NIS2 Registration Obligations: What EU SMEs Must Do With Their National Authority
NIS2 registration for EU SMEs explained: scope criteria, essential vs important entities, national authority timelines, and what documents to prepare.

The NIS2 Directive (EU 2022/2555) introduced registration obligations that many European SMEs are still unprepared for. Understanding whether your organisation falls under scope, which authority to register with, and what happens if you miss the deadline is no longer optional - enforcement cycles are already underway across multiple member states.
This article gives you the practical framework to work through those questions without a lawyer on retainer.
Who Actually Has to Register
The Directive distinguishes between two tiers of regulated entities.
Essential entities are organisations in sectors considered critical to the functioning of society and the economy: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (including cloud providers, DNS operators, and internet exchange points), ICT service management, public administration, and space.
Important entities cover a broader set of sectors including postal and courier services, waste management, chemicals, food production and distribution, manufacturing (of medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), and research organisations.
The size thresholds matter enormously for SMEs. In most cases the Directive applies to:
- Medium-sized entities: 50 or more employees and annual turnover or balance sheet exceeding EUR 10 million.
- Large entities: 250 or more employees and annual turnover exceeding EUR 50 million (or balance sheet exceeding EUR 43 million).
There are exceptions. If your organisation is a sole provider of a critical service in a member state, or if a disruption to your service could create significant systemic risk, national authorities may pull smaller entities into scope regardless of headcount. DNS service providers, trust service providers, and public electronic communications networks are also subject to registration irrespective of size.
The practical question to ask: Does your company operate within one of the listed sectors AND meet the size threshold? If yes, registration is mandatory. If you are below the threshold but operate critical infrastructure, check with your national authority.
How National Competent Authorities Work
NIS2 requires each member state to designate one or more national competent authorities (NCAs) responsible for cybersecurity supervision in their territory. Some countries use a single authority (typically the national cybersecurity agency), others split responsibility by sector.
Examples of how this looks in practice:
- Germany: The BSI (Bundesamt für Sicherheit in der Informationstechnik) serves as the central NCA for most sectors. Sector-specific regulators (Bundesnetzagentur for energy/telecom, BaFin for finance) may also hold supervisory authority.
- France: ANSSI (Agence nationale de la sécurité des systèmes d'information) is the primary NCA. Sector regulators cooperate for banking and energy.
- Netherlands: NCSC-NL and the Rijksinspectie Digitale Infrastructuur (RDI) share responsibilities depending on sector.
- Poland: CSIRT GOV, CSIRT MON, and CSIRT NASK operate as sectoral authorities, with the Ministry of Digital Affairs coordinating overall NIS2 transposition.
- Belgium: CCN (Centre pour la Cybersécurité Belgique) is the designated NCA.
- Spain: INCIBE and the CCN-CERT hold supervisory roles depending on whether the entity is private or public sector.
The member state you primarily operate in determines where you register. For multinationals, the primary establishment rule applies - you register with the NCA of the member state where you have your main establishment (usually headquarters or primary decision-making location for cybersecurity matters).
Registration Timelines Across the EU
NIS2 entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law. In practice, transposition timelines have varied significantly.
Most member states that completed transposition on time opened registration portals in Q4 2024 or Q1 2025. Several major economies experienced delays. As of early 2026, the situation across key markets is:
- Germany: NIS2UmsuCG (the German transposition act) is in effect. BSI has issued sector-specific guidance and expects self-registration to be completed through the BSI Portal.
- France: The French Cyber Resilience Act transposing NIS2 was adopted. ANSSI has published sector classification criteria and expects operators to self-declare.
- Italy: NIS2 transposed by Legislative Decree 138/2024. ACN (Agenzia per la Cybersicurezza Nazionale) manages registration. Deadlines have been phased across 2025 and 2026 depending on entity type.
- Spain: Transposition was still in progress in early 2026. Entities should monitor the official INCIBE and CCN channels for registration portal launch.
- Belgium: CCN has been running a registration process for entities in scope.
The key takeaway: do not wait for an authority to contact you. The burden of determining whether you are in scope and registering proactively sits with the entity, not the regulator.
What Registration Actually Involves
While each NCA has its own portal and process, registration under NIS2 typically involves submitting:
- Organisation identification: Legal name, registration number, VAT number, main establishment address.
- Sector and sub-sector classification: The sector that applies to your activity and whether you classify as essential or important.
- Primary contact: Name and contact details of the person responsible for cybersecurity (often the CISO, DPO, or equivalent).
- IP address ranges and domain names (for digital infrastructure and digital service providers - less commonly required for other sectors).
- Declaration of applicable activities: A description of the service or activity that places you in scope.
Some authorities also ask you to acknowledge the incident reporting obligations and confirm that management is aware of their personal accountability under the Directive (Article 20).
Prepare these in advance so the actual registration takes minutes rather than days.
What Documents to Prepare Before You Register
Registration is not an audit, but being unprepared can create problems. Have the following ready:
- A confirmed decision on your entity classification (essential or important) with a brief rationale referencing the sector annex.
- An internal list of who holds cybersecurity responsibility and their contact details.
- A basic incident response procedure - even a one-page document showing you have a defined process for detecting, containing, and reporting incidents.
- Evidence of risk management measures aligned to Article 21: network segmentation approach, access control policy, backup procedure, MFA policy for remote access, and a log retention policy.
You do not need to be fully compliant to register. You need to be registered to demonstrate good faith and to have the chance to correct gaps before penalties apply.
What Happens if You Miss the Registration Deadline
Missing registration is treated as a compliance failure and can trigger supervisory attention independently of whether an incident has occurred.
Under Articles 32 and 33 of the Directive, competent authorities have the power to issue binding instructions, require compliance programs, impose temporary bans on executives performing management functions, and levy administrative fines. For essential entities the ceiling is EUR 10 million or 2% of global annual turnover (whichever is higher). For important entities it is EUR 7 million or 1.4% of global annual turnover.
Enforcement priority across member states has generally focused first on large operators in high-risk sectors, but that is not a guarantee of safety for SMEs. Companies identified through incident reports, sector surveys, or third-party supply chain reviews can be pulled into enforcement proceedings regardless of size.
The practical risk for an SME that has not registered is not just a fine. It is being caught unprepared when an incident occurs - at the moment when you have the least capacity to handle regulatory scrutiny on top of an operational crisis.
A Three-Step Registration Plan for SMEs
Step 1 - Determine scope. Map your primary sector, sub-sector, and headcount/turnover against the NIS2 thresholds. If you are in a sector listed in Annex I or II and you meet the size thresholds, you are almost certainly in scope.
Step 2 - Identify your national authority. Find the official NCA for your member state. Bookmark the registration portal. Many authorities publish FAQ documents and sector guidance in local language. For multinationals, confirm which member state has jurisdiction based on primary establishment.
Step 3 - Register and document. Complete the registration. Retain a copy of your submission. Immediately after registration, begin closing the most visible gaps - if you lack centralised logging, incident procedures, or MFA on remote access, those are the first three things to address.
How SecBox Shield Supports Registration Readiness
Registration is the administrative step. Compliance is the ongoing operational state that authorities will verify.
SecBox Shield - managed firewall, AES-256 VPN with MFA, and immutable WORM logs - directly addresses the three most commonly checked technical controls: network perimeter management, authenticated remote access, and tamper-proof log retention.
WORM logs in particular are a practical answer to one of the most common gaps auditors find: the absence of reliable, unaltered records that can support incident timeline reconstruction and regulatory reporting.
You can review Shield plans starting at EUR 49/month at https://secbox.net/prezzi-shield/. If you would prefer to discuss your specific classification situation first, contact us at [email protected].
Registration is not the finish line. It is the starting point for demonstrating that your organisation takes NIS2 seriously - and that your technical foundation can back that up.