Which EU Authority Actually Supervises Your Organisation Under NIS2? Article 26 Explained
When your organisation faces a NIS2 supervisory inquiry, one authority sends the letter. One authority accepts your incident notifications. One authority can levy penalties of up to €10 million or 2% of global turnover. Getting the jurisdiction question wrong — reporting to the wrong authority, failing to register, or claiming a Member State without evidence — creates regulatory exposure that compounds over time.
Article 26 of Directive (EU) 2022/2555 establishes the complete jurisdictional framework. For most organisations, the answer is straightforward: you are supervised by the Member State where you are established. But for a specific list of digital service providers — cloud computing providers, DNS operators, content delivery networks, managed service providers, and eight other categories — the rule is different. Jurisdiction follows the main establishment, determined by a three-tier legal test that the directive defines precisely but that many organisations struggle to apply in practice.
This guide explains the full Article 26 framework: which jurisdiction track applies to your organisation, how to apply the three-tier main establishment test with evidence, what documentation constitutes a defensible jurisdiction determination, how the ENISA registry formalises your position, and how proposed 2026 amendments would change the coordination structure.
The Two-Track Jurisdiction System Under Article 26
Article 26(1) establishes two main jurisdiction tracks, plus two specific exceptions. Understanding which track your organisation follows is the first and most critical step — everything downstream depends on it.
Track 1 — Standard establishment rule: The default. Entities are supervised by the Member State where they are established. An energy company registered in Poland is supervised by Polish authorities. A hospital group incorporated in Spain falls under Spanish jurisdiction. If you have subsidiaries in multiple EU countries, each subsidiary is individually supervised by its own national authority.
Track 2 — Main establishment rule: Applies to specific digital service provider categories listed in Article 26(1)(b). These entities are supervised by the Member State where their main establishment in the Union is located — regardless of how many countries they serve. This is the jurisdiction track that requires active determination and documentation.
Two further exceptions apply. Providers of public electronic communications networks or services fall under the jurisdiction of the Member State where they provide their services, not where they are established. Public administration entities fall under the jurisdiction of the Member State that established them.
| Entity Type | Jurisdiction Rule | Lead Authority |
|---|---|---|
| General essential/important entities (energy, health, transport, finance, manufacturing) | Standard — MS of establishment | National authority where entity is registered |
| DNS providers, TLD registries, cloud, data centre, CDN, managed service providers, online platforms (Art. 26(1)(b)) | Main establishment rule | National authority of main establishment MS |
| Telecoms / electronic communications providers | Where services are provided | Each MS where services are delivered |
| Public administration entities | MS that established the entity | National authority of that MS |
| Non-EU entities (no EU establishment) | Representative designation (Art. 26(3)) | National authority of representative’s MS |

Which Entities Follow the Main Establishment Rule?
Article 26(1)(b) lists the entity types subject to the main establishment rule. These are not general sector categories — they are specific service type definitions. Your organisation falls under Track 2 if it is any of the following:
- A DNS service provider
- A TLD name registry
- An entity providing domain name registration services
- A cloud computing service provider
- A data centre service provider
- A content delivery network (CDN) provider
- A managed service provider (MSP)
- A managed security service provider (MSSP)
- A provider of online marketplaces
- A provider of online search engines
- A provider of social networking services platforms
The scope is broader than it appears. Baker McKenzie notes that a US parent company providing intragroup IT managed services to EU affiliates is subject to NIS2 — and the main establishment rule determines which single authority supervises it, even when services are delivered from outside the Union. If your organisation provides managed IT services as an ancillary function to EU-based group companies, seek legal advice on whether Article 26(1)(b) applies.
If your organisation is a manufacturer, hospital, energy operator, or financial institution, you follow Track 1 and the standard establishment rule applies. Understanding who must comply with NIS2 and whether the size thresholds apply to your entity is the prior question — Article 26 applies only once you have confirmed in-scope status.
The Three-Tier Main Establishment Test
Article 26(2) defines main establishment through a sequential three-tier test. The tiers apply in strict order — you apply the next tier only when the prior tier is genuinely indeterminate, not when it produces an inconvenient result.
Tier 1: Where Cybersecurity Risk-Management Decisions Are Predominantly Taken
The primary criterion is the Member State “where the decisions related to the cybersecurity risk-management measures are predominantly taken.” This is the operative test for most organisations with EU governance. It requires an honest assessment of where your cybersecurity governance actually operates, not where you would prefer your jurisdiction to be.
Per DLA Piper’s November 2025 analysis, this criterion “will generally refer to the location within the EU where strategic decisions on cybersecurity risk management are made and implemented.” The CISO’s permanent working location is a strong indicator — but only where the CISO is the individual who actually approves and implements NIS2-level risk management policies, not merely a technical operations lead.
Tier 2: Where Cybersecurity Operations Predominantly Occur
If Tier 1 is genuinely indeterminate — because risk-management decisions are made outside the Union, or are distributed across multiple Member States in a way that cannot be resolved to a single country — the fallback is where cybersecurity operations predominantly take place. Your Security Operations Centre location, primary network operations hub, or incident response team base can each be relevant under Tier 2.
Tier 3: Highest EU Employee Headcount
Only when both prior criteria fail does headcount decide. The Member State where the entity has the highest number of Union employees becomes the default jurisdiction. This tier is a backstop, not a shortcut. Applying Tier 3 when Tier 1 was determinable is a documented position that a competent authority can and will challenge.
What “Cybersecurity Decisions Predominantly Taken” Actually Means in Practice
This phrase generates the most compliance uncertainty because the directive does not elaborate on it further. Based on practitioner guidance from DLA Piper and Baker McKenzie, the following evidence is most probative in establishing a cybersecurity decision-making location.
Strong indicators of cybersecurity decision-making location:
- The CISO is permanently located there and personally approves risk-management policies
- The management body or board-level security committee convenes there and reviews cybersecurity risks in line with Article 20 NIS2 obligations
- NIS2-mandated policies — incident response plan, supply chain security, access control, business continuity — are formally approved there
- Annual risk assessments and cybersecurity investment decisions are signed off there
- Security vendor contracts and incident response retainer agreements are executed from that location
Weaker indicators (supporting but insufficient alone):
- The Security Operations Centre (SOC) is there
- The largest concentration of security engineers works there
- The primary data centre estate is there
- The registered head office address is there
The distinction between decision-making and operations is deliberate. Cybersecurity operations — running a SOC, maintaining infrastructure — can be in one country while governance decisions (board sign-off, CISO policy approval, risk-management investment authorisation) are made in another. The directive tests for decisions. Operations are the Tier 2 fallback. Conflating the two is the most common jurisdiction determination error.
Documentation strategy: DLA Piper advises organisations to “document their rationale for main establishment selection and maintain evidence of governance structures to defend their position if challenged.” A defensible jurisdiction file contains at minimum:
- An organisational chart showing the CISO’s reporting line and permanent working location
- Meeting minutes from the body that formally approves cybersecurity risk-management policy
- Policy sign-off records identifying the approving authority and their location
- A written jurisdiction determination memo, dated and reviewed by legal counsel, retained as a compliance record
The essential vs. important entity classification affects the intensity of supervisory scrutiny your organisation faces — but both essential and important entities must document their jurisdiction determination with equal rigour. The classification determines supervisory frequency; jurisdiction determines who supervises.
Non-EU Entities: The Representative Route Under Article 26(3)
Article 26(3) applies to organisations not established in any EU Member State that nonetheless offer services within the Union. These entities must designate a representative in the Union, in a Member State where their services are offered.
The representative’s Member State becomes the entity’s jurisdictional anchor — that national authority becomes the lead supervisor for incident notifications, supervisory inquiries, and compliance assessments. This mirrors the GDPR Article 27 representative model in structure and strategic logic.
You have strategic discretion in choosing the Member State for your representative, provided you genuinely offer services there. Key factors to weigh:
- Transposition completeness: As of August 2025, only 14 of 27 EU Member States had fully transposed NIS2 into national law. A jurisdiction with active transposition, published national guidance, and an operational national authority reduces interpretive uncertainty considerably.
- Enforcement posture: Penalty implementation and supervisory intensity vary by Member State. This is a legitimate factor — not to minimise compliance, but to select a predictable regulatory environment.
- Operational presence: The representative must be in a Member State where you genuinely offer services. The designation cannot be purely strategic with no substantive connection.
Two limitations are firm. First, Article 26(4) states that representative designation “shall be without prejudice to legal actions, which could be initiated against the entity itself.” The representative establishes jurisdiction; it does not shield the entity from direct liability. Second, non-EU entities cannot benefit from the main establishment rule — that rule applies exclusively to entities established within the Union.
Lead Authority and Article 26(5): Why Other Member States Can Still Act
The most consequential misconception about the main establishment rule is that it creates exclusive jurisdiction for one authority. It does not.
Article 26(5) permits any Member State to “take appropriate supervisory and enforcement measures” against an entity that provides services or has network and information systems on their territory — provided that Member State has received a mutual assistance request from the lead authority. NIS2 Article 15 requires competent authorities to cooperate, provide mutual assistance, and carry out joint supervisory actions where appropriate. This is an active coordination mechanism, not a theoretical backstop.
The practical consequence: your main establishment determines your primary regulator. It does not create a compliance boundary at your main establishment’s borders. Incident notifications go to your lead authority, which coordinates with local authorities as needed. But local national authorities may independently request information or participate in enforcement actions regarding services delivered in their territory.
For multinationals operating in ten or more EU Member States, this means that identifying the correct lead authority under Article 26 is necessary but not sufficient. You still need incident notification infrastructure that can reach multiple national authorities if required, and compliance documentation that stands up to scrutiny in every operating jurisdiction.
Proposed 2026 amendments and ENISA’s expanding role: The European Commission has proposed targeted amendments to NIS2 that would formalise ENISA’s coordination role in the lead authority system. Under the proposals, ENISA would facilitate cooperation among national authorities, help determine lead authorities for joint supervisory actions, and reduce duplicative supervisory requests against cross-border providers. ENISA would also prepare an EU-wide cybersecurity risk analysis within 15 months to assess incidents affecting cross-border service providers. These proposals do not create a GDPR-style one-stop-shop — entities would continue reporting to national authorities, not to ENISA directly. The amendments remained under legislative consideration as of mid-2026.
The ENISA Registry: Formally Registering Your Jurisdiction
For entities under Article 26(1)(b), jurisdiction determination must be formally registered — it is not sufficient to make an internal determination without filing it. Article 27 requires submission of the following information to the competent national authority:
| Required Field | Detail |
|---|---|
| Entity name and legal form | Full registered name |
| Physical address and contact details | Postal address, email address, phone numbers |
| Relevant sector and subsector | Per Annex I or Annex II of the Directive |
| IP address ranges | Used for network attribution and incident routing |
| Member States where services are provided | Informs the ENISA Union-level registry and cross-border coordination |
The submission deadline prescribed in the NIS2 Directive was January 17, 2025. If your organisation has not yet submitted, you are in breach of this notification obligation. Prioritise immediate registration with the competent authority in your determined jurisdiction and retain all submission confirmation records.
ENISA consolidates registration data from national single points of contact into a Union-level registry covering all entities in the Article 26(1)(b) categories. The registry enables cross-border supervisory coordination and makes lead authority assignments visible across Member States.
Ongoing obligations apply automatically: entities must notify the competent authority of any changes to registered information within three months. The Irish NCSC specifies a shorter window — within two weeks of the date of the change. If your main establishment shifts — because decision-making governance relocates to another Member State — that is a material change requiring prompt notification. A change without notification is itself a compliance breach.
Jurisdiction Determination Workflow for Compliance Teams
The following five-step workflow consolidates the Article 26 legal framework into an actionable sequence for in-house compliance and legal teams.
Step 1 — Identify your entity type
Check whether your organisation falls within the Article 26(1)(b) list. If not, your jurisdiction is the Member State where you are established — proceed to Step 4. If yes, your main establishment must be formally determined — proceed to Step 2.
Step 2 — Apply the three-tier test sequentially
Document where cybersecurity risk-management decisions are predominantly taken (Tier 1). If genuinely indeterminate, document where cybersecurity operations predominantly occur (Tier 2). If still indeterminate, identify the Member State with the highest EU employee count (Tier 3). Stop at the first tier that produces a definitive, evidenced answer.
Step 3 — Prepare a jurisdiction determination memo
This document is your audit defence. It should include: entity classification rationale, evidence supporting the operative tier (governance records, CISO location documentation, policy approval records), the legal conclusion identifying the Member State of main establishment, legal counsel review and sign-off, and the date of determination. Store it with your compliance records and update it when circumstances change.
Step 4 — Register with the competent national authority
Submit the Article 27 information to the national authority in your determined jurisdiction. If the national transposition portal is not yet operational, submit by email and retain all confirmation of receipt. Do not wait for a portal to launch — submit now.
Step 5 — Set a change-monitoring calendar alert
Review main establishment status annually and whenever significant governance changes occur: CISO relocation, corporate restructuring, merger, or re-organisation of the cybersecurity decision-making structure. A change in the operative criterion triggers a notification obligation within the prescribed period.
Documentation red flags that attract competent authority challenge:
- CISO permanently in Country A, but jurisdiction claimed in Country B with no written rationale
- Jurisdiction selection shifted since prior registration without a change notification filed
- No written determination memo — verbal or informal positions are not defensible under audit
- Jurisdiction claimed in a Member State with lighter enforcement posture but no substantive governance connection
- Three-tier test applied out of order — Tier 3 (headcount) selected without demonstrating Tiers 1 and 2 were indeterminate
Frequently Asked Questions
My cloud provider has offices in Germany and France. Which country supervises me?
Your lead authority is determined by the Member State where cybersecurity risk-management decisions are predominantly made. If your CISO and board-level cybersecurity governance operate from Germany, Germany is your main establishment and the BSI is your lead authority. If governance is genuinely split, document the evidence for each country and apply the three-tier test sequentially to reach a definitive conclusion.
My CISO is based in the US. How does this affect my main establishment?
If cybersecurity risk-management decisions are not predominantly taken within the Union, Tier 1 cannot identify an EU jurisdiction. Apply Tier 2: identify the Member State where cybersecurity operations predominantly occur. If that is also outside the EU, apply Tier 3: the Member State with the highest EU employee count. The three-tier test presupposes that you have at least one establishment in the Union; if your organisation has no EU establishment at all, the main establishment rule does not apply and you must instead designate an EU representative under Article 26(3).
Does main establishment mean I only need to comply in one Member State?
No. It means you have one lead supervisory authority. Your substantive NIS2 obligations — security measures, incident reporting, supply chain security — apply in every Member State where you provide services. Article 26(5) ensures other national authorities retain enforcement capacity for services delivered on their territory.
Our organisation has not yet registered with any competent authority. What should we do?
The Article 27 deadline was January 17, 2025. Non-registration is an active compliance breach. Complete your jurisdiction determination (Steps 1–3 above), then register immediately with the competent authority in your determined jurisdiction and retain all submission records.
Can our jurisdiction change after initial registration?
Yes. If the operative criterion changes — cybersecurity decision-making governance relocates to another Member State, or a merger shifts the main establishment — your jurisdiction changes. Notify the competent authority within the prescribed period (three months under Article 27; some Member States require two weeks) and update your ENISA registry entry.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- Directive (EU) 2022/2555 — NIS2 Directive full text — EUR-Lex
- NIS2 directive explained: Part 1 — Main establishment rules — DLA Piper (November 2025)
- NIS2 Directive — Frequently Asked Questions — European Commission
- NIS2 FAQ — Irish National Cyber Security Centre
- Cybersecurity and the EU NIS 2 Directive: What should multinationals do now? — Baker McKenzie
- European Commission Proposes Targeted Amendments to NIS2 — Inside Privacy (Covington & Burling)
- NIS2 Update: EU Cyber Authority Sets Out Compliance Expectations — Skadden (August 2025)
