NIS2 Supervisory Measures Explained: What Articles 32 and 33 Mean for Your Next Inspection
Twenty-one of 27 EU member states have now transposed NIS2, and competent authorities in countries that completed transposition earliest — including Ireland, the Netherlands, and Croatia — are well into their supervisory cycles. Germany’s NIS2 implementation act entered into force on 6 December 2025. Enforcement is no longer a countdown exercise. For many organisations, it has already started.
Most compliance programmes have focused on implementing security controls under Article 21. Fewer have modelled what actually happens when a competent authority initiates supervisory action — what triggers an inspection, what evidence is requested, how a compliance notice works, and what escalation looks like when an entity does not respond in time.
NIS2 creates two distinct supervision regimes: one for essential entities under Article 32 of Directive (EU) 2022/2555, and one for important entities under Article 33. The difference is not cosmetic. Essential entities can be inspected at any time, without prior warning or a preceding incident. Important entities are supervised reactively, but once a trigger fires, the supervisory tools available to authorities are almost identical.
This guide maps both regimes and the full inspection lifecycle: trigger conditions, evidence requests, compliance notices, management suspension powers, and documentation preparation for when the inspector arrives.
The Two Supervisory Regimes: Essential vs. Important Entities
NIS2 draws a sharp distinction at the supervisory level — and nowhere is that line more consequential than in how and when your organisation will face regulatory scrutiny.
Essential entities under Article 32 face ex-ante supervision. Competent authorities can initiate supervisory action proactively, without any prior incident, complaint, or evidence of wrongdoing. This is not an exceptional mechanism — it is the default operating mode for essential entities. Your organisation can be subject to a random check, targeted audit, or on-site inspection as part of routine supervisory activity.
Important entities under Article 33 face ex-post supervision. Supervisory action is reactive — triggered only when there is evidence or an indication that an entity may not be meeting its obligations, particularly under Articles 21 (risk management measures) and 23 (incident reporting). If no complaint is filed, no incident is reported, and no audit tip-off reaches the authority, important entities typically operate outside the active supervisory cycle.
| Feature | Essential Entities (Art. 32) | Important Entities (Art. 33) |
|---|---|---|
| Supervision model | Ex-ante — proactive | Ex-post — reactive only |
| Inspection trigger | None required | Evidence of non-compliance required |
| Random checks | Permitted without prior notice | Not applicable (trigger required first) |
| Ad hoc audits | Yes, including post-incident | Yes, once triggered |
| Management suspension | Competent authority may request | Not directly available under Art. 33 |
| Independent audit costs | Typically authority-borne | Entity-borne by default |
| Applies to public bodies | Yes, with modifications | Yes, with modifications |
| Maximum fine | EUR 10 million or 2% global turnover | EUR 7 million or 1.4% global turnover |
Which category applies to your organisation depends on sector classification, annual turnover, and employee thresholds defined by your Member State’s transposition legislation. Classify incorrectly and you either under-prepare for ex-ante scrutiny or fail to identify the triggers that expose you to ex-post supervision.
Article 32 Supervision in Practice: What Essential Entities Face
Article 32 gives competent authorities a broad toolkit — and critically, no threshold requirement to use it.
On-site inspections and off-site supervision are the core instruments. These can include random checks conducted by trained professionals. A random check does not require a pre-existing compliance concern — it is a scheduled or spontaneous examination of your security measures, documentation, and governance processes. The absence of a recent incident does not protect an essential entity from routine supervisory attention.
Security audits take two forms. Regular and targeted audits are carried out by an independent body or the competent authority itself, typically on a planned cycle or in response to sector-wide risk assessments. Ad hoc audits are triggered by a significant incident or a material risk indicator — and can be initiated without notice, often following an Article 23 incident notification that reveals potential control weaknesses.
Security scans based on objective, non-discriminatory, fair, and transparent risk assessment criteria may also be conducted. These are technical assessments of your network and information systems, typically using automated scanning tools applied against documented risk criteria.
Information requests form the documentary backbone of any supervision. Competent authorities can demand access to your cybersecurity documentation, the results of security audits and penetration tests, and evidence that your security policies are actually implemented — not merely drafted. When making information requests, authorities must state the purpose and specify the information required. This creates a formal framing requirement you can use to scope and prioritise your response.
The enforcement toolkit at Article 32 includes: warnings that an infringement has occurred, binding instructions with specific remediation requirements and deadlines, orders to cease infringing conduct, compliance orders directing alignment with Article 21 security requirements, orders to notify customers of significant cyber threats, mandatory implementation of security audit recommendations, public disclosure orders naming the entity as non-compliant, and administrative fines under Article 34 — up to EUR 10 million or 2% of global annual turnover, whichever is higher.
Article 33 Supervision in Practice: The Trigger Requirement and Its Implications
The practical effect of the Article 33 ex-post model is that important entities are not under active supervisory scrutiny during normal operations. This does not mean they can deprioritise readiness — it means they need to understand precisely what events will activate the supervisory cycle.
What constitutes a trigger? Article 33 activates when a competent authority receives evidence that an important entity allegedly does not comply with the directive. In practice, triggers include:
- An incident report submitted under Article 23 that reveals inadequate controls or delayed detection
- A complaint by a customer, employee, contractor, or third party
- A tip-off from a sector regulator or another national competent authority
- Findings from a sector-wide assessment or thematic supervisory review
- Cross-border information sharing through the NIS Cooperation Group
Once triggered, the investigative powers available to the authority are substantially the same as those applicable to essential entities: on-site inspections, off-site supervision, targeted security audits, security scans, and information requests. The trigger is different; the investigative toolkit that follows is not.
A critical procedural point: under Article 33(3), when competent authorities exercise their powers to request information, access documents or obtain evidence under points (d), (e) or (f) of Article 33(2), they must state the purpose of the request and specify the information sought. This creates a formal framing obligation — authorities cannot issue open-ended requests without identifying their basis. Entities receiving a request that appears to exceed its stated scope have a documented procedural foundation for seeking clarification before responding.
Audit costs under Article 33 fall on the audited entity by default. Targeted security audits carried out by an independent body are funded by the organisation being audited, unless the competent authority decides otherwise and provides justification. An independent NIS2 security audit can reach tens of thousands of euros depending on scope and sector complexity — this is a supervisory cost to budget for, not just an optional compliance investment.
The enforcement powers following an Article 33 investigation are identical to those under Article 32 — warnings, binding instructions, compliance orders, public disclosure, and administrative fines of up to EUR 7 million or 1.4% of global annual turnover for important entities. The trigger threshold is higher; the consequences once reached are not materially different.
The Inspection Lifecycle: From Trigger to Resolution
Whether your organisation is an essential or important entity, the supervisory process follows a recognisable procedural structure once initiated. Understanding this sequence before it begins is your primary preparation advantage — each stage has an intervention opportunity.
Stage 1 — Trigger
For essential entities: may be a scheduled periodic inspection, a random check, or a post-incident ad hoc audit — no prior compliance concern required. For important entities: must be evidence of non-compliance, an incident report, a complaint, or a cross-border referral from another authority.
Stage 2 — Information Request
The competent authority issues a formal request stating its purpose and specifying the information required. Typical scope includes: cybersecurity risk-management policies, incident response procedures, the results of security audits and penetration tests along with their underlying evidence, supply chain security assessments, and access control documentation. The request will specify a deadline for compliance. This is also the point where you assess whether the request is within scope of its stated purpose.
Stage 3 — Evidence Submission and Assessment
Your organisation submits the requested documentation. Inspectors assess whether the evidence demonstrates actual implementation of required controls — not merely the existence of policies. The distinction between a policy that exists and a policy that is demonstrably applied drives outcomes at this stage. On-site verification may accompany documentary review.
Stage 4 — Preliminary Findings
Before issuing formal enforcement measures, competent authorities must provide a statement of preliminary findings and allow a reasonable period for your organisation to respond. This is the critical intervention window. Engaging substantively and promptly — providing additional evidence, correcting factual inaccuracies, or presenting a credible remediation plan with milestones — can prevent escalation to formal enforcement. Many investigations close at this stage for entities that respond effectively.
Stage 5 — Compliance Notice
If preliminary findings identify non-compliance, the authority issues a formal compliance notice containing: a statement of the alleged contravention, the specific directions and remedial measures required, and a deadline for compliance. The compliance notice has binding legal effect from the point of issuance and is the formal record of the supervisory proceeding.
Stage 6 — Binding Instructions
The competent authority may issue binding instructions specifying exactly what security measures must be implemented and by when. These are legally enforceable directives, not recommendations. They may accompany the compliance notice or follow it if the entity’s initial response is inadequate.
Stage 7 — Escalation
If the entity fails to comply with binding instructions within the specified deadline, the authority may pursue: administrative fines under Article 34, public disclosure of the infringement, suspension of relevant certifications or authorisations, and — for essential entities — the management suspension mechanism described in the following section.
Management Suspension: The Escalation Tool Most Organisations Have Not Modelled
Article 32(5) contains a supervisory power that receives relatively little attention in compliance planning: the authority to seek temporary prohibition of a senior manager’s functions.
If an essential entity fails to take the necessary action within the deadline set after receiving binding instructions, competent authorities can request that relevant courts or tribunals temporarily prohibit any natural person responsible for discharging managerial responsibilities at CEO or legal representative level from exercising their management functions in that entity.
Several operational points matter for boards and senior executives preparing their governance posture:
Who is in scope? The provision targets individuals at CEO or legal representative level — not mid-level IT managers or compliance officers. Personal liability exposure sits at the top of the executive structure, regardless of whether that individual was the direct cause of the compliance failure. The governance accountability model NIS2 uses means that board-level oversight failures carry the same exposure as operational failures.
When does it apply? Management suspension is an escalatory measure, not a first-response tool. It requires prior failure to act after formal enforcement measures have been issued. The sequence is: compliance notice, then binding instruction, then failure to act within the specified deadline, then escalation to suspension request. Organisations that engage effectively at Stage 4 and Stage 5 of the inspection lifecycle eliminate the conditions for management suspension to arise.
When is it lifted? The suspension is temporary and has no fixed maximum duration. It applies until the entity demonstrates to the competent authority that the necessary action has been taken and compliance restored. The mechanism is designed as a compliance lever, not a permanent sanction.
Who is exempt? Article 32(5) explicitly excludes public administration entities from the management suspension mechanism. Private essential entities operating across all in-scope sectors — energy, transport, banking, healthcare, digital infrastructure, water supply, and others — are fully subject to this power.
National procedural variations are significant. In Ireland, the NIS 2 Regulations require a High Court order to give effect to a management suspension — providing a judicial oversight layer before the power takes effect. In Germany, the BSI Act grants the BSI direct enforcement powers, including binding orders, without requiring court intervention for most measures. The procedural route differs by jurisdiction; the underlying exposure does not.
For boards and senior executives, this mechanism transforms NIS2 compliance from an organisational obligation into a matter of personal professional risk. Ensuring the board is informed about compliance status, that escalation pathways are documented before an inspection begins, and that evidence of governance oversight exists as a matter of course — rather than assembled under investigatory pressure — is directly relevant here. For a detailed look at what NIS2 requires from management bodies specifically, see our guide to NIS2 board and director responsibilities.
Preparing Your Documentation for an Inspection
The most effective preparation step is not implementing additional controls — it is ensuring that the controls already in place are demonstrably evidenced.
Competent authorities do not expect perfect security. They examine governance patterns. Regulators consistently identify four failure signals that indicate systemic governance weakness: delayed incident detection, unclear ownership of security responsibilities, repeated misconfigurations, and poor documentation practices. Any one of these patterns, visible in your evidence pack, will shape the scope and severity of supervisory action.
The most common documentation gap is not missing policies — it is policies that exist on paper but cannot be traced to actual implementation. A risk management policy dated three years ago with no subsequent review record signals a governance process that exists nominally. A business continuity plan with no attached test records signals the same. Inspectors are experienced at distinguishing active compliance programmes from documentation exercises — and the distinction determines whether a review closes at Stage 3 or escalates to Stage 5.
| Documentation Type | What Inspectors Examine | Evidence Format Required |
|---|---|---|
| Risk management policy | Scope, methodology, review cadence | Dated, version-controlled, board-approved, with review log |
| Incident response plan | Procedure completeness, testing evidence | Dated document with attached tabletop or live exercise results |
| Security audit results | Findings, remediation actions taken | Full audit report plus remediation tracker with completion dates |
| Supply chain assessments | Third-party risk coverage, contractual controls | Vendor assessments, reviewed contracts, supplier inventory |
| Access control policy | MFA implementation, privileged access management | Policy document plus system configuration or IAM platform evidence |
| Business continuity plan | Recovery time objectives, last tested date | BCP document plus test records showing outcomes and gaps addressed |
| Training records | Who was trained, on what, and when | Completion records by role and date, with training material samples |
| Incident notification history | Article 23 reports submitted, timeliness of reporting | Copies of notifications with timestamps confirming 24-hour and 72-hour deadlines met |
Germany’s BSI practice under the December 2025 implementation act provides a useful specificity benchmark: entities must maintain detailed documentation of their cybersecurity methods and disclose the specific types of critical components they deploy. This level of specificity — not generic policies but documented evidence of the actual systems, vendors, and configurations in scope — reflects what demonstrable implementation means in an enforcement context. Generic documentation does not demonstrate implementation; system-specific evidence does.
For a complete methodology covering how to structure your pre-inspection evidence pack, see our NIS2 audit preparation guide. The NIS2 compliance checklist maps each Article 21 requirement to its corresponding evidence type, providing a ready-made framework for internal gap assessment before a supervisory request arrives.
Key Takeaways
- Identify your regime first. Essential entities face proactive ex-ante supervision with no trigger required. Important entities face reactive ex-post supervision — but investigative powers are nearly identical once activated. The difference is in when supervision begins, not what it looks like.
- Essential entities should treat inspection readiness as permanent. Any day can be a random check day. Your documentation evidence pack should be ready to submit on short notice, not assembled under deadline pressure after an information request arrives.
- Important entities should map their triggers. An Article 23 incident report, a third-party complaint, or a sector-wide assessment can initiate the full investigatory sequence. Knowing your triggers before they fire is your window for proactive remediation.
- The inspection lifecycle is predictable — use its structure. Information request to evidence submission to preliminary findings to compliance notice to binding instruction is a defined procedural sequence. Stage 4 (preliminary findings) is your critical intervention point. Entities that respond effectively at Stage 4 rarely reach Stage 7.
- Management suspension is real and escalatory. CEO and legal representative functions can be temporarily prohibited if an essential entity fails to act after binding instructions. Boards need to model this scenario — not when an inspection begins, but before one ever does.
- Documentation is your primary defence. Inspectors examine governance patterns. Dated, version-controlled, demonstrably implemented documentation — not policies in isolation — distinguishes a functioning compliance programme from a paperwork exercise.
For penalty structures and fine calculations associated with NIS2 non-compliance, see our detailed NIS2 penalties guide.
Frequently Asked Questions
What triggers an inspection for an important entity?
Article 33 requires evidence that an important entity allegedly does not comply with the directive, specifically Articles 21 or 23. Triggers include incident reports that reveal inadequate controls, third-party complaints, cross-border information sharing between national authorities, and findings from sector-wide supervisory assessments. There is no minimum threshold for what constitutes evidence — a credible complaint is sufficient to open an investigation.
Can an important entity be subject to an on-site inspection without a prior incident?
Not directly under Article 33’s ex-post model. A trigger event must first provide the competent authority with evidence of potential non-compliance. Essential entities, by contrast, can face random on-site inspections with no prior trigger — this is the core operational difference between the two supervisory regimes and the reason essential entities must maintain permanent inspection readiness.
What does an independent Article 33 security audit cost the entity?
Under Article 33(2)(b), independent security audits are funded by the audited entity unless the competent authority decides otherwise and provides justification. A targeted NIS2 security audit by an independent firm can reach tens of thousands of euros depending on scope, sector complexity, and the number of systems in scope. Budget for this as a potential supervisory cost — not just an optional compliance investment.
What is the difference between a compliance notice and a binding instruction?
A compliance notice is the formal document setting out the alleged contravention, the specific remediation directions, and a response deadline. It establishes the supervisory record of non-compliance. A binding instruction is the legal mechanism through which the authority directs specific security measures to be implemented within a defined timeframe. Both are legally enforceable; in practice they may be issued together or sequentially, depending on the member state’s procedural rules and the severity of the findings.
Can regulators suspend a CEO’s functions for NIS2 non-compliance?
Yes — for essential entities. Article 32(5) allows competent authorities to request that courts or tribunals temporarily prohibit a CEO or legal representative from exercising management functions when the entity has failed to act after receiving binding instructions. The suspension is lifted once the entity demonstrates compliance to the authority. This power applies specifically to essential entities and does not extend to important entities under Article 33.
Do public administration entities face the management suspension power?
No. Article 32(5) explicitly excludes public administration entities from the management suspension mechanism. Private essential entities across all in-scope sectors are fully subject to this power. Public bodies may face other enforcement measures — compliance orders, binding instructions, and fines — but not the suspension of management functions.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
