2026-04-20·14 min read·

NIS2 Art.33 Reactive Supervision: Important Entity Enforcement, Sanctions, and Developer Compliance Guide 2026

The NIS2 Directive's supervisory architecture rests on a two-tier framework: Essential Entities under the proactive, ex-ante regime of Article 32, and Important Entities under the reactive, ex-post regime of Article 33. The distinction is not cosmetic. If your SaaS platform, cloud service, or digital infrastructure falls in the Important Entity category — and many do — the compliance posture is materially different from the Essential Entity playbook.

Under Art.33, National Competent Authorities cannot simply audit you at any time. They need a trigger. But when that trigger fires, the supervisory tools available to the NCA are nearly identical to the Art.32 toolkit. The sanctions under Art.36 differ in ceiling — €7M or 1.4% of global annual turnover for Important Entities, versus €10M or 2% for Essential Entities — but that is still a significant enforcement exposure.

This guide unpacks the Art.33 regime: who is in scope, what triggers NCA action, what supervisory measures NCAs can deploy, how Art.34's general supervision provisions bridge the two regimes, the Art.36 penalty structure, and what developers building platforms in the Important Entity supply chain need to prepare for 2026 enforcement activity.

1. The Two-Tier Entity Classification Under NIS2

Before examining Art.33, it is worth restating the classification framework that makes the Essential/Important distinction so consequential for compliance planning.

Essential Entities (Art.3(1)) include:

Operators in the 7 highly critical sectors of Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space.
Organisations with >250 employees OR >€50M turnover AND >€43M balance sheet in those sectors.
Qualified trust service providers (regardless of size).
TLD name registries and DNS service providers (regardless of size).
Any entity designated by a Member State as essential.

Important Entities (Art.3(2)) are the wider circle:

Medium-sized organisations (≥50 employees OR ≥€10M turnover AND ≥€2M balance sheet) in Annex I or Annex II sectors.
Annex II sectors add the "other critical sectors": postal and courier services, waste management, manufacture/production and distribution of chemicals, food production, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, online search engines, social networking platforms).
Any entity a Member State designates as important.

For most SaaS platforms and developer-facing cloud services, the Important Entity classification is the realistic one. Online marketplaces and digital service providers are explicitly named in Annex II. The €10M turnover threshold is well within reach of any successful B2B SaaS. The 50-employee threshold catches even bootstrapped companies that have scaled.

The critical implication: If you are an Important Entity, you face the same Art.21 risk management obligations, the same Art.23 reporting requirements, and the same Art.24 registration duties as Essential Entities. What changes under Art.33 is only the supervisory mechanism — not the substantive compliance obligations.

2. Art.33 Supervisory Framework: Reactive, Not Proactive

Article 33(1) establishes the foundational rule: NCAs exercise their supervisory powers over Important Entities ex-post — they act in reaction to information rather than conducting routine proactive audits.

This is the key structural difference from Art.32:

Dimension	Art.32 (Essential)	Art.33 (Important)
Audit initiation	NCA can act at any time (ex-ante)	Only when triggered (ex-post)
Routine inspections	Yes — without prior incident	No — requires trigger event
Management liability	Yes — Art.32(6) individual sanctions	No — Art.33(6) explicitly excluded
Penalty ceiling	€10M or 2% global turnover	€7M or 1.4% global turnover
On-site inspection frequency	Can be routine programme	Triggered by specific information

The ex-post constraint is real but should not be misread as "no enforcement risk." NCAs can and do receive information through multiple channels: incident reports (Art.23), complaints from affected parties, intelligence sharing through the CSIRTs network (Art.11), and reports from other Member State NCAs. Each of these is a valid trigger for Art.33 supervisory action.

3. Triggers for Art.33 Supervisory Action

Article 33(2) specifies three classes of trigger that authorise an NCA to initiate supervision of an Important Entity:

Trigger 1: Evidence or Information of Non-Compliance

If the NCA receives credible information suggesting an Important Entity is not complying with NIS2 obligations, it may initiate supervisory measures. Sources of such information include:

Art.23 incident reports: An entity's own significant incident notification can expose gaps in risk management documentation, CSIRT coordination procedures, or the classification methodology.
Whistleblower complaints: NIS2 does not prescribe a formal complaint mechanism, but Member State implementations typically allow employees, customers, or security researchers to flag non-compliance.
CSIRTs network intelligence: CSIRTs operating under Art.11 share threat intelligence and may flag entities appearing in attacker telemetry without having filed required notifications.
Third-party security research: Publicly disclosed vulnerabilities in an entity's systems, combined with absence of the coordinated disclosure policy required under Art.26, constitute evidence of non-compliance.
Cross-border NCA reports: If an entity operates across Member States and one NCA identifies a compliance gap, it can share that finding with the NCA in the entity's home jurisdiction.

Trigger 2: Request by Another NCA

Article 33(2)(b) authorises a Member State NCA to supervise an Important Entity operating in its territory based on a request from another competent authority. This matters for cross-border SaaS platforms: you do not need to be subject to multiple NCAs simultaneously, but NCAs cooperate, and a finding in one jurisdiction propagates to others.

Trigger 3: NCA's Own Initiative

Article 33(2)(c) gives NCAs the power to act on their own initiative when they hold specific information justifying action. "Specific information" is a meaningful constraint — general sector risk assessments are not enough. But NCA-led threat intelligence activities, coordination with ENISA, or output from the EU-CyCLONe process (Art.16) can generate entity-specific information that qualifies.

Practical implication: The reactive trigger is not a safe harbour. Important Entities that have never received an Art.23 request, never been audited, and never appeared in NCA threat data still face the risk of a triggered investigation as NCA supervisory capacity scales up in 2026-2027 across all 27 Member States.

4. The Art.33 Supervisory Toolkit

When a trigger event authorises NCA action under Art.33, the available supervisory measures are defined in Article 33(2) with reference to the Art.32 framework. The toolkit is nearly identical to the Essential Entity regime:

On-Site Inspections (Art.33(2)(a))

NCAs can conduct on-site inspections of an Important Entity's premises, systems, and processes. The Art.33 on-site inspection is not routine — it requires the trigger — but once triggered, the NCA can access the same evidence as in an Art.32 audit: network diagrams, incident response runbooks, access control records, backup and recovery test results.

What auditors look for in on-site inspections:

Evidence that Art.21(2)(a) risk analysis has been completed and documented
Art.21(2)(b) incident handling procedure with tested runbooks
Art.21(2)(c) business continuity plans with recovery time objectives tested against reality
Art.21(2)(f) effectiveness assessment methodology (not just policies, but evidence of testing)
Art.21(2)(h) cryptographic implementation (TLS 1.3, key management procedures)
Art.21(2)(j) MFA deployment for privileged access, administrative interfaces, remote access

Targeted Security Scans (Art.33(2)(b))

NCAs can conduct or commission targeted security scans of an Important Entity's systems. Unlike the broad network-level scanning an Essential Entity might face, targeted scans in the Important Entity context are typically scoped to specific systems or specific risk categories that triggered the investigation.

Targeted scans may include:

Vulnerability scanning of externally accessible infrastructure
Configuration assessment against baseline security standards
Assessment of specific controls named in the trigger evidence

Security Audits (Art.33(2)(c))

NCAs can require a security audit of an Important Entity, conducted either by the NCA itself or by an approved third party. The audit scope follows the trigger: if the NCA was alerted by a significant incident involving backup failure, the audit will focus on Art.21(2)(c) (business continuity and backup). If the trigger was an Art.23 late notification, the audit will examine incident detection and classification procedures.

Requests for Information and Documentary Evidence (Art.33(2)(d))

NCAs can require Important Entities to provide:

Technical documentation of security measures
Policies and procedures
Incident response records
Evidence of security training (Art.21(2)(g))
Documentation of MFA deployment (Art.21(2)(j))
Vendor contracts with ICT third-party providers (for Art.21(2)(d) supply chain security)

This is often the first supervisory measure deployed — it is lower cost for the NCA and generates the evidence trail that then justifies on-site inspection or formal audit.

Interview Rights (Art.33(2)(e))

NCAs can interview management, technical staff, and contractors with access to relevant information. In the Important Entity context, interviews are typically initiated after documentary review, when the NCA needs to resolve contradictions or establish whether a written policy is actually implemented.

5. Art.34: General Supervision Provisions Applicable to Both Regimes

Article 34 establishes supervision provisions that apply to both Essential Entities (Art.32) and Important Entities (Art.33). Understanding Art.34 is important because it defines the limits of NCA supervisory power — procedural safeguards that entities can invoke.

Art.34(1): Notice Before On-Site Inspection

NCAs must provide advance notice before conducting on-site inspections, except where:

Immediate action is required (e.g., active incident response)
Prior notice would compromise the inspection's effectiveness

"Prior notice" is not precisely defined in the Directive and varies in Member State implementation. In practice, German (BSI) and French (ANSSI) supervision guidance suggests 5-10 business days for routine triggered inspections, less for incident-related inspections.

Art.34(3): Proportionality Obligation

Supervisory measures must be proportionate to the entity's size, its risk exposure, and the nature of the non-compliance concern. An NCA triggering a full on-site inspection of a 50-person SaaS company because of a single late incident notification faces a proportionality challenge. Entities should document their size, the materiality of any identified gap, and the remediation steps already taken when responding to NCA requests.

Art.34(4): Supervisory Measures Must Be Based on Sufficient Grounds

For Important Entities specifically, Art.34(4) reinforces the ex-post requirement: the NCA must have sufficient grounds before initiating supervisory measures. If an NCA attempts to conduct a routine audit of an Important Entity citing general sector risk rather than entity-specific information, the entity can challenge the legal basis.

Art.34(5): The Binding Instruction Power

Regardless of whether an entity is Essential or Important, Art.34(5) gives NCAs the power to issue binding instructions requiring the entity to take specific remediation actions within a defined deadline. Failure to comply with a binding instruction is itself a separate ground for sanctions under Art.35/36.

Binding instructions can require:

Implementation of specific security controls by a deadline
Completion of a security audit by a named third party
Notification of affected customers or downstream users
Appointment of a security monitoring representative

6. Art.36 Sanctions: Important Entity Penalty Structure

Article 36 defines the enforcement penalties available for Important Entities found in breach of NIS2 obligations. The penalty ceiling is lower than the Essential Entity Art.35 regime but still substantial:

Breach Type	Maximum Penalty (Important Entities)
Non-compliance with risk management obligations (Art.21)	€7M or 1.4% global annual turnover, whichever is higher
Non-compliance with reporting obligations (Art.23)	€7M or 1.4% global annual turnover, whichever is higher
Non-compliance with binding NCA instructions (Art.34(5))	€7M or 1.4% global annual turnover, whichever is higher
Non-compliance with registration obligations (Art.24)	Varies by Member State — NIS2 does not harmonise this

Compare with the Essential Entity Art.35 ceiling: €10M or 2% global annual turnover. The Important Entity ceiling is 70% of the Essential Entity ceiling in absolute terms. For a €50M-turnover SaaS, the difference between regimes is €700,000 in maximum penalty exposure.

Art.36 enforcement factors: Member State NCAs must consider the following when calibrating penalties:

Duration and gravity of the breach
Whether the breach caused damage to others
Whether the breach was intentional or negligent
Remediation steps taken voluntarily before enforcement
Previous enforcement history
Entity's cooperation with the NCA during the investigation

A SaaS company that identifies a compliance gap, self-reports to the NCA, and implements remediation before formal enforcement action is initiated will typically face significantly lower penalties than one that is reactive or obstructive. The cooperation incentive is structural in how Art.36(2) is drafted.

No Individual Management Liability Under Art.33

Article 33(6) explicitly provides that the individual management liability introduced in Art.32(6) for Essential Entities does not apply to Important Entities. There is no personal sanction exposure for the CEO or CISO of an Important Entity under NIS2, even in cases of serious non-compliance.

This distinguishes the Important Entity regime from:

The Essential Entity regime (Art.32(6) management accountability)
DORA's management body accountability provisions
GDPR's data protection officer obligations

This does not mean management is off the hook entirely. Member States may implement stricter national rules imposing management accountability for Important Entity non-compliance. Germany, the Netherlands, and Austria have historically favoured personal accountability in cybersecurity and data protection enforcement. Developers and CTOs at Important Entity SaaS companies in those jurisdictions should monitor their national NIS2 transposition law carefully.

7. Practical Developer Implications: What to Prepare in 2026

Understanding Art.33's reactive trigger structure, the Almost-Art.32 supervisory toolkit, and the Art.36 penalty ceiling translates into a specific set of preparation activities for SaaS developers at Important Entities or in their supply chains.

Trigger Minimisation: Prevent the Trigger Before It Fires

The best Art.33 defence is ensuring your entity does not generate the triggers that authorise NCA action:

Art.23 reporting compliance: The single largest source of NCA triggers is incident reports. File Art.23 notifications on time. An early warning within 24h, an incident notification within 72h, and a final report within one month is the statutory requirement. Late filings generate the "evidence of non-compliance" that Art.33(2)(a) requires for NCA action.

Art.26 CVD policy: Publicly accessible coordinated vulnerability disclosure policies are increasingly the first thing NCAs check. A missing security.txt, absent CVD contact point, or unanswered researcher disclosures are low-cost compliance failures with outsized enforcement risk.

Art.24 registration: Many Important Entities in Annex II sectors have not yet registered with their NCA by the Member State deadline. Unregistered entities appear as gaps in NCA supervisory databases, and NCAs are specifically tasked with filling those gaps.

Documentation Readiness: Prepare for a Reactive Audit

Under Art.33, you will not receive a routine audit request. But if a trigger fires, you may receive an Art.33(2)(d) information request within 48-72h of the NCA identifying the trigger event. The documentation package they will request typically includes:

Current risk analysis documentation (Art.21(2)(a))
Incident response runbook with evidence of testing (Art.21(2)(b))
Business continuity plan with tested RTO/RPO (Art.21(2)(c))
Supply chain ICT security controls documentation (Art.21(2)(d))
Security effectiveness assessment methodology and last assessment results (Art.21(2)(f))
Security training records for the past 24 months (Art.21(2)(g))
Cryptographic policy and implementation evidence (Art.21(2)(h))
MFA deployment scope and coverage documentation (Art.21(2)(j))
NCA registration records and contact point details (Art.24)
CVD policy publication evidence, security.txt, disclosure log (Art.26)

Having this documentation ready before a trigger fires is the difference between a supervisory inquiry that closes in 30 days and one that escalates to a formal audit.

Supply Chain Position: Are You the Entity or the Provider?

For developers building infrastructure that is used by Important Entities rather than operating as an Important Entity themselves, Art.33 has indirect implications through Art.21(2)(d):

Important Entities must implement "security in supply chain" controls that require them to assess the security posture of their ICT providers. When an NCA audits an Important Entity's supply chain controls, your platform's security posture is under scrutiny. This means:

Providing customers with structured security documentation (SOC 2 Type II, ISO 27001, or equivalent)
Maintaining a machine-readable SBOM if you supply software components
Having a published CVD policy that customers can reference in their Art.21(2)(d) documentation
Offering contractual SLAs for security incident notification to downstream Important Entities

EU-infrastructure advantage: For SaaS providers operating on EU-native infrastructure without US parent entities, the supply chain documentation story is structurally simpler. No CLOUD Act risk assessment, no third-country transfer documentation, no conflicting jurisdiction analysis for Important Entity customers. This is directly relevant to what customers need in their Art.21(2)(d) ICT provider due diligence package.

8. Python Implementation: NIS2ImportantEntityAuditReadinessAssessor

The following tool provides a structured assessment of Important Entity readiness for Art.33 supervision, focusing on the documentation and control evidence that NCAs typically request first:

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import json


class ReadinessLevel(Enum):
    READY = "ready"
    PARTIAL = "partial"
    GAP = "gap"
    UNKNOWN = "unknown"


@dataclass
class Art33Requirement:
    article: str
    description: str
    evidence_needed: list[str]
    status: ReadinessLevel = ReadinessLevel.UNKNOWN
    gap_detail: Optional[str] = None
    remediation_priority: str = "medium"


@dataclass
class NIS2ImportantEntityAssessment:
    entity_name: str
    sector: str
    employee_count: int
    annual_turnover_eur: float
    requirements: list[Art33Requirement] = field(default_factory=list)

    def is_important_entity(self) -> bool:
        return (
            self.employee_count >= 50
            or self.annual_turnover_eur >= 10_000_000
        )

    def add_requirement(self, req: Art33Requirement):
        self.requirements.append(req)

    def score(self) -> dict:
        ready = sum(1 for r in self.requirements if r.status == ReadinessLevel.READY)
        partial = sum(1 for r in self.requirements if r.status == ReadinessLevel.PARTIAL)
        gaps = sum(1 for r in self.requirements if r.status == ReadinessLevel.GAP)
        total = len(self.requirements)
        return {
            "total": total,
            "ready": ready,
            "partial": partial,
            "gaps": gaps,
            "readiness_pct": round((ready + 0.5 * partial) / total * 100, 1) if total > 0 else 0,
        }

    def max_penalty_eur(self) -> float:
        return max(7_000_000, self.annual_turnover_eur * 0.014)

    def report(self) -> str:
        sc = self.score()
        lines = [
            f"NIS2 Art.33 Readiness Report — {self.entity_name}",
            f"Sector: {self.sector}",
            f"Important Entity: {'YES' if self.is_important_entity() else 'NO — not in scope'}",
            f"Max Penalty Exposure: €{self.max_penalty_eur():,.0f}",
            f"Readiness Score: {sc['readiness_pct']}% ({sc['ready']}/{sc['total']} ready)",
            "",
            "=== GAPS (immediate action required) ===",
        ]
        for r in self.requirements:
            if r.status == ReadinessLevel.GAP:
                lines.append(f"  [{r.article}] {r.description}")
                if r.gap_detail:
                    lines.append(f"    → {r.gap_detail}")
        lines.append("")
        lines.append("=== PARTIAL (remediation needed) ===")
        for r in self.requirements:
            if r.status == ReadinessLevel.PARTIAL:
                lines.append(f"  [{r.article}] {r.description}")
        return "\n".join(lines)


def build_standard_assessment(entity_name: str, sector: str,
                               employees: int, turnover: float) -> NIS2ImportantEntityAssessment:
    assessment = NIS2ImportantEntityAssessment(
        entity_name=entity_name,
        sector=sector,
        employee_count=employees,
        annual_turnover_eur=turnover,
    )

    requirements = [
        Art33Requirement(
            article="Art.21(2)(a)",
            description="Risk analysis and information security policy",
            evidence_needed=["Written risk assessment", "Security policy document", "Review date within 12 months"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.21(2)(b)",
            description="Incident handling procedure",
            evidence_needed=["Incident response runbook", "CSIRT contact list", "Tabletop exercise record within 12 months"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.21(2)(c)",
            description="Business continuity and backup",
            evidence_needed=["BCP document", "RTO/RPO defined and tested", "Backup test results within 6 months"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.21(2)(d)",
            description="Supply chain ICT security",
            evidence_needed=["Key ICT provider inventory", "Provider security assessments", "Contract security clauses"],
            remediation_priority="high",
        ),
        Art33Requirement(
            article="Art.21(2)(f)",
            description="Cybersecurity effectiveness assessment",
            evidence_needed=["Assessment methodology", "Last assessment report", "Remediation tracking"],
            remediation_priority="high",
        ),
        Art33Requirement(
            article="Art.21(2)(g)",
            description="Security training and cyber hygiene",
            evidence_needed=["Training programme", "Completion records 24 months", "Management training evidence"],
            remediation_priority="medium",
        ),
        Art33Requirement(
            article="Art.21(2)(h)",
            description="Cryptographic policy",
            evidence_needed=["Cryptographic policy document", "TLS 1.3 deployment evidence", "Key management procedure"],
            remediation_priority="high",
        ),
        Art33Requirement(
            article="Art.21(2)(j)",
            description="Multi-factor authentication",
            evidence_needed=["MFA scope definition", "Deployment coverage report", "Admin/remote access MFA enforcement"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.23",
            description="Incident reporting procedure",
            evidence_needed=["24h early warning SLA documented", "72h notification process", "CSIRT endpoint configured"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.24",
            description="NCA registration",
            evidence_needed=["Registration confirmation", "Contact point designated", "Entity status reviewed"],
            remediation_priority="critical",
        ),
        Art33Requirement(
            article="Art.26",
            description="Coordinated vulnerability disclosure policy",
            evidence_needed=["security.txt at /.well-known/security.txt", "CVD policy published", "Disclosure log maintained"],
            remediation_priority="high",
        ),
    ]

    for req in requirements:
        assessment.add_requirement(req)

    return assessment


if __name__ == "__main__":
    assessment = build_standard_assessment(
        entity_name="Example SaaS GmbH",
        sector="Digital service provider (Annex II)",
        employees=85,
        turnover=15_000_000,
    )

    # Simulate assessment results
    assessment.requirements[0].status = ReadinessLevel.READY
    assessment.requirements[1].status = ReadinessLevel.PARTIAL
    assessment.requirements[1].gap_detail = "Runbook exists but no tabletop exercise in past 12 months"
    assessment.requirements[2].status = ReadinessLevel.READY
    assessment.requirements[3].status = ReadinessLevel.GAP
    assessment.requirements[3].gap_detail = "No formal ICT provider inventory or security assessment documented"
    assessment.requirements[4].status = ReadinessLevel.GAP
    assessment.requirements[4].gap_detail = "No formal effectiveness assessment methodology"
    assessment.requirements[5].status = ReadinessLevel.PARTIAL
    assessment.requirements[6].status = ReadinessLevel.READY
    assessment.requirements[7].status = ReadinessLevel.PARTIAL
    assessment.requirements[7].gap_detail = "MFA enforced for admin but not for all remote access"
    assessment.requirements[8].status = ReadinessLevel.READY
    assessment.requirements[9].status = ReadinessLevel.READY
    assessment.requirements[10].status = ReadinessLevel.GAP
    assessment.requirements[10].gap_detail = "No security.txt, no published CVD policy"

    print(assessment.report())
    print(f"\nMax penalty exposure: €{assessment.max_penalty_eur():,.0f}")

Running this against a typical 85-person SaaS platform reveals the three most common Art.33 readiness gaps:

Missing CVD policy and security.txt — the most common gap NCAs can verify from outside without triggering a formal investigation
No ICT provider security assessment — required for Art.21(2)(d) supply chain security but rarely documented at Important Entity scale
No formal effectiveness assessment methodology — Art.21(2)(f) is frequently omitted in compliance programmes focused on Art.21(2)(a-c)

9. NIS2 Art.33 Developer Compliance Checklist

Use this 25-item checklist to assess Important Entity readiness for Art.33 supervision and Art.36 penalty risk:

Entity Classification

Confirmed entity qualifies as Important Entity (≥50 employees OR ≥€10M turnover, Annex I/II sector)
Registered with national NCA under Art.24 by Member State deadline
Designated contact point for NCA communication documented

Art.21 Risk Management Documentation

Art.21(2)(a) risk analysis completed, documented, reviewed within 12 months
Art.21(2)(b) incident response runbook with tested procedures (tabletop or live)
Art.21(2)(c) BCP with defined RTO/RPO, tested backup restoration within 6 months
Art.21(2)(d) key ICT provider inventory with security assessments and contract clauses
Art.21(2)(e) secure development lifecycle policy applicable to software products
Art.21(2)(f) effectiveness assessment methodology documented, last assessment on file
Art.21(2)(g) security training programme with completion records for past 24 months
Art.21(2)(h) cryptographic policy, TLS 1.3 enforced, key management procedure
Art.21(2)(i) access control and asset management policy with enforcement evidence
Art.21(2)(j) MFA deployed for admin access, remote access, and privileged accounts

Art.23 Incident Reporting

24h early warning SLA defined and trigger conditions documented
72h incident notification process with CSIRT endpoint and template ready
One-month final report template and owner assigned
Past 24 months incident log (or nil record) available for NCA review

Art.26 CVD and Disclosure

security.txt deployed at /.well-known/security.txt with valid Expires header
Coordinated vulnerability disclosure policy published and linked from security.txt
Disclosure log maintained with received/resolved/published entries

Supply Chain Documentation (for providers to Important Entities)

SOC 2 Type II or ISO 27001 certificate available to customers on request
SBOM published or available under NDA for software components
Security incident notification SLA in customer contracts (aligned to Art.23 timelines)
No CLOUD Act or extraterritorial jurisdiction risk documentation prepared for EU customers

Remediation Posture

Gap register maintained with owner and target date for each identified gap
Evidence that remediation steps were completed before NCA engagement (for penalty mitigation)

10. Key Differences Between Art.32 and Art.33: A Summary Table

Criterion	Art.32 (Essential)	Art.33 (Important)
Supervision trigger	Any time — proactive	Specific evidence, complaint, or NCA initiative
Routine audits	Yes	No
On-site inspections	Yes — without specific trigger	Yes — after trigger event
Security scans	Yes	Yes — targeted
Third-party security audits	Yes	Yes — triggered
Binding NCA instructions	Yes (Art.34)	Yes (Art.34)
Management personal liability	Yes — Art.32(6)	No — Art.33(6) exclusion
Max penalty (Art.35/36)	€10M or 2% turnover	€7M or 1.4% turnover
NCA cooperation duty	High	Medium
Member State discretion on stricter rules	Limited	Higher

The Art.33 ex-post regime provides a meaningful reduction in audit exposure compared to Art.32, but the substantive compliance obligations (Art.21, Art.23, Art.24, Art.26) are identical. Developers and CTOs at Important Entities should not interpret "reactive supervision" as a lower compliance bar — it is a lower audit initiation bar, not a lower obligation bar.

The practical risk management strategy for 2026 is to invest in documentation and control evidence that prevents triggers from firing in the first place: timely Art.23 notifications, published CVD policies, completed NCA registration, and a defensible Art.21 compliance documentation package ready for the day a triggered Art.33 investigation requests it.

For SaaS platforms operating entirely on EU-native infrastructure, the supply chain compliance position — no US-parent extraterritorial risk, no CLOUD Act analysis required — is a genuine structural advantage in helping Important Entity customers satisfy their Art.21(2)(d) ICT provider due diligence obligations.