
How Public Administration Must Comply With NIS2: 10 Article 21 Obligations for Central and Regional Government

Government bodies across the EU are high-value targets for cyberattacks — a fact the NIS2 Directive addresses by placing public administration among its 11 sectors of “high criticality” in Annex I. Unlike most sectors, central government entities face no size threshold: a ministry with 50 staff qualifies as an essential entity by the same rule as one with 50,000.

But the scope question is more nuanced than most guides acknowledge. Regional government entities must clear a separate risk-based assessment. Parliaments, courts, and central banks are explicitly excluded from the definition of covered public administration. EU institutions operate under an entirely different regulation. And the procurement dimension — the obligation to cascade NIS2 requirements through ICT contracts — is almost universally overlooked in government compliance planning.

This guide covers all of it: who is in scope, the 10 Article 21 obligations that apply, what is genuinely excluded, how member state discretion shapes local government coverage, and the practical implementation path for government IT and compliance teams.

Figure: NIS2 Annex I, sector 10 brings central and regional government entities into scope; Article 21 then requires them to implement all 10 risk-management measures.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Is Your Entity in Scope? Annex I, Section 10 Explained

NIS2 Annex I lists 11 sectors of high criticality. Public administration is sector 10. The definition is precise — and a surprising number of government bodies misread their position, either assuming inclusion when excluded or assuming exclusion when firmly in scope.

Two categories of public administration entity fall within mandatory NIS2 scope [1][2]:

| Entity type | Coverage rule | Size threshold applies? |
|---|---|---|
| Central government | In scope automatically, as defined by each Member State in accordance with national law; no risk assessment required | No; in scope by category |
| Regional government | In scope only if a risk-based assessment shows that disruption of its services would have a significant impact on critical societal or economic activities | No; in scope by risk assessment outcome, not by size |
| Local government | Optional; Member States may extend NIS2 to the local level under Article 2(5) | Varies by national transposition |

The “central government” category is deliberately broad. Ministries, executive agencies, central government departments, and public bodies established under central government authority all fall within it. Each Member State defines what constitutes central government for NIS2 purposes — the precise list varies by jurisdiction, but the principle is consistent: if the entity exercises central government functions, it is in scope without further analysis.

Regional government entities face an extra threshold. In practice, regional health boards, major regional transport authorities, and regional councils delivering essential digital services typically clear the risk-based test. Smaller regional bodies with no critical digital service delivery may not. Crucially, regional entities should not assume exclusion — the risk-based assessment is an active determination, not an automatic carve-out. Obtain a written scope determination from your national competent authority if your entity’s status is unclear.

The Three Explicit Exclusions

The NIS2 Directive's definition of "public administration entity" (Article 6(35)) is unusually precise about three categories that do not qualify as covered public administration entities at all [1][2]:

  • National parliaments — legislative bodies are outside NIS2 scope
  • Courts — judicial bodies at all levels, including supreme and constitutional courts
  • Central banks — monetary authorities are outside the definition entirely

These exclusions reflect the constitutional independence guaranteed to legislative, judicial, and monetary institutions under EU and national law. They are not carved out of NIS2 obligations — they are outside the definition of covered entities altogether.

The practical implication: a ministry of justice falls within NIS2 scope; the courts it administers do not (unless the Member State separately designates them). A finance ministry is in scope; the national central bank is not. Government IT teams that support both an in-scope ministry and an excluded body must apply NIS2 to the ministry’s systems while that obligation does not flow automatically to the court or central bank’s separate systems.

National Security and Law Enforcement: The “Predominantly” Test

Article 2(7) removes public administration entities from NIS2 scope where their activities fall predominantly within national security, public security, defence, or law enforcement — including criminal investigation and prosecution [2].

Recital 8 introduces the key qualifier: an entity whose activities are only marginally related to those areas remains within NIS2 scope [5]. A cybersecurity coordination agency housed within a home affairs ministry but primarily serving civilian government bodies cannot claim the exclusion simply because of its ministry affiliation. Regulatory authorities are not automatically excluded even if they operate in sensitive sectors [5].

The practical test: if national security or law enforcement is the entity’s primary statutory purpose, the exclusion applies. If it is incidental to a predominantly civilian administrative function, NIS2 applies.

Essential Entity Status — What It Means for Government Bodies

Central government entities are not merely in NIS2 scope: Article 3(1)(d) classifies them as essential entities automatically, by cross-reference to Article 2(2)(f)(i) [4]. Regional entities that pass the risk-based assessment are in scope under Article 2(2)(f)(ii), but the Directive does not make them essential automatically. Under Article 3(2), an in-scope entity that is not listed in Article 3(1) is an important entity unless the Member State's transposition designates it as essential, so regional bodies must check their national classification rather than assume either status. The classification carries concrete supervisory and enforcement differences that government IT and legal teams must understand before planning their compliance programme.

The essential vs. important distinction matters in four practical areas:

| Criterion | Essential entities (e.g. central government) | Important entities (e.g. regional bodies not designated essential; most of the private sector) |
|---|---|---|
| Supervision model | Ex ante: proactive, ongoing supervision by the NCA, regardless of incidents | Ex post: supervision triggered by evidence, indication or information of an infringement |
| Penalty ceiling | EUR 10 million or 2% of total worldwide annual turnover, whichever is higher | EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher |
| On-site inspections | NCA may conduct them without a prior incident having occurred | NCA conducts them following an incident or specific information |
| Security obligations | All 10 Article 21 measures, all-hazards approach | All 10 Article 21 measures (proportionality varies) |

Government entities sometimes assume that existing public accountability mechanisms — parliamentary oversight, audit court scrutiny, data protection compliance — substitute for NIS2 obligations. They do not. NIS2 adds a dedicated cybersecurity supervisory layer administered by the national competent authority for cybersecurity. In most Member States this is a purpose-built cybersecurity agency (ANSSI in France, BSI in Germany, NCSC in various countries), not the general administrative courts or audit body [6].

Management Accountability Under Article 20

Article 20 of NIS2 places accountability on the management body of essential and important entities for approving and overseeing cybersecurity risk management measures, and allows the management body to be held liable for infringements. In government structures, this typically means the head of the administrative body (a permanent secretary, director-general, secretary of state, or equivalent) holds formal accountability, not merely the IT directorate.

The management body must: approve the entity’s cybersecurity risk management framework; oversee implementation of all Article 21 measures; complete cybersecurity training (Article 20(2)); and remain personally accountable to the supervisory authority for compliance. For government IT and compliance teams, compliance reporting must be structured for senior leadership decision-making, not only for technical implementation teams. Our guide on board and management obligations covers the specific training and approval requirements.

The EU Agency Question — An Exemption That Does Not Apply to National Governments

A persistent misconception in government IT: because NIS2 does not apply to “EU institutions,” some national government bodies assume they fall under the same carve-out. This reasoning fails on two counts.

First, EU institutions, bodies, offices, and agencies — the European Commission, European Parliament, EU agencies such as ENISA and Europol — fall outside NIS2 scope because the directive applies to Member States’ national entities, not to EU-level bodies. EU institutions are governed instead by Regulation (EU) 2023/2841, a separate cybersecurity framework for Union institutions [6].

Second, national governments are not EU institutions. The carve-out that removes the European Commission from NIS2 scope has no bearing on a national ministry, a regional council, or a national agency. A German federal ministry, a Swedish regional authority, or an Irish government department is a national public administration entity, within NIS2 scope under Annex I, sector 10 (central government bodies as essential entities, regional bodies subject to the risk-based test), regardless of how closely it works with EU institutions or how much EU funding it receives [2].

The practical risk: government IT departments sometimes conflate “this is subject to European Commission cybersecurity policy” with “NIS2 does not apply to us.” They are entirely separate legal frameworks with separate obligations, timelines, and supervisory authorities.

The 10 Article 21 Measures: What Government Entities Must Implement

Article 21 is the core compliance obligation for all essential entities. Government bodies classified as essential must implement all 10 security measures under an all-hazards approach — covering cyberattacks, insider threats, supply chain compromise, and physical incidents. The measures are minimum requirements; Member States may impose stricter standards in national transposition [3].

The “proportionate” language in Article 21(1) acknowledges that a small regional authority and a central government ministry implement the same 10 measures at different scales and depths. The obligation to have all 10 in place is identical; the scope of implementation is calibrated to the entity’s risk profile and operational complexity. For a detailed breakdown, see our full NIS2 requirements guide.

| Article 21(2) measure | Government implementation notes |
|---|---|
| (a) Risk analysis and information system security policies | Risk assessments covering all critical government IT systems; policies formally approved at management level under Article 20 |
| (b) Incident handling | Documented response procedures and reporting chains to the NCA; 24-hour early warning obligation for significant incidents under Article 23 |
| (c) Business continuity, backup management, disaster recovery, crisis management | Continuity plans for essential digital public services; tested recovery procedures with documented recovery time and recovery point objectives |
| (d) Supply chain security (direct suppliers and service providers) | Cybersecurity clauses mandatory in ICT procurement contracts; supplier vetting against NIS2-equivalent standards before contract award |
| (e) Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure | Secure-by-design requirements embedded in software procurement specifications; published vulnerability disclosure policy |
| (f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures | Regular internal audits and effectiveness reviews; documented audit evidence maintained for NCA proactive supervision |
| (g) Basic cyber hygiene practices and cybersecurity training | Mandatory training for all staff with access to government systems; completion records maintained per individual |
| (h) Policies and procedures on the use of cryptography and, where appropriate, encryption | Encryption policies for sensitive government data at rest and in transit; where the national cybersecurity authority publishes approved cryptographic standards, align with them |
| (i) Human resources security, access control policies, asset management | Background checks for roles with privileged access; role-based access control; government IT asset register maintained and current |
| (j) MFA or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate | MFA (or continuous authentication) at minimum for privileged, administrative and remote access; secure communication channels for sensitive government operations and crisis coordination |

NIS2 and Public Procurement — The Cascade Obligation

Government entities occupy a dual position under NIS2 that most compliance guides overlook: they are both regulated entities subject to the directive’s obligations AND among the largest ICT buyers in their respective Member States. That second role creates a legal duty to cascade security requirements through procurement activity.

The Mechanism: Article 21(2)(d)

Article 21(2)(d) requires risk management measures to address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” [3]. For a government ministry or regional authority operating critical IT infrastructure, this obligation breaks down into three concrete steps:

  1. Vendor assessment before award — evaluate whether an ICT supplier’s cybersecurity posture meets NIS2-equivalent standards before awarding any contract for services touching critical systems
  2. Contractual security clauses — embed minimum cybersecurity requirements, incident notification obligations, and audit rights in all ICT procurement contracts and framework agreements
  3. Ongoing monitoring — treat supplier cybersecurity as a continuous contractual obligation, not a once-at-onboarding check. The government entity remains responsible for its suppliers’ security posture throughout the contract lifecycle

Why Procurement Is Government’s Primary Leverage Point

NIS2 does not automatically make a commercial ICT supplier legally responsible under the directive simply because they serve a government entity. The directive applies to the government entity; the obligation to manage supply chain risk is the government entity’s. Through procurement contract terms, however, government bodies effectively extend NIS2-equivalent requirements into their supply chain and create contractual remedies when suppliers fall short.

Several Member States are codifying this in national transposition legislation, requiring that public authority procurement frameworks include mandatory cybersecurity annexes for ICT contracts above defined thresholds. Government procurement and legal teams should audit active ICT contracts for cybersecurity clause gaps and address them at the next renewal or, for high-risk suppliers, by contract amendment.

When Suppliers Are Also NIS2 Entities

An ICT provider serving a government essential entity may itself qualify as an essential or important entity, for example a cloud computing service provider (digital infrastructure, Annex I sector 8) or a managed security service provider (ICT service management, business-to-business, Annex I sector 9). Such suppliers face NIS2 obligations both as in-scope entities in their own right and as suppliers subject to the government entity's supply chain security requirements.

In practice, a supplier who is already NIS2-compliant can demonstrate this through third-party audits or recognised certifications, reducing the government entity’s due diligence burden. Structuring procurement security clauses to accept certification evidence as satisfying contractual security requirements simplifies ongoing monitoring and creates a clear audit trail for NCA inspections.

Member State Discretion — Local Government and National Variation

Local government entities — municipal authorities, district councils, metropolitan administrations — are not automatically within NIS2 mandatory scope. Article 2(5) grants Member States the discretion to extend NIS2 application to local public administration, but does not require it [2].

| Approach | Examples (as of 2025) | Status for local government |
|---|---|---|
| Extended scope | Italy, Belgium, Hungary, Romania | Major municipalities included in national transposition; full NIS2 obligations apply |
| Mandatory baseline only | Most other Member States | Local government excluded from mandatory scope or covered only by voluntary frameworks |

If your Member State has extended NIS2 to local government, your entity faces the Article 20, 21 and 23 obligations, with whatever scope threshold the national law attaches; whether it is classified as essential or important is set by the transposition, since the Directive itself makes only central government essential automatically. If not, NIS2 is not legally mandatory, but local authorities providing essential public services should apply the Article 21 framework voluntarily for two reasons:

  • Member States can extend scope at any time; proactive compliance avoids the catch-up costs and supervisory scrutiny that follow a sudden scope expansion
  • Local authorities increasingly procure from NIS2-in-scope ICT suppliers and face contractual cybersecurity requirements in supplier contracts regardless of their direct regulatory status

The NIS2 scope guide covers how size thresholds interact with sector-based rules for entities across the full range of Annex I and Annex II sectors.

Regional Government: Do Not Assume Exclusion

Regional government entities face the risk-based assessment threshold described earlier. What constitutes “significant impact on critical societal or economic activities” is interpreted by each Member State, and national implementations vary. Regional entities should not treat the threshold as a default carve-out — it is an active determination. If your entity has not obtained a formal scope determination from your national competent authority, schedule that engagement as a first-step compliance action.

Role-Specific NIS2 Obligations for Government Teams

The same Article 21 measures produce different deliverables depending on where you sit in a government organisation. Here is how NIS2 responsibilities map across the four key government roles:

| Role | Primary NIS2 responsibilities | Key deliverable |
|---|---|---|
| CISO / IT Security Manager | Own and implement all 10 Article 21 technical measures; lead incident response; manage the ongoing NCA relationship | Risk assessment, incident response plan, technical security policies, effectiveness audit evidence |
| Compliance Officer / Legal | Confirm scope determination; prepare NCA registration; draft supplier security clauses; manage documentation for NCA proactive supervision | Scope determination memo, NCA registration, supplier contract security annex |
| IT Procurement / Contracts | Embed NIS2 security clauses in ICT tenders and framework agreements; assess supplier cybersecurity posture before award | Procurement security annex template, supplier cybersecurity assessment questionnaire |
| Head of Entity / Management | Formally approve the cybersecurity risk management framework under Article 20; complete cybersecurity training; accept accountability for compliance | Signed framework approval, training completion record, board-level risk reporting |

NIS2 Compliance Checklist for Government Entities

Use this checklist alongside your gap assessment. Every item maps to a specific regulatory basis in the NIS2 Directive or its implementing acts.

| # | Obligation | Basis |
|---|---|---|
| 1 | Scope determination confirmed with national NCA (central / regional / local status) | Art. 2(2)(f), Art. 2(5), Art. 6(35) |
| 2 | Registered with the national NCA as an essential or important entity (Member States were to establish their entity lists by 17 April 2025; the entity-side registration deadline is set in national law) | Art. 3(3)-(4) + national transposition |
| 3 | Risk analysis and information security policies approved at management level | Art. 21(2)(a), Art. 20 |
| 4 | Incident handling procedure documented with NCA reporting chain | Art. 21(2)(b), Art. 23 |
| 5 | Business continuity and disaster recovery plans documented and tested | Art. 21(2)(c) |
| 6 | Supply chain security policy with supplier vetting criteria defined | Art. 21(2)(d) |
| 7 | NIS2 cybersecurity clauses embedded in active ICT procurement contracts | Art. 21(2)(d) |
| 8 | Vulnerability handling and disclosure policy published | Art. 21(2)(e) |
| 9 | Effectiveness review process with documented audit evidence | Art. 21(2)(f) |
| 10 | Cybersecurity training programme deployed for all staff with system access | Art. 21(2)(g) |
| 11 | Cryptography and encryption policies approved for data at rest and in transit | Art. 21(2)(h) |
| 12 | Role-based access control and IT asset management register implemented | Art. 21(2)(i) |
| 13 | MFA (or continuous authentication) deployed, at minimum for privileged, administrative and remote access | Art. 21(2)(j) |
| 14 | Management body formally trained; accountability documented | Art. 20 |
| 15 | Incident reporting chain to NCA established: 24-hour early warning, 72-hour incident notification, final report within one month | Art. 23(4) |

Frequently Asked Questions

Does NIS2 apply to local government?

Not automatically. Article 2(5) gives Member States the option to extend NIS2 to local government. Several countries including Italy, Belgium, and Romania have done so in national transposition; most others have not. Check your national competent authority’s published guidance for your specific jurisdiction, as this position can change when Member States update their implementing legislation.

Are courts and parliaments covered by NIS2?

No. The definition of "public administration entity" in Article 6(35) explicitly excludes the judiciary, parliaments, and central banks. These institutions are outside NIS2 scope by definition: they are not merely exempt from certain obligations, they do not qualify as covered public administration entities at all.

How does incident reporting work for government entities?

The reporting timelines for all essential entities are identical: a 24-hour early warning, a 72-hour incident notification, and a one-month final report to the national competent authority under Article 23. The NCA for a government entity is typically the national cybersecurity agency — the same authority that oversees private sector essential entities. Our incident reporting guide covers the full process, notification thresholds, and what constitutes a significant incident.

Can a government agency claim exemption because it handles classified information?

The national security exclusion in Article 2(7) requires that activities be “predominantly” in areas of national security, defence, or law enforcement. Recital 8 makes clear that entities only marginally related to those areas remain in scope. Handling classified information in a role that is predominantly civilian administration does not automatically trigger the exclusion. A written determination from the national competent authority or relevant legal counsel is advisable before relying on this exemption.

Does outsourcing IT functions transfer the NIS2 obligation to the service provider?

No. Article 21(2)(d) requires supply chain security measures covering direct suppliers and service providers. Outsourcing IT functions does not transfer the NIS2 obligation away from the government entity — the entity remains responsible for ensuring suppliers meet equivalent security standards through contractual requirements and ongoing monitoring.

What are the penalties for non-compliance?

Essential entities, which includes central government bodies and any regional bodies the Member State has designated as essential, face administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, under Article 34(4). Important entities face up to EUR 7 million or 1.4% under Article 34(5). Member States may apply additional administrative or criminal penalties under national transposition. Our NIS2 penalties guide covers the full enforcement framework.

Sources

[1] Directive (EU) 2022/2555 — EUR-Lex. NIS2 Directive primary text: Annex I sector 10, Article 2, Article 3, Article 20, Article 21, Article 23, Article 34.

[2] Article 2, Scope — NIS2 Resources. Article 2(2)(f) public administration scope rule for central and regional government; Article 2(5) Member State discretion for local government; Article 2(7) national security and law enforcement exclusion. (The exclusion of the judiciary, parliaments, and central banks sits in the Article 6(35) definition of "public administration entity" in [1].)

[3] Article 21: Cybersecurity risk-management measures — nis-2-directive.com. Full text of all 10 measures under Article 21(2)(a)–(j).

[4] Article 3: Essential and important entities — nis-2-directive.com. Essential entity classification; public administration entities designated essential regardless of size via Article 3(1)(d) and Article 2(2)(f)(i).

[5] NIS2 Preamble Recitals 1–10 — nis-2-directive.com. Recital 8: “predominantly” test for national security exclusion; entities marginally related to national security remain in scope; regulatory authorities not automatically excluded.

[6] NIS2 Directive FAQs — European Commission. Public administration classified as highly critical sector; PA entities fall under jurisdiction of the Member State that established them.
