The classic trap
Article 5 sets a simple but dangerous rule in practice: NIS 2 is only a floor, not a ceiling. Multi-jurisdiction organisations often build a cybersecurity baseline calibrated on the European text, then discover during an inspection that Luxembourg, through the ILR, or another Member State imposes stricter requirements (shorter notification deadlines, reinforced sectoral measures, specific registration obligations). The trap is not ignorance of NIS 2, but the belief that uniform compliance is enough when each country can tighten the standard. The ILR sanctions any entity that applies the European minimum where the national transposition requires more.
Why minimum harmonisation is a hidden risk for groups
In practice, Article 5 creates a regulatory patchwork that cybersecurity leaders systematically underestimate.
- A group present in Luxembourg, France and Germany must align its posture with the strictest requirement of each country, not with the common European denominator.
- The Luxembourg transposition (law of 28 July 2023, amended in 2025) can specify deadlines, thresholds or reporting obligations that the EU text leaves open.
- Sectoral measures (energy, health, finance, digital infrastructure) add national layers that stack on top of the NIS 2 baseline.
- A group security policy drafted in Brussels or Paris may be non-compliant with the ILR without any warning signal.
- The compliance test is never binary: you must demonstrate that you apply the highest level applicable to each entity and each country.
How Luxgap automates this risk
Our Luxgap Jurisdiction Gap Mapper makes the minimum-harmonisation blind spot impossible: it continuously compares your actual control baseline with the strictest requirement applicable to each of your entities, country by country. The tool cross-references your control framework (ISO 27001, your M365 policies, Defender, Azure Sentinel, your CMDB) with a living regulatory database of national NIS 2 transpositions, and automatically surfaces every gap between what you apply and what the ILR or another national regulator requires.
- Automatically detects each group entity subject to NIS 2 and maps it to its regulatory jurisdiction (ILR for Luxembourg) through your Active Directory and legal register.
- Compares your control baseline against the reinforced requirements of each national transposition and flags where your European minimum falls short.
- Calculates a jurisdictional gap score per country and per entity, prioritising the strictest obligations (notification deadlines, sectoral measures, registration).
- Alerts in real time on Teams whenever a national transposition changes and impacts your scope, notably after the Luxembourg law of 28 July 2025.
- Produces a timestamped PDF report enforceable before the ILR during an inspection, demonstrating that you apply the highest applicable level of cybersecurity and not merely the European floor.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real perimeter, with a free blind audit within 48h to measure your exposure before any commitment.