I need to bring my Luxembourg organisation into compliance with recital 21 of NIS 2 (UE 2022/2555). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 21 NIS 2 — Recital 21

EU frameworkGDPRNIS 2DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 21

Directive on the security of network and information systems · UE 2022/2555

(21)

The Commission could provide guidance to assist Member States in implementing the provisions of this Directive on scope and evaluating the proportionality of the measures to be taken pursuant to this Directive, in particular as regards entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities or may simultaneously carry out activities, some of which fall within and some of which are excluded from the scope of this Directive.

Luxembourg specificity

loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite

In Luxembourg, the ILR designates essential and important operators under the law of 28 July 2023 on cybersecurity (amended by the law of 28 July 2025). In case of mixed qualification or proportionality doubt, the ILR can be petitioned for ad hoc qualification, and takes into account the European Commission guidance referred to in recital 21.

Luxgap practice: before any self-qualification, file a reasoned memorandum with the ILR via the dedicated notification form. This secures your position and avoids retroactive requalification during an incident.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 21 acknowledges a reality many Luxembourg groups underestimate: a single legal entity can hold multiple qualifications. An industrial holding running an internal datacenter, intra-group transport and a CSSF-regulated fintech may be simultaneously essential (digital infrastructure) and important (other NIS 2 activities), with parts out of scope. The ILR typically sanctions organisations that applied a single uniform perimeter, forgetting that an essential sub-perimeter triggers reinforced obligations (proactive audits, ex-ante supervision).

The proportionality and mixed-qualification test

Recital 21 calls for an activity-by-activity reading, not entity-by-entity. Concretely, you must document:

The exhaustive breakdown of your economic activities (NACE codes, business lines, BUs) mapped to Annex I, Annex II or out-of-scope.
The triggering criterion per activity: size (headcount, turnover), sector, ad hoc ILR designation.
The hierarchy of obligations when one entity cumulates essential and important: the stricter regime prevails on the affected perimeter.
The transverse flows (shared IT, group HR, group finance) that can extend the essential perimeter by technical contamination.
The proportionality of measures: the same control (MFA, EDR, segmentation) may be adequate for the important activity and insufficient for the essential one.
The written trace of this analysis, opposable to the ILR during inspection or qualification request.

How Luxgap automates this risk

Our Luxgap Scope Cartographer eliminates the blind spot of mixed qualifications by automatically mapping each business line in your group and attaching it to the correct NIS 2 regime. The tool ingests your trade register (RCSL), filed annual accounts, ERP (Odoo, SAP, Sage BOB 50) and Active Directory to reconstruct operational reality, then produces a reasoned qualification opinion activity-by-activity, ready to be filed with the ILR.

Automatically detects each real economic activity by cross-referencing RCSL NACE codes, accounting revenue lines and business applications connected to the IS.
Classifies each activity against Annexes I and II of NIS 2 and computes the applicable threshold (consolidated headcount, turnover, ad hoc ILR designation) in real time.
Identifies essential/important cumulation zones and automatically applies the stricter-regime principle on shared resources.
Generates a proportionality matrix that modulates expected technical controls (ISO 27001, ENISA Good Practices) per sub-perimeter.
Produces a timestamped, cryptographically sealed qualification memorandum PDF, opposable to the ILR during a clarification request or inspection.
Instantly alerts when a new subsidiary, acquisition or business line shifts the group into an essential perimeter.

Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams prepare a demonstration on your real structure, with a free 48-hour blank audit to materialise your NIS 2 exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 21

They trust us

Before we chat