Registration requirements under NIS2

Building on the foundation laid by the original NIS Directive of 2016, NIS2 aims to enhance the security of network and information systems across the European Union by addressing emerging challenges in the digital landscape. The directive establishes a comprehensive framework for the classification, registration and regulation of entities that are critical to the functioning of the EU internal market and the welfare of EU citizens.

In this article, we will delve into the registration obligations imposed by NIS2. Understanding this and various other obligations is crucial for a high level of cyber resilience of network and information systems within the EU. Please be referred to our NIS2 implementation tracker and NIS2 hub for the latest legal updates and further insights.

Registration obligations

The NIS2 Directive stipulates in Article 3 (3) that Member States must “compile a list of essential entities, important entities and entities that provide domain name registration services”. For the purpose of compiling this list, all these 3 categories of entities are obliged to share certain data and keep it up to date. Competent authorities, regulators and CSIRTs must have access to this data to perform their duties under the NIS2 Directive. In addition, Member States are required to share the number of entities on the list, broken down by sector and subsector, with the European Commission and the Cooperation Group.

To ensure that entities can provide and manage this information easily, we see Member States setting up registration mechanisms at competent governmental departments and designated CSIRTs. This is where in scope entities need to submit and manage the data mentioned in Article 3 (3) NIS2 Directive. This includes: contact details and IP ranges as well as the sector and member states in which the registering entity operates. Changes to these details must be reported within strict timelines.

In the Netherlands, based on the draft law, the central registration mechanism has been placed with the National Cyber Security Centre (NCSC). This ensures that the various involved authorities perform their tasks based on the same information, which is stored and kept up to date and in one place. Technical safeguards ensure that competent authorities, regulators and CSIRTs only have access to the data from the register as far as they need it to perform their legal tasks under the NIS2 Directive. This way, the group that has access to this data is kept as limited as possible.

The registration mechanism also serves Article 27 of the NIS2 Directive. This article prescribes that DNS service providers, top-level domain name registries, entities that provide domain name registration services, cloud computing service providers, data center providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines, and social networking service platforms must provide certain information for the ENISA register. This information largely corresponds to the information that entities must provide as a result of Article 3 (3) NIS2.

If an entity is established in more than one Member State, provides services to or carries out activities in the European Union and the ‘main establishment’ concept of Article 26 (2) NIS2 does not apply, it will have to register in each of those Member States and meet all the registration requirements stemming from their local NIS2 implementation laws. As most companies in scope of NIS2 cannot apply for the main establishment rule, registration in all EU member states where in scope services are offered is mandatory and a burdensome exercise.

Entities should take due care of registration deadlines in all relevant Member States, which may significantly vary. For example, in Hungary, registrations must be submitted to the SZTFH by June 30, 2024, whereas in Belgium, registration is due 5 months after 18 October 2024. Late registration will be punished with fines (f.e. EUR 50,000 in Austria).

Conclusion

The NIS2 Directive has far-reaching implications for entities that provide services or carry out activities within the EU. It is essential for entities that may fall under the directive to be aware of their obligations regarding registration in the various Member States. Additionally, it is crucial for entities to closely monitor registration deadlines to ensure timely compliance.