Obligations in scope
Article 26 — DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union
Entities not established in the Union but offering services within the Union must designate a representative in the Union. Action required: designate.
Article 26 — Representative designated by DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union
The designated representative must be established in one of the Member States where the services are offered. Action required: establish.
Article 27 — ENISA
ENISA shall create and maintain a registry of specific digital service providers including DNS, cloud, data centre, CDN, MSP, MSSP, online marketplaces, search engines, and social networking platforms. Action required: create and maintain.
Article 27 — ENISA
ENISA shall allow competent authorities access to the registry upon request while ensuring the confidentiality of information is protected where applicable. Action required: allow access.
Article 27 — Member States
Member States shall require entities listed in paragraph 1 to submit specific identification and contact information to the competent authorities by 17 January 2025. Action required: require submission. Deadline: 17 January 2025.
Article 27 — DNS service providers, TLD name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services platforms
Entities referred to in paragraph 1 must submit their name, sector, address, contact details, Member States of service provision, and IP ranges to competent authorities. Action required: submit. Deadline: 17 January 2025.
Article 27 — Member States
Member States shall ensure that entities notify the competent authority about any changes to the submitted information without delay and in any event within three months of the date of the change. Action required: ensure notification. Deadline: within three months of the date of the change.
Practical steps
This list shows what the obligations on this page actually require you to do, ordered by article. Use it as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 26 — designate (DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union)
- Art 26 — establish (Representative designated by DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union)
- Art 27 — create and maintain (ENISA)
- Art 27 — allow access (ENISA)
- Art 27 — require submission (Member States)
- Art 27 — submit (DNS service providers, TLD name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services platforms)
- Art 27 — ensure notification (Member States)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 26 | DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union | — | — |
| Art 26 | Representative designated by DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, or social networking services platforms not established in the Union | — | — |
| Art 27 | ENISA | — | — |
| Art 27 | ENISA | — | — |
| Art 27 | Member States | 17 January 2025 | — |
| Art 27 | DNS service providers, TLD name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services platforms | 17 January 2025 | — |
| Art 27 | Member States | within three months of the date of the change | — |
| Art 27 | DNS service providers, TLD name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services platforms | within three months of the date of the change | — |
| Art 27 | Entities referred to in paragraph 1 | — | — |
| Art 21 | Commission | 17 October 2024 | — |
Penalty exposure
None of the 10 obligations on this page carries an explicit penalty figure in the NIS2 Directive text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to the NIS2 Directive's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
The NIS2 Directive interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation are:
- DSA Art 17 ↔ NIS2 Directive Art 12 (medium) — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.
- DORA Art 18 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying 'major' ICT incidents, whereas NIS2 relies on Member State definitions for 'significant' incidents, leading to potential discrepancies in what triggers reporting obligations.
- GDPR Art 33 ↔ NIS2 Directive Art 23 (high) — [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents.
- NIS2 Directive Art 13 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Competent Authorities / CSIRTs] NIS2 encourages the exchange of incident information and cyber threats among authorities and CSIRTs, while ePrivacy strictly prohibits the interception or storage of communications and traffic data without user consent, potentially limiting the data available for sharing under NIS2.
Check your full compliance exposure with the 5-minute Fontvera diagnostic →