Transposition

Directive on the security of network and information systems · UE 2022/2555

Transposition

1. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.

They shall apply those measures from 18 October 2024.

2. When Member States adopt the measures referred to in paragraph 1, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

Luxembourg specificity

loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the NIS 2 directive was transposed by the law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025. The ILR (Luxembourg Regulatory Institute) is the competent authority: it designates essential and important operators, receives incident notifications, conducts inspections and imposes administrative sanctions. The Luxembourg transposition is ahead of many Member States, which means ILR inspections have already started in the country.

Luxgap practice: check your qualification without delay via the ILR form and proceed to the mandatory registration on the dedicated platform. Our teams prepare the registration dossier and the article 21 risk mapping within 4 to 6 weeks, with board approval minutes ready to sign.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Article 41 sets 17 October 2024 as the transposition deadline and 18 October 2024 as the effective application date. The trap is not legal but operational: many essential and important entities waited for the national law to be published before launching their compliance project, and now face a 12 to 18 month structural delay against an ILR that already inspects on the basis of the Luxembourg law of 28 July 2023. Authorities do not sanction the Member State's transposition delay, they sanction the entity that failed to anticipate and discovers its obligations during the first inspection.

What 18 October 2024 actually triggers

Obligation to notify significant incidents to the ILR within 24h (early warning) and 72h (notification), from day one.
Obligation for the management body to have approved the cyber risk management measures (article 20) and to evidence it through board minutes.
Registration obligation with the ILR for entities listed in annexes I and II, with continuous updates of scope, contacts, IP ranges for DNS, TLD and cloud providers.
Sanctions clock starts: up to EUR 10 M or 2% of global turnover for essential entities, EUR 7 M or 1.4% for important ones.
Immediate application of supervisory powers: on-site inspections, ad hoc security audits, information requests, with no grace period.

The strategic mistake: waiting for the first ILR inspection

NIS 2 is not a documentation project. It is a shift in directors' liability regime. Article 20(1) makes the management body personally liable for approving and monitoring the measures. An entity that wakes up six months after 18 October 2024 with no risk mapping, no tested continuity plan, no supply chain policy and no board approval minutes is in characterised breach from day one of the inspection.

How Luxgap automates this risk

Our Luxgap NIS2 Readiness Radar computes in real time your NIS 2 compliance gap against the 18 October 2024 application date, by cross-checking 47 obligations stemming from the directive and the Luxembourg law of 28 July 2023 with the actual state of your IT environment. The tool queries Microsoft Defender, Azure Sentinel, Active Directory, CrowdStrike, Wazuh, your CMDB and your supplier contracts to produce an opposable exposure score, without asking the CISO to fill a single Excel questionnaire.

Automatically determines your qualification as essential or important entity by cross-referencing NACE code, headcount and turnover via the Luxembourg trade register API.
Continuously scans the 10 measures of article 21 (risk analysis, incident handling, continuity, supply chain, cryptography, MFA, etc.) and identifies missing controls with technical evidence attached.
Generates the ILR registration dossier prefilled with IP ranges, contact points, territorial scope and critical services, ready to submit via MyGuichet.
Produces the board approval minutes with the risk mapping annexed, timestamped and cryptographically sealed, opposable during an ILR inspection.
Alerts the CISO and DPO in real time (Teams, Slack, email) whenever a significant incident under article 23 is detected, with the 24h notification draft prefilled.
Computes an ILR inspection probability score based on your sector, historical incidents and the regulator's announced priorities.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams prepare a demonstration on your actual perimeter, with a free 48h white audit to measure your exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Transposition

They trust us

Before we chat