NIS2 Directive Article 32 sets out the supervisory and enforcement powers Member States must give competent authorities in respect of essential entities. Each Member State must ensure these supervisory or enforcement measures are "effective, proportionate, and dissuasive," and must equip its competent authority with on-site inspections, off-site supervision, random checks, security audits, security scans, and information requests. Article 32 applies to essential entities; Article 33 mirrors most of these powers for important entities under a lighter, ex post regime.
Who Article 32 binds
Article 32 is addressed to Member States and to competent authorities; the powers it confers are exercised against essential entities. "Essential entity" is defined in Article 3 of NIS2 (sectors of high criticality in Annex I, plus public administration and certain entities designated by Member States). The obligation to make these powers available falls on Member States by the transposition deadline of 17 October 2024 set in Article 41.
Article 32 powers
The proportionality clause
Article 32 obligates Member States to "ensure that supervisory or enforcement measures imposed on essential entities are effective, proportionate, and dissuasive." This is the same triad used in GDPR Article 83(1) for fines, and in practice it is the legal hook competent authorities use to calibrate the severity of an enforcement action against the size of the entity and the gravity of the breach.
On-site inspections, off-site supervision, random checks
Competent authorities must have "the power to subject essential entities to on-site inspections, off-site supervision, and random checks." On-site inspections are physical visits; off-site supervision is desk-based review of documentation an entity has been ordered to submit; random checks are unannounced verification operations.
Regular and targeted security audits
Article 32 also requires the power to subject essential entities to "regular and targeted security audits carried out by an independent body or a competent authority." Targeted audits respond to a specific concern; regular audits run on a schedule the competent authority sets. The Article does not prescribe the audit frequency; that is left to the Member State and the authority.
Ad hoc audits triggered by incidents
The Article extends the audit power to "ad hoc audits justified by a significant incident or infringement." A significant incident is defined in Article 23(3) of NIS2 as one that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Security scans
Article 32 requires that competent authorities have the power "to conduct security scans based on objective, non-discriminatory, fair, and transparent risk assessment criteria." A security scan in this context typically means active probing of internet-facing assets; the requirement that scans be based on transparent criteria is the safeguard against arbitrary use of the power.
Information and access requests
Two adjacent powers cover the documentary side of supervision. Competent authorities must be able to "request information necessary to assess cybersecurity risk-management measures and compliance with reporting obligations," and to "request access to data, documents, and information necessary to carry out supervisory tasks."
What this means in practice
An essential entity should expect its competent authority (in most Member States, the national cybersecurity agency) to combine documentary requests, scheduled audits, and incident-triggered ad hoc audits. Article 32 does not specify deadlines for responding to information requests; those sit in national transposition law. The risk-management measures the authority will assess are the ones in Article 21 of NIS2; the reporting obligations referred to are in Article 23. Compliance teams should map Article 21 measures and Article 23 reporting evidence to a single audit folder so that an Article 32 information request can be answered within the deadline a national law sets.