NIS2 Directive Article 33 sets out the supervisory powers Member States must give competent authorities in respect of important entities. Article 33 mirrors the powers under Article 32 (which covers essential entities), but with one critical difference: the supervisory regime for important entities is ex post. Competent authorities are required to "take action through ex post supervisory measures when provided with evidence of non-compliance," rather than carrying out routine ex ante supervision. Member States must still ensure these measures are effective, proportionate, and dissuasive.
Who Article 33 binds
Article 33 is addressed to Member States and to the competent authorities they designate. The powers are exercised against important entities, defined in Article 3 of NIS2 (entities of medium size, or large entities in the sectors of Annex II, that fall outside the essential-entity scope of Article 3(1)). The architectural difference between Articles 32 and 33 is the trigger: under Article 33 the supervisory cycle starts when there is evidence of non-compliance, not on a calendar-driven inspection plan.
Article 33 powers
Ex post supervision triggered by evidence
Article 33 obligates Member States to ensure that "competent authorities take action through ex post supervisory measures when provided with evidence of non-compliance by an important entity." Evidence can come from a complaint, a reported incident under Article 23, intelligence sharing through the CSIRTs network, or a referral from another supervisory authority. The Article does not specify the evidentiary threshold; that is set by national transposition.
The proportionality clause
Article 33 requires that "supervisory measures taken by competent authorities are effective, proportionate, and dissuasive." This is the same triad as Article 32, and it is the legal hook competent authorities use to scale the response to the size of the important entity and the gravity of the breach.
On-site inspections and off-site ex post supervision
Competent authorities must have the power to "subject important entities to on-site inspections and off-site ex post supervision." Note the missing element compared to Article 32: there are no random checks listed for important entities. The supervisory presence is meant to be lighter and reactive.
Targeted security audits
Article 33 limits the audit power for important entities to "targeted security audits carried out by an independent body or a competent authority." There is no equivalent of the Article 32 "regular and targeted" formula and no ad hoc incident-triggered audit clause spelt out at the same level. In practice the targeted audit is the main on-site instrument under Article 33.
Security scans
Article 33 also requires the power "to conduct security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria." This mirrors Article 32 and applies the same safeguards: any scanning programme must rest on transparent risk criteria, not on arbitrary selection.
Information and access requests
Two information-gathering powers complete the toolkit. Competent authorities must be able to "request information necessary to assess ex post the cybersecurity risk-management measures adopted by the entity," and to "request access to data, documents and information necessary to carry out their supervisory tasks." Both are scoped to the ex post posture: they are the means by which the authority assembles a non-compliance case after a triggering event.
What this means in practice
An important entity should not expect routine compliance audits the way an essential entity should under Article 32. The realistic supervisory pattern is that a competent authority will engage following an Article 23 incident report, a third-party complaint, or evidence developed by another authority. Compliance leads at important entities should therefore prioritise two artefacts: a current Article 21 risk-management measures dossier, ready to produce on demand, and an incident-handling playbook whose Article 23 notification records do not themselves open avoidable lines of supervisory inquiry.