NIS2 Directive Article 7 obligates each Member State to adopt a national cybersecurity strategy that sets out the strategic objectives, resources, and policy measures needed to achieve a high common level of cybersecurity. Article 7 is addressed to Member States, not to private entities, and prescribes the minimum content of the strategy: objectives covering the sectors in Annexes I and II, a governance framework, a risk assessment mechanism, preparedness and recovery measures, and a list of authorities and stakeholders involved.
Who Article 7 binds
Article 7 is a Member State obligation. It does not impose direct compliance duties on essential or important entities, but its outputs (the national strategy, the governance framework, the list of authorities) are the documents through which the national NIS2 enforcement structure is announced. For multinational compliance teams, Article 7 strategies are the authoritative source for understanding which national authority will supervise which entities under the Directive in each Member State.
Article 7 obligations
Adoption of a national strategy
Article 7 requires that "each Member State shall adopt a national cybersecurity strategy that provides for strategic objectives, resources, and policy measures to achieve a high level of cybersecurity." The strategy is the foundation document: every operational decision at competent-authority level rests on it.
Sectoral coverage of Annexes I and II
The strategy "shall include objectives and priorities covering the sectors referred to in Annexes I and II." Annex I lists sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space). Annex II lists other critical sectors (postal services, waste management, chemicals, food, manufacturing of certain products, digital providers, research). Member States must address both sets in their strategy.
Governance framework
Article 7 obligates Member States to include "a governance framework to achieve objectives and priorities, including the policies referred to in paragraph 2." The same paragraph also requires the framework to clarify "roles and responsibilities of stakeholders and underpinning cooperation between competent authorities, single points of contact, and CSIRTs." The single point of contact is the national clearing house that Article 8 of NIS2 requires for cross-border supervisory cooperation; the CSIRTs are the operational incident response teams under Article 10.
Asset identification and risk assessment
The strategy must include "a mechanism to identify relevant assets and an assessment of the risks in that Member State." This is the national-level mirror of the entity-level risk-management measures in Article 21. The Article does not prescribe a methodology; Member States typically rely on ENISA-published guidance.
Preparedness, response, and recovery
Article 7 requires "an identification of measures ensuring preparedness for, responsiveness to, and recovery from incidents, including public-private cooperation." This is the policy hook for national exercises, sectoral information-sharing arrangements, and the public-private cooperation under Article 29.
List of authorities and stakeholders
The strategy "shall include a list of the various authorities and stakeholders involved in its implementation." For compliance teams managing presence in several Member States, the Article 7 list is the cleanest single source for who does what at national level: which authority supervises which sector, where the single point of contact sits, and which CSIRT handles incidents.
What this means in practice
For an essential or important entity, Article 7 is not a direct compliance obligation; it is the document that explains the national supervisory landscape. Multinational compliance teams should read each Member State's national cybersecurity strategy alongside the national transposition law, because the strategy answers questions the transposition statute typically does not: how often the competent authority will run sectoral audits, which stakeholder fora the entity is expected to participate in, and how the public-private cooperation under Article 29 has been operationalised. Where an entity is supervised in several Member States, the comparative review of Article 7 strategies is the fastest way to spot divergent enforcement intensities.