NIS2 Art.24: Registration Obligations for Essential and Important Entities — What to Register, Where, and When (2026)
Post #417 in the sota.io EU Cyber Compliance Series
If you have already determined that your SaaS falls within NIS2 scope — as an essential or important entity under Annex I or II — then Art.21's security measures and Art.23's incident reporting are the obligations that dominate compliance discussions. But there is a prerequisite that many developers overlook: Art.24's registration requirement. Before you can be supervised, before an NCA can reach you after an incident, before the Art.32/33 audit machinery activates — you have to be registered.
Art.24 is administrative, but non-trivial. The information requirements are specific, the deadline was 17 January 2025 (the NIS2 transposition date), updates are mandatory within two weeks of any change, and multi-jurisdictional entities must register in every Member State where they operate. For cloud-native SaaS with European customers in critical sectors, this is an active obligation right now.
This guide covers:
- Art.24 text and structure — the exact registration requirements
- Entity type self-assessment: essential vs. important
- What information must be provided (all 7 data fields)
- Registration deadlines and ongoing update obligations
- Cross-border registration for multi-jurisdictional SaaS
- Country-specific NCA portals: Germany (BSI), Netherlands (NCSC), Austria (CERT.at/BMLV), France (ANSSI)
- Python NIS2RegistrationManager — automated registration tracker and change notifier
- NIS2 × GDPR cross-map for registration data handling
- 20-item compliance checklist
NIS2 Chapter IV Context: Where Art.24 Fits
Art.24 sits between the operational obligations (Art.21 measures, Art.23 incident reporting) and the vulnerability framework (Art.26 CVD). It is the administrative foundation that makes supervision possible:
| Article | Topic | Who it Applies To |
|---|---|---|
| Art.20 | Management body obligations | Essential + Important entities |
| Art.21 | Cybersecurity risk management measures | Essential + Important entities |
| Art.23 | Incident reporting (24h / 72h / 1 month) | Essential + Important entities |
| Art.24 | Registration obligations | Essential + Important entities |
| Art.25 | Domain name database | DNS providers, TLD registries |
| Art.26 | Coordinated vulnerability disclosure | Essential + Important entities |
Without Art.24 registration, NCAs have no reliable way to know which entities are in their supervisory perimeter. Art.24 is how you raise your hand and say "I am in scope."
Art.24 Text: What the Directive Actually Requires
NIS2 Art.24 has seven paragraphs. The key obligations:
Art.24(1) — The registration duty: Member States shall ensure that essential and important entities submit at least the following information to the competent authority:
- Entity name
- Address and up-to-date contact details (email address and telephone numbers)
- Relevant IP address ranges
- The Member State(s) in which the entity operates
- The sector(s) referred to in Annex I or II under which the entity falls
Art.24(2) — Deadline: Entities shall submit this registration information by 17 January 2025 — the NIS2 transposition deadline. Newly in-scope entities (e.g., a startup that grows to meet the threshold, or a sector newly added to scope) must register without undue delay after becoming in scope.
Art.24(3) — Change notifications: Entities shall notify the competent authority of any changes to the information submitted without undue delay, and in any event within 3 months of the date on which the change took place. Note: the Directive says 3 months but most Member State implementations are stricter — many require notification within 2 weeks.
Art.24(4) — NCA acknowledgement: The competent authority shall acknowledge receipt of the notification. The acknowledgement shall include:
- Confirmation of receipt
- Assignment of a unique identifier
- The contact details for the supervisory authority responsible for the entity
Art.24(5) — Lists by Member States: Member States may establish mechanisms to allow entities to self-register as essential or important. NCAs compile lists of essential and important entities in their jurisdiction and share them with ENISA (for EU-level statistics, not public disclosure).
Art.24(6) — Multi-sector entities: Where an entity operates in multiple sectors covered by both Annex I and Annex II, it shall inform the competent authorities of all relevant sectors. The entity may be designated as essential in one sector and important in another.
Art.24(7) — Cross-border: Where an entity provides services in more than one Member State, it shall register with the competent authority of each Member State where it provides services. The obligation is not one-time EU-wide registration — it is per-Member-State.
Step 1: Determine If You Must Register
Before registering, confirm your entity status.
Size Thresholds (Art.3)
NIS2 defines essential and important entities partly by size:
| Category | Size | Threshold |
|---|---|---|
| Essential entity | Large enterprise | ≥250 employees OR annual turnover ≥€50M AND balance sheet ≥€43M |
| Important entity | Medium enterprise | ≥50 employees OR annual turnover ≥€10M AND balance sheet ≥€10M |
Small enterprises (< 50 employees, < €10M turnover) are generally not in scope — unless they are in sectors listed as "Qualified" in Annex I where size thresholds don't apply (TLD registries, DNS providers, cloud providers, data centre operators, CDN providers, managed security services, certain digital infrastructure).
Sector Classification (Annex I vs Annex II)
Annex I — Highly critical sectors (essential entities):
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, pharmaceuticals, labs)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, IXPs, cloud, data centres, CDN, MSSP, trust services, electronic communications)
- ICT service management (B2B managed service providers)
- Public administration
- Space
Annex II — Other critical sectors (important entities):
- Postal and courier services
- Waste management
- Manufacture of chemicals
- Food production and distribution
- Medical devices and machinery manufacturing
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
SaaS Developer Quick-Check
Most SaaS developers reading this will be relevant if they:
- Operate in the digital infrastructure sector (cloud IaaS/PaaS/SaaS serving critical sectors)
- Are a managed service provider (MSP) or managed security service provider (MSSP)
- Provide B2B software to entities in Annex I sectors
- Run a digital marketplace, search engine, or social network with EU users
If you are purely a small B2B SaaS with < 50 employees and < €10M revenue and your customers are not in critical sectors, you are likely out of scope for the registration obligation — though Art.21's supply chain security requirements mean your customers may impose equivalent security standards contractually.
Step 2: What Information to Provide
Art.24(1) lists the minimum required fields. In practice, Member State implementations add detail:
Field 1: Entity Name
Legal entity name as registered in the commercial register. For groups: each operating entity separately (not parent company only).
Field 2: Contact Details
At minimum:
- Primary email address — typically a security or compliance team address (security@ or compliance@)
- Primary telephone number — including country code, reachable 24/7 for incidents
- Postal address — registered office address
Best practice: Use a role-based email (nca-contact@yourcompany.com) not a personal one, and ensure it is monitored.
Field 3: IP Address Ranges
This is where cloud-native SaaS gets complex. "Relevant IP ranges" means IP address ranges from which the entity provides its services — not just internal office networks.
For SaaS developers:
- API/application servers: List the CIDR blocks or Elastic IPs of your production infrastructure
- Cloud provider IPs: If you use AWS/GCP/Azure, list the specific ranges assigned to your infrastructure (not the entire cloud provider range)
- CDN/edge IPs: Cloudflare, Fastly etc. — list your assigned IP ranges
- Outbound IPs: Used for notification services, webhooks, email sending
Practical approach: Export your infrastructure IP allocations from your cloud provider's console, or use terraform show / aws ec2 describe-addresses. For dynamic IP environments, document the /24 or /16 CIDR range you operate within.
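Added example (not part of the original post): before declaring or re-declaring Field 3, collapse the exported allocations into canonical CIDR blocks and compare address space rather than strings, so that re-aggregated ranges do not count as a change while a genuinely new block does. The function names, the breadth thresholds and the sample ranges (RFC 5737/3849 documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Assumed breadth limits, not taken from any NCA: the article treats a /16 as the
# widest IPv4 block to document, and its sample IPv6 declaration is a /32.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample data: what was last submitted vs. what the cloud export shows now.
REGISTERED = ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:10::/48"]
CURRENT = ["198.51.100.0/24", "2001:db8:10::/48", "203.0.113.16", "203.0.113.17"]


def normalize(ranges):
    """Parse CIDRs or bare addresses and collapse them into a minimal network list."""
    nets = [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]
    out = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IP versions
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def _subtract(net, others):
    """Return the parts of `net` that no network in `others` covers."""
    pieces = [net]
    for other in others:
        if other.version != net.version:
            continue
        remaining = []
        for piece in pieces:
            if piece.subnet_of(other):
                continue                      # fully covered, nothing left
            if other.subnet_of(piece):
                remaining.extend(piece.address_exclude(other))
            else:
                remaining.append(piece)       # CIDR blocks nest or are disjoint
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))


def registration_delta(registered, current):
    """Compare registered and current address space; report what must be re-notified."""
    reg, cur = normalize(registered), normalize(current)
    added = [str(n) for c in cur for n in _subtract(c, reg)]
    removed = [str(n) for r in reg for n in _subtract(r, cur)]
    too_broad = [str(n) for n in cur if n.prefixlen < MIN_PREFIX[n.version]]
    return {
        "declare": [str(n) for n in cur],     # canonical list to submit
        "added": added,
        "removed": removed,
        "too_broad": too_broad,               # e.g. a whole provider block
        "update_required": bool(added or removed),
    }


if __name__ == "__main__":
    for key, value in registration_delta(REGISTERED, CURRENT).items():
        print(f"{key}: {value}")
```

A plain string comparison of the two sample lists would report three changed entries; compared as address space, only the new 203.0.113.16/31 block needs to be notified.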
Field 4: Member States Where You Operate
List every EU/EEA Member State where you actively provide services to customers. "Provide services" typically means:
- You have a contractual relationship with a customer in that country
- Your service is available and marketed there
- You have infrastructure or staff there
For EU-wide SaaS: this commonly means 27 EU Member States plus Norway, Iceland, Liechtenstein (EEA).
Field 5: Sector Classification
Specify which Annex (I or II) and which subsector. Example format:
- Annex I, Section 8: Digital infrastructure — subsector: cloud computing service providers
- Annex I, Section 9: ICT service management (B2B) — managed service providers
Field 6: Registration Number (where applicable)
Where an entity holds a license, authorization, or registration number relevant to its regulated activity (e.g., a trust service provider under eIDAS, or a telecoms operator), include it.
Field 7: Point of Contact for Supervisory Authority
Many NCAs ask for a named Data Protection Officer equivalent for NIS2 — sometimes called the "NIS2 Contact Person" or "Security Officer." Include name, title, email, and phone.
Step 3: Deadlines and Update Obligations
Initial Registration: 17 January 2025
The transposition deadline for NIS2 was 17 October 2024. Member States were required to have their NCA registration systems operational by 17 January 2025 (three months after transposition).
If your entity was in scope in January 2025 and has not yet registered, you are currently non-compliant. Art.34 penalties for violations include fines up to:
- Essential entities: higher of 2% of global annual turnover or €10 million
- Important entities: higher of 1.4% of global annual turnover or €7 million
Change Notifications: Within 2 Weeks
The Directive says "without undue delay, in any event within 3 months." Most national implementations are significantly stricter:
| Member State | Change Notification Deadline |
|---|---|
| Germany (BSI) | 2 weeks |
| Netherlands | 2 weeks |
| Austria | 4 weeks |
| France (ANSSI) | 1 month |
| Belgium (CCB) | 2 weeks |
Changes that trigger notification:
- IP range changes (scaling, migration, new CDN)
- New Member States where you start providing services
- Contact person changes
- Corporate restructuring affecting the entity name or legal status
- Sector classification changes (e.g., if you enter a new critical sector)
Practical Change Trigger: Infrastructure Events
For cloud-native developers, these infrastructure events typically require a registration update:
- Region migration (e.g., eu-central-1 → eu-west-1)
- Major cloud provider change (AWS → GCP)
- New product launch in a new EU country
- Acquisition or subsidiary creation
Step 4: Country-Specific NCA Registration Portals
Germany — BSI (Bundesamt für Sicherheit in der Informationstechnik)
- Portal: BSI MELN (Melde- und Erfassungsportal für KRITIS und NIS2) — meln.bsi.bund.de
- Process: ELSTER-based identity verification → entity profile creation → sector classification
- Language: German required for most fields
- KRITIS overlap: If you are already registered as a KRITIS operator, NIS2 registration is simplified
- Contact: nis2-registrierung@bsi.bund.de
- BSI Act (BSIG): German transposition. Essential entities in Germany face additional audit obligations under BSIG §8a
Netherlands — NCSC / Ministry of Infrastructure
- Portal: Rijksinspectie Digitale Infrastructuur (RDI) handles most digital infrastructure sectors; sector-specific NCAs for others (e.g., DNB for banking)
- Process: DigiD or eHerkenning authentication → entity profile
- Multi-NCA: Netherlands has 12+ sector-specific NCAs. You may need to register with the correct one for your sector
Austria — CERT.at / BMLV
- Portal: portal.nis2.gv.at (under development as of 2025)
- NCA: Federal Chancellery and sector ministries (energy = BMKLIMA, digital = RTR)
- RTR: Rundfunk und Telekom Regulierungs-GmbH for digital infrastructure entities
France — ANSSI
- Portal: MonEspaceCyber (MEC) — monespace.cyber.gouv.fr
- Process: FranceConnect+ identity verification → entity declaration
- NIS2 Law: LOI n°2023-703 (NIS2 transposition, June 2023) — France was early
- Language: French required
Belgium — CCB (Centre for Cybersecurity Belgium)
- Portal: SafeOnWeb Business — safeonweb.be/en/business
- Language: French/Dutch/English accepted
Multi-Jurisdictional SaaS: Registration Strategy
For SaaS with customers in 10+ EU countries, per-country registration is the reality. The practical approach:
Option 1: Lead Authority Coordination (Informal)
Art.24 has no "lead authority" concept (unlike GDPR's one-stop-shop). However, you can notify your primary NCA (where your EU headquarters or main operations are) and reference this when registering in other Member States. Some NCAs accept this as satisfying the local registration requirement — check with each country.
Option 2: Full Per-Country Registration
Register separately in each Member State. This is strictly compliant but operationally intensive for 27 countries. Use a registration tracker (see Python implementation below).
Option 3: ENISA Voluntary Registration
ENISA is building EU-level voluntary registration mechanisms. Monitor enisa.europa.eu for updates. This may eventually simplify multi-country registration, but is not yet operational as a substitute.
Practical Minimum for SaaS Startups
If you have < 100 EU customers and operations concentrated in 2-3 countries:
- Register in your HQ country first (highest NCA scrutiny)
- Register in Germany (largest market, strictest enforcement)
- Register in Netherlands or France (second-tier)
- Expand registration as you scale
Python: NIS2RegistrationManager
```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class EntityProfile:
    """The registration data fields submitted to each NCA."""
    legal_name: str
    address: str
    contact_email: str
    contact_phone: str
    ip_ranges: list[str]
    member_states: list[str]
    annex: str  # "I" or "II"
    sector: str
    subsector: str
    registration_number: Optional[str] = None
    nis2_contact_person: Optional[str] = None


@dataclass
class RegistrationRecord:
    """Registration state for one Member State."""
    member_state: str
    nca_name: str
    portal_url: str
    registration_id: Optional[str] = None
    registered_on: Optional[date] = None
    last_updated: Optional[date] = None  # date of the last reported data change
    status: str = "pending"  # pending, registered, update_required


class NIS2RegistrationManager:
    DEADLINE = date(2025, 1, 17)
    CHANGE_DEADLINE_DAYS = 14  # conservative: 2 weeks

    NCA_REGISTRY = {
        "DE": {"name": "BSI", "portal": "https://meln.bsi.bund.de"},
        "NL": {"name": "RDI/NCSC", "portal": "https://rdi.nl/nis2"},
        "AT": {"name": "CERT.at/RTR", "portal": "https://portal.nis2.gv.at"},
        "FR": {"name": "ANSSI", "portal": "https://monespace.cyber.gouv.fr"},
        "BE": {"name": "CCB", "portal": "https://safeonweb.be"},
        "SE": {"name": "NCSC-SE/MSB", "portal": "https://msb.se/nis2"},
        "PL": {"name": "CERT.PL/UODO", "portal": "https://incydent.cert.pl"},
        "ES": {"name": "CCN-CERT/INCIBE", "portal": "https://incibe.es/nis2"},
        "IT": {"name": "ACN", "portal": "https://acn.gov.it"},
        "DK": {"name": "CFCS/DCIS", "portal": "https://cfcs.dk/nis2"},
    }

    def __init__(self, entity: EntityProfile):
        self.entity = entity
        self.registrations: dict[str, RegistrationRecord] = {}
        self._initialize_registrations()

    def _initialize_registrations(self):
        # One pending record per Member State the entity operates in.
        for ms in self.entity.member_states:
            nca = self.NCA_REGISTRY.get(ms, {"name": f"NCA-{ms}", "portal": "TBD"})
            self.registrations[ms] = RegistrationRecord(
                member_state=ms,
                nca_name=nca["name"],
                portal_url=nca["portal"],
            )

    def check_compliance_status(self) -> dict:
        today = date.today()
        status = {}
        for ms, reg in self.registrations.items():
            if reg.status == "pending":
                overdue_days = (today - self.DEADLINE).days
                status[ms] = {
                    "status": "NON_COMPLIANT",
                    "issue": f"Not registered. Deadline was {self.DEADLINE}.",
                    "overdue_days": max(0, overdue_days),
                }
            elif reg.status == "update_required":
                # last_updated holds the change date set by notify_change().
                deadline = reg.last_updated + timedelta(days=self.CHANGE_DEADLINE_DAYS)
                status[ms] = {
                    "status": "UPDATE_OVERDUE" if today > deadline else "UPDATE_PENDING",
                    "issue": "Registration data changed, update required.",
                    "update_deadline": str(deadline),
                }
            else:
                status[ms] = {"status": "COMPLIANT", "registered_on": str(reg.registered_on)}
        return status

    def notify_change(self, changed_fields: list[str],
                      change_date: Optional[date] = None) -> list[dict]:
        """Call this when any registration-relevant data changes."""
        change_date = change_date or date.today()
        update_deadline = change_date + timedelta(days=self.CHANGE_DEADLINE_DAYS)
        notifications = []
        # Only Member States with a completed registration need an update.
        for ms, reg in self.registrations.items():
            if reg.status == "registered":
                reg.status = "update_required"
                reg.last_updated = change_date
                notifications.append({
                    "member_state": ms,
                    "nca": reg.nca_name,
                    "portal": reg.portal_url,
                    "changed_fields": changed_fields,
                    "update_deadline": str(update_deadline),
                    "days_remaining": (update_deadline - date.today()).days,
                })
        return notifications

    def mark_registered(self, member_state: str, registration_id: str,
                        registered_on: Optional[date] = None):
        if member_state in self.registrations:
            reg = self.registrations[member_state]
            reg.registration_id = registration_id
            reg.registered_on = registered_on or date.today()
            reg.status = "registered"

    def get_ip_change_alert(self, old_ranges: list[str], new_ranges: list[str]) -> dict:
        """Compare IP ranges and flag if registration update needed."""
        added = set(new_ranges) - set(old_ranges)
        removed = set(old_ranges) - set(new_ranges)
        if added or removed:
            return {
                "change_detected": True,
                "added": list(added),
                "removed": list(removed),
                "action": "Submit NCA registration update within 2 weeks",
                "notifications": self.notify_change(["ip_ranges"]),
            }
        return {"change_detected": False}

    def registration_report(self) -> str:
        status = self.check_compliance_status()
        lines = [f"NIS2 Registration Status — {self.entity.legal_name}",
                 f"Entity: {self.entity.annex} / {self.entity.sector}",
                 f"Member States: {', '.join(self.entity.member_states)}", ""]
        for ms, s in status.items():
            reg = self.registrations[ms]
            lines.append(f"  [{ms}] {reg.nca_name}: {s['status']}")
            if s['status'] != 'COMPLIANT':
                lines.append(f"    Issue: {s.get('issue', '')}")
        return "\n".join(lines)


# Usage example
if __name__ == "__main__":
    entity = EntityProfile(
        legal_name="Acme Cloud GmbH",
        address="Musterstraße 1, 10115 Berlin, Germany",
        contact_email="nis2@acmecloud.de",
        contact_phone="+49-30-1234567",
        ip_ranges=["185.220.100.0/24", "2a04:4e42::/32"],
        member_states=["DE", "NL", "AT", "FR", "BE"],
        annex="I",
        sector="Digital infrastructure",
        subsector="Cloud computing service providers",
        nis2_contact_person="Max Muster, CISO",
    )
    mgr = NIS2RegistrationManager(entity)
    print(mgr.registration_report())

    # Simulate an IP range change after migration
    alerts = mgr.get_ip_change_alert(
        old_ranges=["185.220.100.0/24"],
        new_ranges=["185.220.100.0/24", "195.148.127.0/24"],
    )
    if alerts["change_detected"]:
        print("\nIP change detected! Update required in 2 weeks.")
        for notif in alerts["notifications"]:
            print(f"  → Notify {notif['nca']} ({notif['member_state']}) by {notif['update_deadline']}")
```
NIS2 × GDPR Cross-Map for Registration Data
The Art.24 registration data itself is personal data under GDPR — specifically for the named contact persons. This creates a double compliance requirement:
| NIS2 Art.24 Field | GDPR Implication | Action |
|---|---|---|
| Contact person name + email | PII — requires legal basis | Use Art.6(1)(c) (legal obligation) as basis |
| Contact person phone | PII — minimize | Role-based number preferred over personal mobile |
| IP ranges | May be company personal data in some interpretations | Document in ROPA as "NIS2 regulatory disclosure" |
| NCA receipt/registration ID | Process data — internal | Store in compliance management system |
ROPA Entry for NIS2 Registration
Add to your Record of Processing Activities:
- Processing purpose: Compliance with NIS2 Art.24 registration obligation
- Legal basis: GDPR Art.6(1)(c) — compliance with legal obligation
- Data subjects: Designated NIS2 contact persons
- Recipients: National competent authority (NCA) in each Member State
- Retention: Duration of entity's NIS2-scope status + 5 years (for audit purposes)
- Transfer: No transfer outside EU (NCA is EU authority)
Art.24 × Art.23 Interaction: How Registration Enables Incident Reporting
Art.24 registration is functionally a prerequisite to Art.23 incident reporting. When an incident occurs:
- Art.23(1) — You must notify "the competent authority or the CSIRT" within 24 hours
- The NCA uses your Art.24 registration to identify the correct contact
- Your Art.24 registration record includes the CSIRT assigned to you
- Outdated contact details in your Art.24 record = missed incident notification = separate violation
The implication: Art.24 is not just a one-time administrative exercise. It is the live directory that NIS2 enforcement runs on. If your CISO leaves and you don't update Art.24, the next incident notification may go to the wrong person — or nowhere.
Common Art.24 Mistakes SaaS Teams Make
1. Registering at Group Level Instead of Entity Level
Art.24 requires registration of the entity that actually provides the service — not the parent holding company. If you have a German GmbH, a Dutch BV, and a French SAS all providing services independently, each needs its own registration.
2. Using Personal Email Addresses
Contact details in the NCA registry are semi-permanent and may be shared with CSIRTs and law enforcement. Use security@ or nis2@ role-based addresses that survive personnel changes.
3. Incomplete IP Range Declarations
The BSI and other NCAs use IP range data for network monitoring and to correlate incidents. "We use AWS, here's the whole 54.0.0.0/8" is not acceptable. Provide your specific allocated ranges.
4. Ignoring the Multi-Country Obligation
Art.24(7) is explicit: register in every Member State where you provide services. Many SaaS teams register only in their home country and assume it covers the EU. It does not.
5. Not Tracking Infrastructure Changes for Re-notification
IP ranges change during cloud migrations, CDN switches, and scaling events. Without a change-tracking process (like the NIS2RegistrationManager above), you will miss the 2-week notification window.
6. Conflating NIS2 Registration with GDPR Article 30 ROPA
These are different obligations with different data flows. Art.24 sends data to the NCA; Art.30 is internal documentation. Both are required; neither substitutes for the other.
Art.24 in the Full NIS2 Compliance Timeline
| Date | Obligation |
|---|---|
| 17 October 2024 | NIS2 transposition deadline (Member States) |
| 17 January 2025 | Entity registration deadline (Art.24) |
| Within 3 months of change | Update registration (2 weeks in most national laws) |
| Ongoing | Respond to NCA information requests within specified deadlines |
| From 2026 | Proactive supervisory audits of essential entities (Art.32) |
If your entity became in scope after 17 January 2025 (e.g., you crossed the size threshold or entered a new critical sector), your registration deadline is "without undue delay" from the moment you became in scope.
20-Item Art.24 Compliance Checklist
Entity Scoping
- Confirmed entity size relative to Art.3 thresholds (250/50 employees, €50M/€10M turnover)
- Identified correct Annex I or II sector(s)
- Confirmed entity type: essential or important (or both for different sectors)
- Listed all EU/EEA Member States where services are actively provided
Registration Data Preparation
- Compiled legal entity name(s) for all operating entities
- Created role-based NIS2 contact email (nis2@ or security@)
- Documented 24/7 reachable phone number
- Exported current production IP ranges (cloud console + CDN allocations)
- Named NIS2 Contact Person (CISO or designated equivalent)
- Confirmed sector/subsector classification per Annex I/II
Submission
- Registered with NCA in HQ Member State before 17 January 2025
- Registered in all other Member States where services are provided
- Obtained and stored NCA acknowledgement with unique registration ID
- Noted supervisory authority assigned per acknowledgement
Ongoing Obligations
- Implemented infrastructure change tracking for IP range changes
- Defined internal process: who is responsible for notifying NCA of changes
- Set calendar alerts for 2-week notification deadline after infrastructure changes
- Added NIS2 registration update to offboarding checklist for CISO/contact person changes
- Added ROPA entry for NIS2 Art.24 processing activity (GDPR Art.6(1)(c))
- Scheduled annual review of registration data accuracy
Conclusion
NIS2 Art.24 is the organizational prerequisite for everything else in NIS2 compliance. Before NCAs can supervise you, before CSIRTs can contact you during incidents, before Art.32 audits can begin — you must be registered. The information requirements are specific: not just a company name, but IP ranges, sector classifications, per-country registration in every Member State where you operate, and contact details that stay current.
The deadline was 17 January 2025. If you are reading this as an essential or important entity that has not yet registered, the practical first step is to register with your home country NCA today, then expand to other Member States. The penalties for non-compliance (up to 2% global turnover for essential entities) are real, and Art.32/33 proactive audits are beginning in 2026.
The NIS2RegistrationManager above gives you a foundation for tracking multi-country registrations and automating change notifications — integrate it with your infrastructure provisioning pipeline to catch IP range changes before the 2-week window closes.
Next in the NIS2 series: Art.27 (duties of essential entities to notify NCAs of changes in their status as essential entities — the "out-of-scope notification" obligation).