NIS2: must I register my organisation, and how?
Adopted 2026-06-16 ยท ≈ 2 min read ยท 
edited by Dirk Baaijen
Often yes: Member States must set up a registration mechanism, and certain entities (such as DNS, cloud and data-centre providers) register directly. The how and with which authority is set by national law. Here is how to approach it.
Short answer: often yes, but the way differs by entity type and by Member State. NIS2 requires Member States to set up a mechanism to identify the entities in scope and include them in a list. In addition, certain digital providers must register directly with the competent authority. The exact way is set out in the national transposition law.
Two tracks: drawing up a list vs. registering yourself
NIS2 requires Member States to draw up a list of essential and important entities and to update it periodically (Directive (EU) 2022/2555). For most sectors โ including transport โ this leads to identification at national level, sometimes supplemented by a notification or registration duty for the entity itself.
For a specific group of digital service providers the directive imposes a direct registration duty. This covers, among others, providers of DNS services, TLD name registries, cloud, data-centre and content-delivery services, managed services and managed security services, and online marketplaces, search engines and social networks. They must notify the competent authority with details such as name, sector, contact information and the Member States where they provide services.
With whom and how you register
The exact point of contact and the procedure follow from national law, because NIS2 is a directive transposed by each Member State. In the Netherlands this is the Cyberbeveiligingswet, taking effect 1 July 2026; the directive's transposition deadline was 17 October 2024. Always consult the national law and the designated authority for the concrete registration portal, the data to be submitted and the deadlines.
How to determine your steps
- Are you in scope of NIS2? โ Check sector and size. Transport is an
essential sector; medium and large companies are generally in scope.
- Which track? โ Do you provide one of the digital services with a direct
registration duty, or are you identified via the national list?
- National law โ Find the competent authority, the registration portal
and the exact data and deadlines.
Whether a specific obligation already applies depends on the state of national transposition; verify this with the national authority.
Read more: Transport & Logistics. Take the scan.
Sources
- https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Directive (EU) 2022/2555 (NIS2): registration of entities and the list of essential and important entities by Member States. - https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
European Commission โ NIS2: scope, entity categories and obligations for Member States and entities.
Read next
NIS2: the guide to cybersecurity and management duties
NIS2 makes cybersecurity a board-level responsibility for essential and important entities โ including transport and logistics. This guide brings together who is in scope, which measures and reporting duties apply, management liability, and supply-chain obligations.
Securing AI in critical infrastructure: where the AI Act, Cyber Resilience Act and NIS2 meet
A single AI system in a port often falls under three frameworks at once: the AI Act (Art. 15) secures the AI system itself, the Cyber Resilience Act the product, and NIS2 obliges the operator as an essential entity. This piece explains how they meet and who is responsible for what.
Cybersecurity in seaports: NIS2 and the Cyber Resilience Act
Seaports fall under NIS2 (Directive (EU) 2022/2555): risk-management measures, management accountability and incident reporting. The Cyber Resilience Act (Regulation (EU) 2024/2847) sets security requirements for digital products in port chains.