Artifact GuideEU NIS2

NIS2 registration and authority notification

A source-linked workflow for deciding where a NIS2 entity must register, what information to submit, which authority route to use, and when changes must be reported.

Built for legal, security, compliance, public-policy, and country operations teams that need to separate EU-level duties from Member State portals and sector-specific authority routes.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

NIS2 registration work is not one generic filing. Article 3 requires Member States to establish lists of essential and important entities and entities providing domain name registration services. Article 27 separately creates an ENISA registry path for named digital and domain-related providers, based on information that Member States collect through competent authorities and single points of contact. Teams should treat each country, sector, establishment, and service model as a documented routing decision.

Section 1

What registration decision does NIS2 require?

Start with two separate questions: whether the organisation belongs on a Member State list under Article 3, and whether it is one of the Article 27 entity types whose information flows into the ENISA registry.

Article 3 covers the Member State list of essential and important entities and entities providing domain name registration services. Article 27 covers DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing providers, data centre providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, and social networking services platforms.

  • Record the legal basis separately for Article 3 list inclusion and Article 27 registry submission.
  • Map the relevant Annex I or Annex II sector, subsector, and entity type before choosing a portal or authority contact.
  • For Article 27 providers, identify the Member State of main establishment under Article 26, or the EU representative if the provider is not established in the Union.
  • Do not assume one EU-wide registration form exists; national mechanisms and portals are implemented by Member States.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Primary legal source for Article 3 entity lists, Article 26 jurisdiction, and Article 27 registry duties.
Commission Guidelines on Article 3(4) NIS2 registration information
Commission guidance and template for information collected for Article 3(3) lists and Article 27(2) submissions.
Section 2

What information should the registration record contain?

For Article 3 list purposes, NIS2 requires at least the entity name, address, up-to-date contact details, email addresses, IP ranges, telephone numbers, relevant Annex I or Annex II sector and subsector where applicable, and the Member States where services in scope are provided where applicable.

For Article 27 providers, NIS2 requires the entity name, relevant sector, subsector and type of entity where applicable, the main establishment and other Union legal establishments or EU representative, up-to-date contact details, Member States where services are provided, and IP ranges.

  • Keep legal name, trading names, registration numbers, and group entity mapping with the submission file.
  • Store main establishment reasoning, EU representative details, and service-country mapping for Article 27 providers.
  • Keep IP ranges, security contact mailboxes, phone numbers, and escalation owners current enough for authority follow-up.
  • Save proof of submission, portal receipts, authority correspondence, and the source text used to decide the route.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 3(4) and Article 27(2) define the minimum information that Member States collect from entities.
Commission Guidelines on Article 3(4) NIS2 registration information
The Commission template combines Article 3(3) list information with Article 27(2) registry information.
Section 3

Which authority route should teams use?

NIS2 leaves national implementation and competent-authority routing to Member States. Article 8 requires Member States to designate competent authorities and single points of contact, and Article 10 requires CSIRTs. Registration, supervisory, and incident-notification routes can therefore differ by country and sector.

A practical registration file should name the country authority route actually used, not just the EU directive. Finland, for example, describes registration with the supervisory authority for the sector and says multi-sector organisations should register with each sector's supervisory authority. Ireland's NCSC page shows why status checks matter: it stated that its NIS2 registration and incident reporting portals were not available at that time pending legislation.

  • Check the Member State transposition page, national NIS2 page, and sector authority page before filing.
  • Separate registration with a supervisory authority from incident notification to a CSIRT or competent authority.
  • Where several sectors apply, record each sector authority decision and any reason a route was rejected.
  • If a portal is unavailable or legislation is incomplete, save the dated official source and assign a reassessment owner.
Sources for this answer
European Commission - NIS2 transposition in EU countries
Commission state-of-play page for national transposition and Member State contact pages.
Traficom - NIS2 obligations under Finland's Cybersecurity Act
National example showing registration with sector supervisory authorities and separate incident notification.
Ireland NCSC - NIS2
National example showing that registration and incident reporting portals may depend on local implementation status.
Section 4

When must registration details be updated?

Article 3 requires entities on the Member State list to notify changes to submitted details without delay and in any event within two weeks of the change. Article 27 requires listed digital and domain-related providers to notify changes without delay and in any event within three months of the change.

The difference matters operationally. A change in IP ranges, contact details, Member States served, main establishment, representative, or sector classification can reopen the registration record and may trigger a different national authority route.

  • Build separate change clocks for Article 3 and Article 27 instead of using one generic review date.
  • Trigger review on acquisitions, legal-entity changes, new EU establishments, new EU service countries, sector expansion, and contact or IP range changes.
  • Keep evidence showing when the change became known, when the filing owner was notified, and when the authority update was submitted.
  • Use national-law checks before applying any country-specific deadline; EU-level text does not supersede Member State implementation detail.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Primary source for Article 3 two-week update timing and Article 27 three-month update timing.
Commission Guidelines on Article 3(4) NIS2 registration information
Guidance repeats the Article 27 change-notification expectation for listed providers.
Section 5

Implementation checklist for NIS2 registration and authority notification

Use this checklist before submitting, updating, or closing a NIS2 registration decision. The goal is a record that a later reviewer can trace from service facts to EU article, Member State route, authority contact, and submission evidence.

Do not use this checklist to infer penalties, registration thresholds, or country deadlines that are not stated in the cited EU or national source.

Is NIS2 registration handled through one EU portal?

No. NIS2 requires Member States to establish lists and allows national registration mechanisms. Article 27 information for certain digital and domain-related providers is forwarded through Member State single points of contact to ENISA, but the practical filing route is national.

What is the biggest registration mistake under NIS2?

The biggest mistake is treating registration as a one-time compliance form. The record needs jurisdiction analysis, sector classification, authority routing, required data fields, and a change process for Article 3 and Article 27 updates.

  • Entity classification is documented for essential, important, domain name registration service, and Article 27 provider status.
  • Jurisdiction, main establishment, EU representative, and Member States served are recorded where relevant.
  • Competent authority, single point of contact, CSIRT, and sector supervisory route are checked against official national sources.
  • Submission data includes entity name, establishment address, contacts, sector and subsector, Member States served, and IP ranges where required.
  • Change-notification triggers distinguish Article 3 two-week updates from Article 27 three-month updates.
  • Evidence includes source URLs, short quotes, filing screenshots or receipts, authority correspondence, owner approvals, and next review triggers.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Primary legal source for classifying entities and tracking Article 3, Article 26, and Article 27 registration duties.
European Commission - NIS2 transposition in EU countries
Use to locate Member State implementation status and national contact pages before relying on a filing route.
Recommended next step

Use this guide to route NIS2 registration and authority notifications

Sorena can turn this NIS2 registration analysis into source-linked classification records, authority-route checks, submission evidence requests, and change-notification workflows.

Research workflow
Open Research Copilot for NIS2

Ask source-linked questions about Article 3 lists, Article 27 registry duties, competent authorities, and national portal evidence.

Explore next step
Talk to Sorena
Talk through implementation

Review your NIS2 registration route, country evidence, authority contacts, and change-notification workflow with Sorena.

Explore next step
Primary sources

References and citations

Directive (EU) 2022/2555 (NIS2)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for classifying entities and tracking Article 3, Article 26, and Article 27 registration duties.
"ENISA shall create and maintain a registry"
Ireland NCSC - NIS2
ncsc.gov.ie
Referenced sections
  • National example showing that registration and incident reporting portals may depend on local implementation status.
"registration and incident reporting portals are not available"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 72-hour incident notification FAQ
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.