The classic trap
Article 29 designates the Member States as addressees of the directive: it is a reminder that an EU directive is not directly applicable and must be transposed into national law. The practical trap: too many Luxembourg organisations rely on Directive 2019/1937 when the Luxembourg law of 16 May 2023 actually applies, with its own thresholds, deadlines and penalties. Invoking the EU text instead of the national law before the OFRS, the CSSF or the CNPD means relying on the wrong legal basis, leading to incomplete compliance.
Why transposition changes everything
The directive sets a minimum floor; each State may go further or add detail. In Luxembourg, several transposition choices directly affect your scheme:
- The threshold triggering the mandatory internal channel (50 employees in the private and public sectors, no threshold for public bodies).
- The OFRS as the transversal external authority, alongside sectoral authorities (CSSF, CNPD, ITM, CAA, ILR).
- A penalty regime specific to Luxembourg that does not appear in the EU text.
- The acknowledgement deadline (7 days) and the feedback deadline to the whistleblower (3 months) that must be strictly respected.
- The material scope of covered breaches, which may exceed the directive baseline.
Operational conclusion: your internal policy, forms and procedures must cite the law of 16 May 2023, not the directive, and integrate the national specificities.
How Luxgap automates this risk
Our Luxgap Transposition Mapper ensures your whistleblowing scheme rests on the correct national legal basis, not on a directly inapplicable EU text. The tool cross-checks your internal documentation (M365 SharePoint policies, Odoo procedures, HR charters) against the consolidated Luxembourg law of 16 May 2023 and detects every wrong reference or obsolete clause.
- Scans your internal policies and reporting forms and detects references to Directive 2019/1937 where the national law should apply.
- Verifies the presence of the Luxembourg thresholds (50 employees private and public) and flags assujetted entities not yet covered.
- Calculates compliance with the mandated deadlines (acknowledgement within 7 days, feedback within 3 months) and flags procedures silent on these timeframes.
- Maps the relevant external authority by domain (OFRS, CSSF, CNPD, ITM, CAA, ILR) and proposes the routing adapted to your sector.
- Produces a timestamped PDF report enforceable before the OFRS and the sectoral authorities, demonstrating compliance with the law of 16 May 2023.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real perimeter, with a free blind audit within 48h to measure your exposure before any commitment.