Minimum harmonisation

Directive on the security of network and information systems · UE 2022/2555

This Directive shall not preclude Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with Member States’ obligations laid down in Union law.

Luxembourg specificity

loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the law of 28 July 2023 on cybersecurity (amended by the law of 28 July 2025) fully exercises the Article 5 option by going beyond the EU baseline on several points: the ILR can designate as essential entity organisations below the directive thresholds when deemed critical for the Grand Duchy (financial centre operators, sovereign communication infrastructure such as LuxConnect, eBRC). Administrative sanctions can reach EUR 10M or 2% of global turnover for essential entities, with immediate injunction power for the ILR.

Luxgap practice: verify without delay your designation status with the ILR, even if you believe you do not meet the European thresholds. Discretionary designation is possible and radically changes your obligations.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Article 5 of NIS 2 is deceptively short: it allows each Member State to tighten the European baseline. As a result, a Luxembourg company active in France, Belgium and Germany faces 27 potentially divergent frameworks (notification deadlines, sectoral scope, encryption requirements, reporting duties). The ILR sanctions groups that align with the lowest European common denominator when the Luxembourg law of 28 July 2023 (amended on 28 July 2025) imposes, on certain points, a higher standard. The defence 'we comply with the EU directive' does not hold before a national regulator.

The pitfalls of cross-border regulatory stacking

Incident notification: NIS 2 sets 24h for early warning, but some States require additional sectoral reporting (BaFin in Germany for finance, ANSSI in France for OIV).
Extended scope: a Member State may classify as 'essential entity' an organisation the directive would qualify as 'important', with direct consequences on ex-ante controls.
Reinforced technical requirements: mandatory MFA, imposed network segmentation, 12-month logging where the directive remains on 'appropriate measures'.
Cumulative sanctions: the same failure can be prosecuted by the ILR in Luxembourg AND by the authority of the country where the impacted service is located.
Critical subcontractors: the list varies from one State to another, and a cloud provider may face stricter requirements in one country than in its country of establishment.
Voluntary vs mandatory reporting: what is encouraged by ENISA may be imposed by a national text.

How Luxgap automates this risk

Our Luxgap Jurisdiction Matrix eliminates the multi-jurisdictional blind spot by mapping in real time the NIS 2 requirements applicable to each of your entities, country by country. The tool cross-references your footprint data (business registries, M365 tenants, Azure regions, AWS accounts per country) with a legal database updated daily across the 27 national transpositions and their amendments, to produce an opposable obligations differential.

Automatically detects each country where your group operates a NIS 2 service via Azure AD metadata, AWS Organizations and your connected tax filings.
Compares line by line the EU, Luxembourg (ILR), French (ANSSI), German (BSI), Belgian (CCB) and Dutch (NCSC) requirements to identify the highest standard applicable to each entity.
Alerts via Teams or Slack as soon as a national transposition evolves in a country where you are established, with immediate impact on your compliance.
Generates a consolidated obligations register per legal entity, cryptographically signed, presentable to the ILR as NIS 2 accountability evidence.
Produces the notification matrix: for each incident scenario, which authorities to alert, within what deadlines, with which pre-filled declaration template.
Calculates a multi-jurisdictional exposure score and prioritises gaps to close based on sanction risk.

Available as part of a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual entities, with a free 48h blank audit to measure your country-by-country gaps before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Minimum harmonisation

They trust us

Before we chat