NIS2 Article 27 Entity Registration: Exact Fields, Country Portals, and What Happens After You Submit

Who This Article Is For

Article 27 of the NIS2 Directive creates a registration obligation that applies to a specific subset of digital and online service providers — not to all NIS2 entities. If you operate a DNS service, a cloud platform, a managed security service, or one of eight other digital infrastructure types, you are required to register with your national competent authority and provide six defined data points. This guide gives you the exact fields to gather, the portal to use in your country, the applicable deadline, and a clear picture of what your competent authority does once your submission lands.

If you are unsure whether your organisation falls within NIS2 scope at all, read Who Must Comply with NIS2 first. For the distinction between essential and important entity classification — which affects your obligations but not your Article 27 registration duty — see Essential vs Important Entity Under NIS2.

Who Must Register Under Article 27 — and Who Does Not

Plain-language summary: Article 27 applies exclusively to eleven digital and online service provider categories. If your organisation falls in energy, healthcare, banking, or another sector from Annex I or II but does not provide one of these eleven service types, Article 27 registration does not apply to you — you are subject to other NIS2 obligations, but not this one.

Article 27(1) lists the entity types that ENISA must include in its pan-EU registry. These are the same types required to register with national competent authorities under Article 27(2):

Entity Type	What It Covers	Example Providers
DNS service providers	Recursive or authoritative DNS resolution services	Cloudflare DNS, Google Public DNS, enterprise DNS operators
TLD name registries	Operators of country-code or generic top-level domains	.de registry (DENIC), .nl registry (SIDN), .eu registry (EURid)
Domain name registration service providers	Domain registrar services	GoDaddy, Namecheap, OVH
Cloud computing service providers	IaaS, PaaS, SaaS cloud platforms	AWS, Azure, Google Cloud, OVHcloud
Data centre service providers	Colocation and managed data centre operators	Equinix, Digital Realty, Interxion
Content delivery network providers	CDN and edge caching services	Akamai, Cloudflare CDN, Fastly
Managed service providers (MSPs)	Third-party IT management services	Accenture Managed Services, Capgemini, regional MSPs
Managed security service providers (MSSPs)	Outsourced security monitoring and management	IBM Security, Secureworks, Arctic Wolf
Online marketplace providers	B2C and B2B online trading platforms	Amazon Marketplace, eBay, Allegro
Online search engine providers	Internet search services	Google Search, Bing, DuckDuckGo
Social networking services platforms	Social media and professional networking	Facebook, LinkedIn, X (Twitter)

The registration obligation attaches to the type of service, not to the size of the organisation or whether it is classified as essential or important. A small MSP with 60 employees must register under Article 27 just as a large cloud provider must. The essential/important classification affects your security requirements under Article 21 and your penalty exposure — not whether Article 27 applies [1].

Does This Apply to Your Organisation? — Decision Logic

• Step 1: Do you provide any of the eleven service types listed above? If no → Article 27 registration does not apply. Stop here.
• Step 2: Do you provide those services to customers in the EU (or are you established in the EU)? If no → see the non-EU entity section below before concluding you are out of scope.
• Step 3: Does your organisation meet the NIS2 size threshold (50+ employees OR turnover above €10 million)? Very large providers of online search engines and social networks are subject to Article 27 regardless of size. For other types, confirm your threshold against national implementing law.
• Step 4: Identify which member state has jurisdiction — where your main EU establishment is located. That country’s competent authority is your registration destination.

The 6 Information Fields You Must Submit

Plain-language summary: Before you open any registration portal, gather these six data points. Having them ready turns a registration session into a 20-minute task. Missing one — particularly the IP range data or the correct Annex I/II sector code — will require you to return and update.

Article 27(2) specifies exactly what must be submitted to the competent authority [1]:

1. Entity name — your legal registered name, not a trading name or brand.
2. Relevant sector, subsector, and entity type — drawn from Annex I (essential entities) or Annex II (important entities) of the directive. You will need to identify your correct classification before registration; check your member state’s national implementing regulation as some have added or reordered categories.
3. Address of main establishment and other Union legal establishments — the registered address of your EU headquarters plus any other EU legal entities in your corporate group that fall within scope. For non-EU entities, the address of your Article 26(3) designated representative substitutes here.
4. Up-to-date contact details — current email addresses and telephone numbers for the entity itself, and separately for the designated representative where applicable. These are used for official regulatory communications and incident notification — an outdated phone number is a compliance risk, not just an administrative gap.
5. Member States where services are provided — list every EU/EEA member state where you actively provide the service in question. This determines which other national registrations you may need and contributes to cross-border supervision decisions.
6. IP address ranges — the entity’s assigned IP address ranges. This field is collected by national competent authorities but is explicitly excluded from the data forwarded to ENISA under Article 27(4). It remains within the national competent authority’s systems for national-level threat mapping and incident response [1].

Changes to any of these fields must be notified to the competent authority without delay and in any event within three months of the change [1]. That window is shorter than it sounds — an IP range expansion, a new EU subsidiary, a change of primary contact, or the addition of a new member state’s customer base all trigger the obligation.

Deadlines — Initial Registration and Ongoing Notifications

The NIS2 Directive set January 17, 2025 as the EU-wide initial registration deadline for entities already in operation at the time of transposition [1]. In practice, the picture is more complicated.

Most member states did not transpose the directive into national law by the October 17, 2024 deadline. Without national law in force, there is no competent authority designated and no registration mechanism available. This means the actual operative deadline for most entities is the deadline set by national implementing legislation, not the directive’s January 17, 2025 date — and those national deadlines vary significantly across the EU. The country-by-country section below covers this in detail.

The ongoing notification obligation is straightforward in principle but easy to underestimate in practice. Any change to the submitted information — new contact details, an IP range expansion, adding a member state, a corporate restructuring that changes your main establishment — must be notified within three months of that change [1]. Build this into your change management process; it should not require a compliance review to trigger.

Country Registration Portals and National Deadlines

Plain-language summary: This section gives you the specific portal and deadline for five of the largest EU markets. For countries not listed, identify your national competent authority from the ENISA NIS2 country page or your member state’s official cybersecurity agency website.

Germany — BSI, Deadline March 6, 2026

Germany transposed NIS2 into national law (BSIG-Neu) on December 6, 2025. Entities have three months from that date to register — deadline March 6, 2026 [7].

Registration uses a two-step process. First, create a “Mein Unternehmenskonto” (MUK — My Company Account) at the German government portal. Once that account is established, complete your NIS2 entity registration via the BSI portal at bsi.bund.de. The same BSI portal subsequently serves as the platform for incident reporting obligations (24-hour early warning, 72-hour notification, 30-day final report) [3]. Registering early gives your team time to familiarise with the portal before an incident forces you to use it under pressure.

Germany’s law applies to organisations operating in covered sectors with annual turnover exceeding €10 million or 50 or more employees. Approximately 29,500 entities are in scope — a significant expansion from the 4,500 KRITIS operators under the previous framework [3].

Italy — ACN, Deadline February 28, 2025

Italy’s competent authority is the Agenzia per la Cybersicurezza Nazionale (ACN). The ACN operates a digital registration portal that requires authentication via SPID (Sistema Pubblico di Identità Digitale) or CIE (Carta d’Identità Elettronica — the national identity card) [4].

Italy applied a split deadline. Entities listed under Article 42 of the Italian NIS2 Decree — specifically DNS service providers, TLD registries, domain registrars, cloud computing providers, data centres, CDN providers, MSPs, MSSPs, online marketplaces, search engines, and social network providers — were required to register by January 17, 2025. All other in-scope entities had until February 28, 2025 [4].

After registration, the ACN prepared an official list of entities falling within scope and notified each registered entity whether it was included or excluded by April 15, 2025. Entities that disagree with their classification can challenge that decision — registration is the prerequisite for that challenge process [4].

Belgium — CCB / Safeonweb@Work, Deadline March 18, 2025

Belgium’s competent authority is the Centre for Cybersecurity Belgium (CCB). Registration is handled through Safeonweb@Work, the CCB’s dedicated portal for NIS2 entities at atwork.safeonweb.be [5].

Belgium also applied a staggered deadline. Digital service providers — cloud computing services, social networking platforms, and domain registration services — were required to register by December 18, 2024. Most other in-scope entities had until March 18, 2025 [5]. A compliance documentation deadline followed on April 18, 2025, covering risk management documentation, governance structures, and incident response capability evidence [2].

Romania — DNSC / NIS2@RO, Deadline September 22, 2025

Romania transposed NIS2 with implementation orders effective August 20, 2025. Entities had 30 days from that date — deadline September 22, 2025 [6].

Registration uses the NIS2@RO Tool or the NIS2@RO Platform. An important procedural note: any registration submitted before August 20, 2025 is not legally valid and must be resubmitted under the new framework [6]. Romanian entities that registered early under a prior provisional process need to confirm their registration status under the implementing orders.

Romania’s post-registration obligations are the most structured of any member state in this comparison. Within 60 days of DNSC registration confirmation, entities must submit a risk-level assessment using the Order No. 2/2025 methodology. A cybersecurity maturity self-assessment follows within another 60 days, and a remediation plan must be submitted within 30 days after that [6]. Article 27 registration is the entry point into a three-stage compliance timeline.

Ireland — NCSC, Portal Pending

Ireland did not meet the October 17, 2024 transposition deadline and had not enacted national NIS2 legislation as of early 2025. The NCSC’s registration and incident reporting portals were not yet available at that point [10]. For context on Ireland’s approach once legislation is enacted, see NIS2 in Ireland: National Implementation, Authorities, and Registration.

Until the Irish portal goes live, organisations with queries can contact the NCSC directly at NIS2Queries@ncsc.gov.ie [10].

Multi-State Providers: When One Registration Is Not Enough

The NIS2 “main establishment” principle — which allows entities to deal with a single lead supervisory authority — applies to essential and important entities under Article 26. However, for Article 27 entities specifically, the obligation is to register in each member state where services are provided if the entity cannot point to a single main EU establishment [2][8].

In practice: a cloud provider headquartered in Ireland with active enterprise customers in Germany, Belgium, and Italy may need to register in all four jurisdictions unless Irish law establishes an exemption or the entity can demonstrate a clear “main establishment” claim. Monitor each country’s national implementing legislation — several member states have introduced or are developing simplified procedures for cross-border providers.

The Registration Process — Step by Step

The following steps apply across all member states, with country-specific portal and deadline substituted at Step 3:

1. Confirm Article 27 scope (Effort: Low) — Use the decision logic above. Verify the specific service type you provide maps to one of the eleven listed categories. Check your national implementing regulation for any scope adjustments. Owner: Legal / Compliance Officer.
2. Identify your main establishment jurisdiction (Effort: Low) — If your organisation has a principal EU establishment, that member state’s competent authority governs your registration. If you are a non-EU entity, identify the member state where your Article 26(3) representative is or will be located. Owner: Legal.
3. Locate the competent authority portal (Effort: Low) — Use the country list above, or locate your national authority via the ENISA NIS2 country overview page. Confirm the portal URL from an official government or agency source — do not rely on third-party directories. Owner: Compliance Officer.
4. Gather the six required data fields (Effort: Medium) — Collect your legal entity name, Annex I/II sector code, establishment addresses, current contact details, member states served list, and IP ranges. For IP ranges, coordinate with your network/IT team early — this data is not always readily available in a compliance team’s files. Owner: IT Security Manager + Compliance Officer.
5. Submit via portal (Effort: Low) — Complete the registration form. Some portals (Italy: SPID/CIE; Germany: MUK account) require identity verification steps before the registration form is accessible. Allow additional time for this pre-registration setup if you have not used these identity systems before. Owner: Compliance Officer.
6. Retain proof of submission (Effort: Low) — Save the submission confirmation, reference number, or portal receipt. Competent authorities in some member states will issue a formal acknowledgement; others do not. A submission record protects you if enforcement queries arise. Owner: Compliance Officer.
7. Set change notification reminders (Effort: Low) — Calendar a review of your submitted data every quarter. Article 27(3) requires notification within three months of any change. Quarterly review keeps that deadline manageable. Owner: Compliance Officer.

What Happens After You Submit

Plain-language summary: Submission is not the end of the process — it is the beginning of a chain that eventually builds the pan-EU registry ENISA is required to maintain under Article 27(1). Here is what that chain looks like, and what to expect in your jurisdiction.

The EU-Level Flow

Your submission goes to the national competent authority. That authority’s designated single point of contact then forwards the data to ENISA “without undue delay” [1]. The data forwarded excludes IP ranges — those remain within the national authority’s systems [1]. ENISA uses the aggregated data from all 27 member states’ single points of contact to build and maintain the pan-EU registry. Competent authorities across the EU can access this registry upon request, subject to confidentiality protections [9].

The practical significance: once you register in your main establishment country and that data reaches ENISA, your entity becomes visible to competent authorities in other member states as a cross-border digital service provider. This is relevant for supervisory jurisdiction decisions under Article 26.

Country-Level Follow-On — What to Expect

Italy: The ACN compiles an official list of all entities falling within NIS2 scope and notifies each registered entity of their inclusion or exclusion by April 15 (in the cycle initiated by the February 2025 registration window). Entities on the list then face formal NIS2 security obligations. Entities notified of exclusion know their registration was considered but the authority determined they fall outside scope [4].

Romania: The DNSC confirmation of registration starts a formal 60-day clock for risk-level assessment submission. This is followed by a cybersecurity maturity self-assessment and remediation plan. Romanian entities should treat DNSC confirmation of registration as Day 0 of a compliance timeline, not as a completion event [6].

Germany: The BSI portal becomes your ongoing regulatory interface — not just for registration status but for all security incident reporting obligations. The same account used for registration will receive regulatory communications and is used to file the 24-hour early warning, 72-hour incident notification, and 30-day final report required under Article 23 [3].

Belgium: Registration was followed by a separate April 18, 2025 deadline for compliance documentation — evidence of risk management measures, governance structures, and incident response capability. Registration did not itself satisfy these documentation obligations [5].

Non-EU Entities Providing Services in the EU

A DNS provider headquartered in the United States, a cloud platform operating from Singapore, or a social networking service based in Canada — if they provide services to EU users and meet the NIS2 scope thresholds, they face Article 27 registration obligations.

The mechanism is Article 26(3): non-EU entities that fall within NIS2 scope must designate a legal representative in a member state where they provide services. That representative becomes the entity’s point of contact for competent authorities, and the entity registers under the jurisdiction of the member state where the representative is located [1][2].

In practice, this means the representative’s EU address substitutes for the establishment address in field (c) of Article 27(2), and the representative’s contact details supplement field (d). The choice of representative member state is a strategic decision — it determines which national competent authority oversees the entity and under which national implementing law penalties are calculated.

Non-EU entities that have not designated a representative and not registered remain subject to NIS2 enforcement in any member state where they provide services. The absence of a representative does not create an exemption.

Frequently Asked Questions

Do all NIS2 entities need to register under Article 27?

No. Article 27 applies only to the eleven digital and online service provider types listed in Article 27(1). Energy operators, healthcare providers, financial entities, water utilities, and other sectors covered by Annexes I and II are subject to NIS2 obligations — but not the Article 27 registration procedure specifically. Their registration and supervision mechanisms are handled through sector-specific competent authority relationships established by national implementing law.

What if my member state has not yet transposed NIS2?

If national implementing law is not yet in force, there is no legally operative registration deadline or competent authority to register with. Monitor your national cybersecurity authority’s website for transposition updates and portal launch announcements. Several member states — Ireland, France, the Netherlands, Spain, and others — had not completed transposition as of 2025. When the law enters into force, the national deadline clock starts — often 30 days to three months from that date.

What is the penalty for failing to register under Article 27?

Penalties are set by national implementing law and vary by member state. Under the directive, essential entities face maximum fines of at least €10 million or 2% of global annual turnover (whichever is higher); important entities face at least €7 million or 1.4% of turnover. Non-registration is a discrete compliance failure separate from security obligation failures — it can be penalised independently. In Germany, personal liability for management board members applies alongside organisational fines [3].

How do I update my registration after changes?

Return to the same national portal you used for initial registration and update the relevant fields. Article 27(3) requires notification “without delay and in any event within three months” of the change. Most portals allow direct amendment of submitted data rather than requiring a fresh submission. Keep your submission confirmation number — you will need it to locate your registration record.

Does Article 27 registration fulfil all NIS2 compliance obligations?

No. Registration is a data submission obligation under Chapter V of the directive. It does not satisfy the security measures required under Article 21 (risk management), the incident reporting obligations under Article 23, or the governance requirements under Article 20. Registration tells authorities you exist; the security obligations govern how you operate. The two run in parallel.

I operate in five EU countries — must I register five times?

Potentially, yes. For Article 27 entities, the main-establishment rule under Article 26 can limit registration to one member state if you have a genuine single principal EU establishment. If you cannot establish a clear main establishment, or if national implementing law in your operating jurisdictions requires local registration regardless, you may need to register in each country separately [2][8]. Legal advice tailored to your corporate structure is recommended for multi-state providers.

Key Takeaways

• Article 27 applies to eleven specific digital and online service provider types — not to all NIS2 entities.
• Gather six data fields before opening any portal: entity name, sector code, establishment address, contact details, member states served, and IP ranges.
• The EU directive set January 17, 2025 as the initial deadline, but the operative deadline is your national implementing law’s date — which varies from December 2024 (Belgium) to March 2026 (Germany).
• After you submit, your data travels from competent authority to ENISA’s pan-EU registry via the single point of contact — minus your IP ranges, which stay national.
• Romania adds a three-stage post-registration compliance timeline; Germany’s registration portal doubles as your incident reporting interface; Italy confirms entity inclusion or exclusion formally.
• Non-EU entities must designate an Article 26(3) representative in the EU before registering — the representative’s member state determines your supervisory jurisdiction.
• Registration is the start of compliance, not the finish. Article 21 security obligations and Article 23 incident reporting requirements continue to apply independently.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

1. NIS 2 Directive, Article 27: Registry of entities — nis-2-directive.com
2. Registration requirements under NIS2 — Eversheds Sutherland
3. Germany Implements NIS2: Registration portal will open on January 6, 2026 — Privacy World
4. NIS 2 Registration in Italy: ACN publishes a guide to complying with its portal requirements — Gaming Tech Law
5. NIS2 | Centre for Cybersecurity Belgium — ccb.belgium.be/regulation/nis2
6. Deadline approaches: NIS2 registration and risk evaluation in Romania — Wolf Theiss
7. Germany Implements NIS2: Immediate Effect, Broad Scope, Near-Term Registration — Reed Smith
8. Navigating NIS2: What Organisations Need to Know as EU Implementation Unfolds (Goodwin Law) — Goodwin Law
9. ENISA — NIS Directive 2 — enisa.europa.eu/topics/state-of-cybersecurity-in-the-eu/cybersecurity-policies/nis-directive-2
10. NIS2 | NCSC Ireland — ncsc.gov.ie/nis2/