Obligations in scope
Article 31 — Member States
Member States shall ensure that competent authorities have appropriate powers to carry out supervision of public administration entities with operational independence vis-à-vis the public administration entities supervised. Action required: ensure.
Article 2 — Member States
Member States may provide for the Directive to apply to public administration entities at local level. Action required: provide for application.
Article 2 — Member States
Member States may exempt specific entities providing services exclusively to public administration entities referred to in paragraph 7 from obligations in Articles 21 or 23. Action required: exempt.
Article 34 — Member States
Each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public administration entities. Action required: lay down.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 31 — ensure (Member States)
- Art 2 — provide for application (Member States)
- Art 2 — exempt (Member States)
- Art 34 — lay down (Member States)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 31 | Member States | — | — |
| Art 2 | Member States | — | — |
| Art 2 | Member States | — | — |
| Art 34 | Member States | — | — |
Penalty exposure
None of the 4 obligations on this page carries an explicit penalty figure in the NIS2 Directive text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to the NIS2 Directive's general penalties article (or the diagnostic below) to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
The NIS2 Directive interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- DSA Art 17 ↔ NIS2 Directive Art 12 (medium) — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.
- DORA Art 18 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying 'major' ICT incidents, whereas NIS2 relies on Member State definitions for 'significant' incidents, leading to potential discrepancies in what triggers reporting obligations.
- GDPR Art 33 ↔ NIS2 Directive Art 23 (high) — [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents.
- NIS2 Directive Art 13 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Competent Authorities / CSIRTs] NIS2 encourages the exchange of incident information and cyber threats among authorities and CSIRTs, while ePrivacy strictly prohibits the interception or storage of communications and traffic data without user consent, potentially limiting the data available for sharing under NIS2.
Check your full compliance exposure with the 5-minute Fontvera diagnostic →