonstrate, during an inspection, that risk-management measures and notification obligations were genuinely in place and up to date.
What the ILR actually penalises in practice
- Absent or insufficient technical and organisational measures (Article 21): no documented risk analysis, no continuity policy, MFA not deployed.
- Breach of incident notification deadlines (Article 23): early warning within 24h, notification within 72h, final report within one month not met.
- Failure to register with the ILR despite falling under Annex I or II.
- Lack of management body involvement: directors must approve and oversee measures, on pain of personal liability.
- Inability to provide documented, timestamped evidence of measures during a control (the burden of proof shifts to the entity).
The defence standard is not technical perfection: it is opposable traceability. An entity that can produce a dated, versioned and coherent compliance file drastically reduces the penalty quantum, because the ILR assesses proportionality in light of demonstrated diligence.
How Luxgap automates this risk
Our Luxgap Penalty Shield turns your NIS 2 compliance into a permanent, ILR-opposable defence file, ready to be handed over on inspection day. The tool continuously aggregates the compliance evidence scattered across your IT estate (Microsoft Defender, Azure Sentinel, CrowdStrike, Wazuh, Active Directory, eBRC, LuxConnect) and computes your exposure to the Article 36 penalty regime in real time, without ever asking your CISO to assemble a manual binder.
- Continuously scans your technical controls (MFA, encryption, backups, segmentation) via the Defender, Sentinel and CrowdStrike APIs and detects gaps against Article 21 requirements.
- Monitors incident notification deadlines and fires a Teams alert as soon as a security event approaches the 24h or 72h threshold imposed by Article 23.
- Computes a penalty exposure score, quantified in potential quantum (up to EUR 10 million or 2 %), weighted by the level of documented diligence.
- Automatically generates a timestamped governance log proving approval and oversight by the management body, a key element to deflect personal liability of directors.
- Produces a cryptographically sealed, opposable PDF defence file gathering risk analyses, incident registers and evidence of measures, ready for an ILR inspection.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real environment, with a free blind audit within 48h to measure your penalty exposure before any commitment.