Article 13: Cooperation at national level

Article 13 requires national authorities inside each EU Member State (competent authority, single point of contact, and CSIRT) to cooperate to carry out NIS 2 obligations. To operationalize it as a regulated entity, you must be “easy to supervise”: keep jurisdiction-specific obligation mapping, clear points of contact, and exam-ready incident and third-party evidence that supports coordinated oversight. (Directive (EU) 2022/2555, Article 13)

Key takeaways:

  • Treat Article 13 as a supervision-readiness requirement: your artifacts must work across multiple national touchpoints. (Directive (EU) 2022/2555, Article 13)
  • Build a single, controlled “NIS 2 obligation register” per Member State, tied to owners, systems, and reporting workflows. (Directive (EU) 2022/2555)
  • Make incident handling and third-party dependency evidence portable: same facts, consistent timestamps, consistent narrative. (Directive (EU) 2022/2555)

Article 13 (cooperation at national level) is addressed to Member States, not directly to companies. That distinction matters operationally: your regulators may be coordinated across multiple national functions, and your organization will feel that coordination in how you register, report incidents, answer inquiries, and provide evidence.

In practice, Article 13 shows up as joined-up supervision. One authority may ask risk-management questions, the CSIRT may ask for technical indicators and handling details, and the single point of contact may coordinate formal communications. If your internal recordkeeping is fragmented (different incident timelines in legal vs. SOC vs. IT, or conflicting third-party dependency lists), you create delays, inconsistencies, and credibility problems during supervisory engagement.

Your goal is simple: make it easy for national authorities to interact with you consistently. You do that with (1) a jurisdiction-aware obligation register, (2) a tested incident triage/escalation/reporting workflow that produces consistent outputs, and (3) a current view of critical third parties tied to risk assessment and remediation. This page gives requirement-level guidance you can implement quickly, without guessing what “cooperation” means in the real world. (Directive (EU) 2022/2555, Article 13)

Regulatory text

Text (excerpt): “Where they are separate, the competent authorities, the single point of contact and the CSIRTs of the same Member State shall cooperate with each other with regard to the fulfilment of the obligations laid down in this Directive.” (Directive (EU) 2022/2555, Article 13)

What the operator must do with this

Article 13 does not tell you to “cooperate with authorities.” It tells you that authorities will cooperate with each other. Your operational obligation is to be prepared for coordinated supervision: consistent points of contact, consistent reporting outputs, and consistent evidence packages that can be consumed by different national functions without rework or contradiction. (Directive (EU) 2022/2555, Article 13)

Plain-English interpretation

National competent authorities, the national single point of contact, and national CSIRTs may be separate organizations. NIS 2 requires them to coordinate. For you, that means:

  • Expect multi-channel oversight. The question you receive from one body may reflect coordination with another.
  • Assume information will be shared. Contradictory answers across teams become a risk.
  • Optimize for repeatable, auditable outputs. You should be able to produce the same incident timeline, impact statement, and third-party dependency facts regardless of who asks. (Directive (EU) 2022/2555, Article 13)

Who it applies to (entity and operational context)

Direct legal addressee

  • Member States / national bodies: competent authorities, single point of contact, and CSIRTs. (Directive (EU) 2022/2555, Article 13)

Practical applicability to your organization

You should treat this as operationally applicable if:

  • You are an entity in NIS 2 scope (essential or important) operating in one or more Member States under national transposition of NIS 2. (Directive (EU) 2022/2555)
  • You have a realistic chance of interacting with multiple national functions during: registration/onboarding, supervisory inquiries, incident notification and follow-up, or sector-specific examinations. (Directive (EU) 2022/2555)

Operational contexts where this requirement “bites”

  • Incidents: CSIRT wants technical details; competent authority wants governance and impacts; single point of contact wants formal message control.
  • Third-party exposure: Authorities often probe dependencies and cascading risk; you need a stable inventory and traceable assurance.
  • Multi-country operations: Same group incident, different national touchpoints, different submission mechanics. Article 13 increases the odds of coordinated questions. (Directive (EU) 2022/2555, Article 13)

What you actually need to do (step-by-step)

Step 1: Create a Member State–specific NIS 2 obligation register

Build one controlled register per Member State where you operate in-scope. Minimum fields:

  • In-scope entity/BU and services
  • Applicable national transposition reference (once known)
  • Obligations mapped to internal controls/processes (incident management, risk management, third-party, governance)
  • Control owner (name/role), system owner, and accountable executive
  • Evidence source of truth (where artifacts live)
  • Status and known gaps with remediation tickets

Why: Article 13 implies joined-up oversight. A register is how you prevent telling one authority A and another authority B about the same fact. (Directive (EU) 2022/2555, Article 13)

Step 2: Assign a single “regulatory front door” with backups

Define and document:

  • Primary regulatory contact (often compliance/GRC) and technical incident contact (SOC/IR lead)
  • Backup contacts for leave/after-hours
  • A routing rule: who receives what, and who approves outbound responses

Keep this current and easy to retrieve. In coordinated supervision, delayed routing reads as poor control operation. (Directive (EU) 2022/2555)

Step 3: Codify incident triage, escalation, and reporting workflows

Write a workflow that produces consistent outputs every time:

  • Triage criteria: what triggers escalation, what triggers “potentially reportable”
  • Timeline discipline: define how you record detection time, containment time, recovery time, and decision points
  • Single narrative: one internal incident summary that feeds any external message
  • Evidence capture: what logs, alerts, tickets, screenshots, forensics notes, and comms you preserve

Test it with a tabletop that includes: compliance, legal, SOC/IR, IT ops, and third-party management. The goal is repeatability and consistency across internal stakeholders, because coordinated authorities compare notes. (Directive (EU) 2022/2555, Article 13)
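As an added illustration of the timeline discipline and single narrative described in Step 3 (example code, not from the original page or from Daydream), the script below merges constructed SOC, ITSM and legal-tracker exports into one decision log keyed on the timeline terms above, normalizes every timestamp to UTC, and flags any source whose timestamp disagrees with the authoritative record. The sample data, field names and source priority order are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample exports (not real incident data). The SOC tool records
# UTC with a trailing "Z"; the ITSM and legal trackers record a local offset.
SOC_ALERTS = [
    {"id": "ALERT-1001", "phase": "detection",   "ts": "2024-03-04T09:12:00Z"},
    {"id": "ALERT-1007", "phase": "containment", "ts": "2024-03-04T11:40:00Z"},
]
ITSM_TICKETS = [
    {"id": "INC-5521", "phase": "containment", "ts": "2024-03-04T12:40:00+01:00"},
    {"id": "INC-5530", "phase": "recovery",    "ts": "2024-03-05T08:00:00+01:00"},
]
LEGAL_TRACKER = [
    {"id": "LEG-17", "phase": "containment", "ts": "2024-03-04T14:00:00+01:00"},
]

# Timeline terms from Step 3, in the order they must occur.
PHASE_ORDER = ["detection", "containment", "recovery"]


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with 'Z' or an explicit offset into UTC.
    Naive timestamps are rejected: a time without a zone cannot be compared."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {ts}")
    return dt.astimezone(timezone.utc)


def build_decision_log(*sources):
    """Merge event lists into one log: phase -> {"ts": UTC datetime, "refs": ids}.

    Sources are passed in priority order; the first source to record a phase
    sets the authoritative time. Later sources are kept as references, and a
    finding is raised when their time disagrees, so the conflict is resolved
    before any external message is written. Returns (log, findings)."""
    log, findings = {}, []
    for source in sources:
        for ev in source:
            phase, ts = ev["phase"], to_utc(ev["ts"])
            entry = log.setdefault(phase, {"ts": ts, "refs": []})
            if entry["ts"] != ts:
                findings.append(f"{phase}: {ev['id']} says {ts.isoformat()} "
                                f"but log has {entry['ts'].isoformat()}")
            entry["refs"].append(ev["id"])
    # Ordering invariant: detection <= containment <= recovery.
    times = [log[p]["ts"] for p in PHASE_ORDER if p in log]
    if times != sorted(times):
        findings.append("phase order violated")
    findings.extend(f"missing phase: {p}" for p in PHASE_ORDER if p not in log)
    return log, findings


def render_log(log) -> list:
    """One line per phase, citing the underlying alert and ticket ids."""
    return [f"{p} {log[p]['ts'].isoformat()} refs={','.join(log[p]['refs'])}"
            for p in PHASE_ORDER if p in log]


if __name__ == "__main__":
    log, findings = build_decision_log(SOC_ALERTS, ITSM_TICKETS, LEGAL_TRACKER)
    print("\n".join(render_log(log)))
    print("\n".join(findings) or "no findings")
```

Run against the sample data, the ITSM containment time agrees with the SOC once both are in UTC, while the legal tracker's containment time is flagged for resolution.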

Step 4: Integrate critical third-party dependencies into risk and incident handling

Operationalize three linkages:

  1. Inventory → criticality: identify third parties that support essential services, core IT, identity, monitoring, hosting, and OT where relevant.
  2. Risk assessment → remediation tracking: record findings, mitigation owners, and dates; keep a clear audit trail for exceptions.
  3. Incident workflow → third-party branch: if the incident involves a third party, require collection of contract terms, notification SLAs, third-party incident reports, and your verification steps.

Coordinated authorities often split questions: one asks “who is the provider,” another asks “how did you assure them,” and another asks “what did you do when they failed.” Your process must connect those answers. (Directive (EU) 2022/2555)

Step 5: Build an “authority-ready” evidence pack template

Prepare a repeatable pack you can generate without improvisation:

  • NIS 2 obligation register excerpt for the relevant Member State
  • Current incident runbook and reporting workflow
  • Incident post-incident report template (timeline, scope, impact, actions, lessons learned)
  • Third-party dependency list for affected service(s)
  • Change records and approvals related to containment/remediation
  • Communications log (internal and external) with approvals

Store it in a controlled repository with versioning. The point is to answer the same questions quickly and consistently across multiple national touchpoints. (Directive (EU) 2022/2555, Article 13)

Required evidence and artifacts to retain

Use this as your exam-ready checklist:

  • NIS 2 obligation register per Member State, with owners and evidence pointers (Directive (EU) 2022/2555)
  • Contact and escalation matrix (regulatory front door, technical contacts, backups)
  • Incident management SOPs: triage criteria, escalation path, decision log requirements
  • Incident records: ticketing trail, timeline, approvals, forensics outputs, containment and recovery evidence
  • Third-party critical dependency inventory tied to services and systems
  • Third-party risk assessments and remediation tickets, including exception rationale where accepted
  • Tabletop or test outputs: scenarios run, gaps found, actions assigned

Retention periods and exact formats can be set by your internal policy and national transposition, but consistency and traceability are the non-negotiables for Article 13 readiness. (Directive (EU) 2022/2555, Article 13)

Common exam/audit questions and hangups

Expect questions that reveal whether you can support coordinated supervision:

  • “Who is your official point of contact for NIS 2 matters in this Member State?”
  • “Show how you determine whether an event is reportable and who decides.”
  • “Provide the incident timeline with supporting evidence. Why does it differ from the SOC timeline?”
  • “Which third parties are critical to the affected service? Show your assurance and monitoring.”
  • “Show mapping from NIS 2 obligations to controls and owners. Where is it maintained?”
  • “How do you ensure consistent external communications across teams and countries?” (Directive (EU) 2022/2555, Article 13)

Hangups that slow teams down:

  • Multiple “sources of truth” for incidents (SOC tool vs. ITSM vs. legal tracker)
  • Unclear accountability for outbound regulatory communications
  • Third-party lists that exist but are not tied to services, impact, or remediation (Directive (EU) 2022/2555)

Frequent implementation mistakes and how to avoid them

| Mistake | Why it fails under coordinated oversight | Fix |
| --- | --- | --- |
| Treating Article 13 as “not applicable to us” | Authorities still coordinate; you still face multi-touchpoint supervision | Implement supervision-readiness controls as part of NIS 2 program governance (Directive (EU) 2022/2555, Article 13) |
| Building one global NIS 2 register only | National obligations can differ after transposition; questions arrive per Member State | Maintain a per–Member State view with a common underlying control library (Directive (EU) 2022/2555) |
| Incident timelines that change by audience | Authorities compare narratives; inconsistency signals weak process | Standardize timeline definitions and require a decision log |
| Third-party risk is separated from incident response | You cannot answer “who failed, what did you require, what did you verify” | Add a third-party branch in the IR workflow and pre-identify critical dependencies |
| Evidence stored in personal drives or chat threads | You cannot prove control operation | Use a controlled repository and link evidence in the obligation register |

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog, so you should not assume specific penalty patterns from Article 13 alone.

Your practical risk is supervisory friction: inconsistent facts, slow responses, and incomplete evidence can widen the scope of inquiries and increase the chance of formal findings under the broader NIS 2 obligations that authorities are coordinating to supervise. Treat Article 13 as a signal about how supervision will function, then harden your program artifacts accordingly. (Directive (EU) 2022/2555, Article 13)

A practical 30/60/90-day execution plan

Time-boxing helps, but specific calendar durations are planning guidance, not a legal requirement.

First 30 days (Immediate)

  • Stand up the Member State–specific NIS 2 obligation register structure and name owners.
  • Define the regulatory front door, backups, and routing rules.
  • Identify where incident truth lives today (SOC, ITSM, legal) and pick the authoritative record. (Directive (EU) 2022/2555, Article 13)

Days 31–60 (Near-term)

  • Publish the incident triage/escalation/reporting workflow with decision logs and evidence capture requirements.
  • Build the authority-ready evidence pack template and repository structure.
  • Create the initial list of critical third-party dependencies tied to core services and systems. (Directive (EU) 2022/2555)

Days 61–90 (Operationalize)

  • Run a cross-functional tabletop that tests coordinated authority questions (governance, technical, comms, third-party).
  • Close gaps with tracked remediation items and due dates.
  • Review the obligation register for completeness and confirm each obligation has an evidence pointer and a test method. (Directive (EU) 2022/2555, Article 13)

Ongoing operating rhythm

  • Keep contacts current.
  • Rehearse incident reporting outputs.
  • Refresh third-party dependency mapping when services, providers, or architectures change. (Directive (EU) 2022/2555)

Where Daydream fits (naturally)

If you struggle with keeping jurisdiction-specific obligations, owners, and evidence pointers consistent across countries and teams, Daydream can act as the system of record for the obligation register and evidence mapping. It reduces the “multiple spreadsheets” failure mode that Article 13 exposes during coordinated supervision. (Directive (EU) 2022/2555, Article 13)

Frequently Asked Questions

Does Article 13 create a direct obligation for my company to cooperate with the CSIRT?

Article 13 states that national bodies cooperate with each other. Your operational exposure is indirect: expect coordinated outreach and make sure your contacts, incident artifacts, and third-party records are consistent for any national touchpoint. (Directive (EU) 2022/2555, Article 13)

We operate in several Member States. Do we need separate processes per country?

You can run one core process, but keep a per–Member State obligation view and contact model so you can respond accurately under national transposition and supervisory routing. Centralize the “truth,” localize the applicability notes. (Directive (EU) 2022/2555)

What is the minimum evidence to prove we are ready for coordinated supervision?

Keep an obligation register with owners and evidence pointers, a documented incident workflow that generates a stable timeline and narrative, and a critical third-party dependency inventory tied to risk and remediation. These artifacts let you answer consistent questions quickly. (Directive (EU) 2022/2555, Article 13)

How do we prevent inconsistent incident timelines between the SOC and compliance?

Define timeline terms (detection, containment, recovery, decision points) and require a single incident decision log that references the underlying SOC alerts and ITSM tickets. Make that log the authoritative record used for any external messaging. (Directive (EU) 2022/2555)

Our third-party inventory exists, but it is not mapped to services. Is that a real problem?

Yes. Coordinated authorities will ask “which services depend on whom” and “what failed,” not just “who are your vendors.” Map third parties to business services and systems, then connect them to risk assessments and incident playbooks. (Directive (EU) 2022/2555)

Can we satisfy this by publishing a policy that says “we will cooperate with regulators”?

A policy helps, but Article 13 readiness is proven through operation: contacts, workflows, and consistent evidence packs. If you cannot produce those under time pressure, coordinated supervision will surface gaps quickly. (Directive (EU) 2022/2555, Article 13)