Article 5

Minimum harmonisation

Directive on the security of network and information systems · UE 2022/2555

Minimum harmonisation

This Directive shall not preclude Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with Member States’ obligations laid down in Union law.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) designates essential and important entities, receives incident notifications, conducts inspections and imposes administrative sanctions. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes NIS 2 and may, under Article 5, maintain or add requirements stricter than the European text. A group policy calibrated on the EU minimum is therefore not presumed compliant in the eyes of the ILR.

Luxgap practice: systematically verify that your notification deadlines and technical measures meet the most recent Luxembourg level, and keep timestamped proof that you apply the strictest requirement applicable to each entity.