The classic trap
Article 46 is a purely formal rule of Union law: a directive is addressed to the Member States, not directly to companies. The trap therefore lies not in this article, but in its direct consequence: NIS 2 has no effect until it is transposed into national law. Organisations waiting for some imaginary directly applicable NIS 2 regulation are fighting the wrong battle. In Luxembourg, it is the law of 28 July 2023 on cybersecurity, amended on 28 July 2025, that creates enforceable obligations, and it is the ILR that imposes sanctions. Your compliance is measured against the Luxembourg text, not the raw EU text.
Why this article changes your monitoring method
A directive with a single addressee (the Member States) demands a two-headed monitoring discipline: watch the EU text to anticipate, but steer your compliance on the national transposition, the only source of direct obligations.
- The scope of essential and important entities (Annexes I and II) may be clarified or extended by the Luxembourg legislator when the ILR designates entities.
- The applicable thresholds, incident notification deadlines and sanction caps are those of the LU law, not those cited for guidance in the directive.
- A Luxembourg subsidiary of a multinational group must comply with the LU transposition for its main establishment under NIS 2, not with that of another Member State.
- ENISA technical guides remain de facto references, but create no standalone obligation: they inform the interpretation of the national text.
How Luxgap automates this risk
Our Luxgap Transposition Radar eliminates the blind spot between the EU text and your actual obligation by continuously tracking the transposition status of NIS 2 and its related acts into Luxembourg law. A specialised AI agent reads the Memorial publications, the ILR communications and the Commission implementing acts, then maps each development onto your declared scope (Annex I/II sector, essential or important qualification, main establishment).
- Detects automatically each amendment to the law of 28 July 2023 and its grand-ducal regulations as soon as it is published in the Luxembourg official journal.
- Classifies your entity (essential or important) according to the sectoral and size criteria adopted by the ILR, and alerts on any change of qualification.
- Generates a time-stamped correspondence table between each NIS 2 article and its applicable LU transposition provision, with the thresholds and deadlines that actually apply.
- Alerts via Teams or email on any new designation, threshold update or change to the sanction cap.
- Produces a time-stamped PDF report enforceable before the ILR, demonstrating that your regulatory monitoring is active and documented.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real scope, with a free white audit within 48h to measure your exposure before any engagement.