Article 8: Competent authorities and single points of contact

To operationalize the Article 8 requirement on competent authorities and single points of contact, you need a jurisdiction-by-jurisdiction map of which national authority supervises your NIS 2 obligations, and then you need to hardwire those contacts into your incident reporting, supervisory response, and evidence-retention workflows. Your goal is simple: you can prove, on demand, who you report to, how, and who owns the relationship. (Directive (EU) 2022/2555, Article 8)

Key takeaways:

  • Build and maintain an “authority register” that links each EU Member State you operate in to the competent authority and your internal owner. (Directive (EU) 2022/2555, Article 8)
  • Embed those authority details into incident triage and escalation so reporting triggers route to the right regulator without debate. (Directive (EU) 2022/2555)
  • Treat this as audit-readiness work: retain evidence that the mapping exists, is approved, and is used in real processes. (Directive (EU) 2022/2555)

Article 8 is directed at EU Member States, but it still creates immediate operational work for you if your organization is an essential or important entity under NIS 2. Authorities supervise and enforce NIS 2 through national structures, and Article 8 is the foundation for that supervisory model: each Member State designates or establishes one or more competent authorities responsible for cybersecurity supervision. (Directive (EU) 2022/2555, Article 8)

In practice, exams, incident follow-ups, and routine supervisory requests will come from the competent authority (or authorities) in the Member State that has jurisdiction over your entity, establishment, or operations. If you cannot quickly identify the right authority, the right channel, and the accountable internal owner, you will lose time during an incident and look unprepared during supervision.

This page translates Article 8 into a fast, operator-ready implementation: a clear mapping of authorities to your footprint, a single internal “point of contact” model, and workflow integration so your reporting and supervisory responses are consistent, timely, and evidence-backed across jurisdictions. (Directive (EU) 2022/2555)

Regulatory text

Regulatory excerpt (verbatim): “Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks referred to in Chapter VII (competent authorities).” (Directive (EU) 2022/2555, Article 8)

What this means for an operator

Even though Article 8 obligates Member States (not private entities) to appoint regulators, you still need to operate as if supervision will be local and authority-specific. Concretely, you must be able to:

  • Identify which competent authority supervises you in each relevant Member State.
  • Demonstrate an internal governance model for interacting with those authorities (who owns the relationship, who can speak for the company, and who can submit required notifications).
  • Show that your incident and regulatory communications processes route to the correct authority without relying on individual tribal knowledge. (Directive (EU) 2022/2555)

Think of Article 8 as the “routing table” for NIS 2 oversight. If the routing is wrong, everything downstream fails: reporting, responding, and handling supervisory inquiries.

Plain-English interpretation (requirement-level)

Requirement you should implement: Maintain a current, approved mapping of competent authorities and single points of contact (internal and external) for every EU Member State where your NIS 2 obligations apply, and integrate that mapping into incident response, regulatory correspondence, and evidence retention. (Directive (EU) 2022/2555, Article 8)

This is not a one-time spreadsheet. Authorities and reporting endpoints can change based on national transposition, sector assignment, and corporate structure changes. Your control has to survive reorganizations, acquisitions, and operational expansion.

Who this applies to

Entity scope

  • Organizations that are in scope for NIS 2 (commonly categorized as essential entities or important entities) and have operations, establishments, or regulated services connected to one or more EU Member States. (Directive (EU) 2022/2555)

Operational contexts where this shows up

  • Incident response and reporting: Who receives notifications and follow-up information depends on the competent authority with jurisdiction. (Directive (EU) 2022/2555)
  • Supervisory exams and inquiries: Requests for evidence, audits, and remediation tracking will come through designated authorities. (Directive (EU) 2022/2555)
  • Third-party dependency management: Supply chain incidents and outsourced operations often drive cross-border questions. Your authority mapping must cover where services are delivered and where regulated entities sit, not only HQ location. (Directive (EU) 2022/2555)

What you actually need to do (step-by-step)

Step 1: Define your NIS 2 jurisdiction footprint

  1. List EU Member States where you have an establishment, provide in-scope services, or otherwise expect NIS 2 obligations to apply.
  2. For each Member State, record the legal entity, business line, and operational owner.
  3. Put the result into your NIS 2 obligation register with jurisdiction notes and accountable owners. This becomes your “system of record.” (Directive (EU) 2022/2555)

Operator tip: If you cannot clearly state “which country supervises which part of our service,” your authority mapping will stay theoretical. Start from services and establishments, then map to countries.

Step 2: Build an “Authority & Contact Register” (your exam-ready artifact)

For each relevant Member State, capture:

  • Competent authority name (as designated nationally).
  • Official reporting channels (web portal, email, phone) and any required identifiers.
  • Any sector-specific routing (if multiple authorities exist).
  • Your internal Single Point of Contact (SPOC) for that Member State (role-based, not person-based).
  • Backup SPOC and legal sign-off path (who approves notifications).
  • Last verification date and verification method (e.g., checked authority site, confirmed through counsel).

Keep it simple: one table, consistent fields, strict ownership.

Step 3: Assign internal ownership and RACI

Create a short RACI aligned to how supervision works in your organization:

  • Accountable: CCO/GRC lead (or Head of Security Compliance) for the accuracy of the register.
  • Responsible: Regulatory operations or security governance team for maintenance.
  • Consulted: Legal, incident response lead, privacy (where overlaps exist).
  • Informed: CIO/CISO, relevant business owners.

Document decision rights: who can submit regulator communications, who can commit remediation dates, and who can accept meeting requests.

Step 4: Integrate into incident triage and escalation

Update your incident response playbooks so that, upon classification of a potentially reportable incident:

  1. Triage identifies impacted Member States (based on service footprint and affected entities).
  2. Workflow auto-pulls the competent authority entry for those states.
  3. Escalation assigns the right internal SPOC and backup.
  4. Regulatory communications are logged, version-controlled, and retained with the incident record. (Directive (EU) 2022/2555)

This step is where most programs fail: they have the mapping, but responders do not use it under pressure. Make the authority register a required input to your incident ticket template.
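As an added example (not from the original page and not Daydream code), the register fields from Step 2 and the routing logic from Step 4 expressed as a small Python module: triage supplies the impacted Member States and sector, the routine resolves each to a single register entry (preferring sector-specific routing where a country has several authorities), and it raises a gap for missing entries, ambiguous routing, or entries whose verification date is older than an assumed internal cadence. Authority names, channels, mailboxes, dates and the 365-day cadence are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class AuthorityEntry:
    """One row of the Authority & Contact Register (the Step 2 fields)."""
    member_state: str   # ISO 3166-1 alpha-2 code of the Member State
    authority: str      # competent authority name as designated nationally
    sectors: frozenset  # sector-specific routing; empty set = catch-all entry
    channel: str        # official reporting channel (portal, email, phone)
    spoc_role: str      # internal SPOC as a role mailbox, not a person
    backup_role: str    # backup SPOC / legal sign-off path
    verified_on: date   # last verification date of this entry

# Constructed sample register with placeholder authority names, not real data.
REGISTER = [
    AuthorityEntry("DE", "DE-AUTHORITY-PLACEHOLDER", frozenset(), "portal-de.example",
                   "nis2-spoc-de@corp.example", "grc-backup@corp.example", date(2023, 6, 1)),
    AuthorityEntry("FR", "FR-ENERGY-AUTHORITY-PLACEHOLDER", frozenset({"energy"}),
                   "portal-fr-energy.example", "nis2-spoc-fr@corp.example",
                   "grc-backup@corp.example", date(2024, 11, 3)),
    AuthorityEntry("FR", "FR-GENERAL-AUTHORITY-PLACEHOLDER", frozenset(), "portal-fr.example",
                   "nis2-spoc-fr@corp.example", "grc-backup@corp.example", date(2024, 11, 3)),
]
MAX_VERIFICATION_AGE = timedelta(days=365)  # assumed internal cadence, not a legal deadline
AS_OF = date(2025, 1, 15)                   # constructed tabletop date for the example run

def route_incident(impacted, register, today=AS_OF):
    """Step 4 routing: map triage output {member_state: sector} to register entries.
    Returns (routes, gaps); gaps are escalation items that block notification.
    """
    routes, gaps = {}, []
    for ms, sector in impacted.items():
        candidates = [e for e in register if e.member_state == ms]
        if not candidates:
            gaps.append(f"{ms}: no authority entry; escalate to register owner")
            continue
        # Prefer a sector-specific authority, otherwise fall back to the catch-all entry.
        chosen = ([e for e in candidates if sector in e.sectors]
                  or [e for e in candidates if not e.sectors])
        if len(chosen) != 1:
            gaps.append(f"{ms}: ambiguous sector routing ({len(chosen)} candidates)")
            continue
        entry = chosen[0]
        if today - entry.verified_on > MAX_VERIFICATION_AGE:
            gaps.append(f"{ms}: last verified {entry.verified_on}; re-verify before sending")
        routes[ms] = entry
    return routes, gaps
```

Attaching the returned routes and gaps to the incident ticket gives you the jurisdiction analysis and authority-routing evidence that the hangups section says is usually missing.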

Step 5: Operationalize supervisory engagement (non-incident)

Set a standard operating procedure for inbound authority contact:

  • Intake channel (central mailbox or case management queue).
  • Authentication steps (how you verify the request is legitimate).
  • Response workflow (who drafts, who reviews, who sends).
  • Evidence packaging standard (what “complete” looks like).
  • Time-based service targets you set internally (do not invent regulatory timelines here; focus on responsiveness and control). (Directive (EU) 2022/2555)

Step 6: Test the control

Run a tabletop exercise focused on a cross-border scenario:

  • Simulate an incident impacting systems serving multiple Member States.
  • Validate the authority routing, SPOC assignment, and evidence capture.
  • Record findings and remediation actions in your tracking system. (Directive (EU) 2022/2555)

Where Daydream fits naturally: Daydream can act as the system-of-record for your NIS 2 obligation register and authority mapping, link each jurisdiction entry to control owners, and keep incident workflow evidence attached to the requirement so it stays audit-ready without spreadsheet sprawl.

Required evidence and artifacts to retain

Auditors and supervisors typically want proof of both design and operation. Keep:

  • Authority & Contact Register (current version + change history).
  • NIS 2 obligation register showing jurisdiction applicability, owners, and milestones. (Directive (EU) 2022/2555)
  • Incident response playbooks that reference the register as a mandatory step. (Directive (EU) 2022/2555)
  • Tabletop/test records: scenario, participants, outputs, defects, and remediation tracking. (Directive (EU) 2022/2555)
  • Training/enablement records for IR, Legal, and GRC staff on how to use the mapping.
  • Communications log template for regulator interactions (inbound and outbound) with approvals attached.

Common exam/audit questions and hangups

Expect questions like:

  • “Which competent authority supervises your entity in Member State X, and how do you know?”
  • “Show how incident response routes notifications to the correct authority.”
  • “Who is authorized to communicate with the authority, and what approvals are required?”
  • “How do you keep contact details current across Member States?”
  • “Demonstrate evidence that this process has been tested.” (Directive (EU) 2022/2555)

Hangups:

  • Multiple authorities per country and unclear sector routing.
  • Corporate structure changes not reflected in the mapping.
  • Incident tickets missing jurisdiction analysis and authority-routing evidence.

Frequent implementation mistakes (and how to avoid them)

  1. Person-based SPOCs instead of role-based ownership. People leave. Use a role mailbox and documented delegation.
  2. A mapping that lives in Legal but not in IR operations. Make it a required field in incident tooling and playbooks.
  3. No change control. Add a lightweight review trigger tied to corporate events (new country launch, acquisition, major outsourcing change) and periodic verification.
  4. Assuming one EU-wide regulator. Article 8’s model is explicitly Member State-based. Build for plurality. (Directive (EU) 2022/2555, Article 8)
  5. Forgetting third parties. If key operations are outsourced, your jurisdiction and authority routing can still depend on where regulated services are delivered and where your entity is established. Track critical third-party dependencies alongside the obligation register. (Directive (EU) 2022/2555)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so do not anchor your program to specific penalties or case outcomes here.

Operational risk is still concrete:

  • Wrong authority routing can delay notifications and degrade credibility during supervisory follow-up.
  • Incomplete evidence trails create avoidable findings even when underlying security controls are sound.
  • Cross-border incidents create confusion fast; the authority register is a stabilizer during executive escalation. (Directive (EU) 2022/2555)

Practical execution plan (30/60/90-day)

Use phases rather than calendar promises. The outcome is what matters: an accurate mapping that responders use.

Days 0–30: Establish the foundation

  • Confirm in-scope Member States and entities for your NIS 2 obligation register. (Directive (EU) 2022/2555)
  • Draft the Authority & Contact Register schema and assign ownership/RACI.
  • Populate the initial mapping for your highest-risk jurisdictions first (based on operational criticality).
  • Define internal SPOC roles, backups, and approval flow for regulator communications.

Days 31–60: Integrate with operations

  • Update incident triage and escalation playbooks to require jurisdiction analysis and authority routing. (Directive (EU) 2022/2555)
  • Add templates: regulator inquiry intake, outbound notification package checklist, communications log.
  • Train incident commanders, Legal, and GRC on the workflow, with a short “who contacts whom” runbook.

Days 61–90: Prove it works and make it sustainable

  • Run a tabletop that exercises cross-border authority routing and evidence capture. (Directive (EU) 2022/2555)
  • Close gaps: missing authority data, unclear internal decision rights, tooling friction.
  • Implement change control: review triggers and a recurring verification cadence owned by GRC.

Frequently Asked Questions

Does Article 8 impose a direct obligation on my company?

Article 8 is written as an obligation on each Member State to designate competent authorities. (Directive (EU) 2022/2555, Article 8) Your operational obligation is indirect but real: you must know and be ready to engage the competent authority that supervises you.

We operate in multiple EU countries. Do we need multiple regulator contacts?

Yes, you should plan for a Member State-by-Member State mapping because Article 8 is implemented nationally and supervision is routed through designated competent authorities. (Directive (EU) 2022/2555, Article 8)

What should our “single point of contact” look like internally?

Use a role-based model: a named function, shared mailbox, and delegated authority with documented backups. Tie it to your incident response and regulatory correspondence processes so it is used under pressure.

How do we keep the authority mapping current without turning it into busywork?

Put one team in charge (GRC or security governance) and add change triggers tied to expansions, M&A, and major outsourcing changes. Keep a simple verification log so you can prove the mapping was maintained.

What evidence is most persuasive in an exam?

A current authority register plus proof that incident workflows reference it and that you have tested the routing in an exercise. (Directive (EU) 2022/2555) Supervisors tend to value operational proof over standalone policy statements.

Can Daydream replace our spreadsheet-based mapping?

Yes, if you treat Daydream as the system-of-record for the obligation register and authority mapping, with owner assignments, change tracking, and linked incident evidence. That setup reduces “orphaned” compliance artifacts that teams cannot produce quickly during supervisory requests.
