Article 31

General aspects concerning supervision and enforcement

1.   Member States shall ensure that their competent authorities effectively supervise and take the measures necessary to ensure compliance with this Directive.

2.   Member States may allow their competent authorities to prioritise supervisory tasks. Such prioritisation shall be based on a risk-based approach. To that end, when exercising their supervisory tasks provided for in Articles 32 and 33, the competent authorities may establish supervisory methodologies allowing for a prioritisation of such tasks following a risk-based approach.

3.   The competent authorities shall work in close cooperation with supervisory authorities under Regulation (EU) 2016/679 when addressing incidents resulting in personal data breaches, without prejudice to the competence and tasks of the supervisory authorities under that Regulation.

4.   Without prejudice to national legislative and institutional frameworks, Member States shall ensure that, in the supervision of compliance of public administration entities with this Directive and the imposition of enforcement measures with regard to infringements of this Directive, the competent authorities have appropriate powers to carry out such tasks with operational independence vis-à-vis the public administration entities supervised. Member States may decide on the imposition of appropriate, proportionate and effective supervisory and enforcement measures in relation to those entities in accordance with the national legislative and institutional frameworks.

Frequently Asked Questions

Member States are required to have specific authorities responsible for regularly supervising organizations’ compliance with NIS2 rules and taking appropriate actions if needed; these authorities monitor closely and can apply measures such as fines or sanctions to correct any non-compliance, ensuring that organizations take cybersecurity seriously and protect critical systems effectively.

Yes, authorities in each Member State can prioritize their supervisory duties based on potential risks they identify; they can use customized methods to focus closer attention on organizations or sectors that have a higher chance of experiencing cyber threats or causing greater damage if an incident happens due to their crucial role or sensitive data involved.

When an incident involves a breach of personal information, NIS2 authorities must collaborate closely with data protection authorities defined by EU data protection rules (GDPR); this teamwork helps them effectively manage incidents, share valuable information, avoid overlaps or conflicts, and ensure quick, coordinated responses to protect individuals’ data from further harm.

Yes, public administration entities also fall under NIS2 rules; authorities supervising these entities must have sufficient independence and proper legal power to effectively enforce compliance, and individual countries decide what specific measures or actions they may apply, ensuring the adherence by public sector organizations within their national legal and institutional frameworks.
