NIS 2 Directive Article 27 – Registry of Entities
The NIS 2 Directive, which stands for the Network and Information Security Directive, is a regulation within the European Union aimed at enhancing cybersecurity across critical infrastructure sectors.
Article 27 of the NIS 2 Directive focuses on the establishment and maintenance of a registry of various entities that play essential roles in the digital ecosystem. Let's delve deeper into the key aspects of this directive and its implications.
- Purpose of the Registry: ENISA, the European Union Agency for Cybersecurity, is tasked with establishing and maintaining a registry of specific entities. These entities include DNS service providers, TLD name registries, domain name registration services, cloud computing services, data centers, content delivery networks, managed services, online marketplaces, search engines, and social networking platforms. The registry aims to centralize information about these critical service providers for regulatory and security purposes.
- Information to be Submitted: According to Article 27, entities falling under the specified categories are required to submit certain information to competent authorities by January 17, 2025. This includes the entity name, relevant sector and subsector classification as per Annex I or II of the directive, addresses of establishments within the EU, contact details, member states where services are provided, and the entity's IP ranges.
- Obligation for Notification: Entities must ensure that the information submitted to competent authorities is kept updated. Any changes to the provided information, such as new addresses or contact details, must be communicated within three months of the change. This continuous updating process ensures that the registry remains current and accurate.
- Role of Competent Authorities: Each Member State is responsible for establishing a single point of contact to receive and forward the information from entities to ENISA. This mechanism streamlines the reporting process and facilitates the sharing of information across borders while maintaining confidentiality as required by the directive.
- Ensuring Accessibility and Security: The registry created under Article 27 is intended to provide competent authorities with up-to-date information on critical service providers operating within the EU. By centralizing this data, authorities can swiftly access essential details in case of cybersecurity incidents or regulatory requirements. The protection of sensitive information, particularly IP ranges, is emphasized to maintain the security and integrity of the registry.
In conclusion, the NIS 2 Directive Article 27 establishes a structured approach to managing and monitoring critical entities in the digital domain. By creating a registry of key service providers and enforcing regular information updates, the directive enhances cybersecurity readiness and response capabilities across Member States. Compliance with these requirements ensures a more secure and resilient digital infrastructure within the EU.