Article 33: Supervisory and enforcement measures in relation to important entities

Article 33 requires you, as an important entity under NIS 2, to be ready for ex post supervision and enforcement when a competent authority receives information suggesting noncompliance, especially with your security measures (Article 21) and incident reporting (Article 23). Operationalize it by building an “exam-ready” supervision response: clear ownership, rapid evidence production, and a remediation workflow that withstands regulator scrutiny. (Directive (EU) 2022/2555, Article 33)

Key takeaways:

  • Build a supervisory-response playbook that treats regulator outreach as an incident with defined triage, ownership, and deadlines.
  • Maintain audit-ready evidence for Article 21 controls and Article 23 reporting workflows because Article 33 actions often hinge on those areas. (Directive (EU) 2022/2555, Article 33)
  • Prove you can execute corrective actions fast: tracking, decision logs, and closure evidence matter as much as policies.

A competent authority does not need to schedule a routine audit to trigger action under NIS 2 Article 33. If the authority receives “evidence, indication or information” that an important entity is not complying, the Directive expects Member States to ensure authorities can apply ex post supervisory measures that are effective, proportionate, and dissuasive. (Directive (EU) 2022/2555, Article 33)

For a Compliance Officer, CCO, or GRC lead, that translates into a simple operational goal: reduce the time and friction between (1) a regulator question and (2) a complete, credible response package with supporting artifacts, plus a remediation plan that is already underway. Article 33 is less about writing new cybersecurity requirements and more about being prepared to demonstrate compliance under pressure, in writing, with traceable evidence.

This page focuses on fast execution: how to stand up governance, evidence retention, and response mechanics that make Article 33 manageable. If you already have security controls, incident response, and third-party risk processes, the work here is to connect them into a regulator-facing operating model with clean accountability and repeatable outputs.

What the requirement is (plain-English)

Article 33 says: if a competent authority receives information suggesting an important entity is not complying with NIS 2 (especially security measures and incident reporting), the authority must be able to take action using ex post supervisory measures. Those measures must be effective, proportionate, and dissuasive based on the case’s circumstances. (Directive (EU) 2022/2555, Article 33)

Plain-English translation for operators: assume that any credible signal of noncompliance can trigger a supervisory interaction. Your job is to (1) respond promptly and consistently, (2) produce defensible evidence of implementation, and (3) remediate gaps with documented urgency.

Who it applies to

Entity scope

  • Important entities in scope of NIS 2 (as categorized by the Directive and national transposition). Article 33 is explicitly “in relation to important entities.” (Directive (EU) 2022/2555, Article 33)

Operational context that triggers Article 33

Article 33 is triggered when authorities receive:

  • Evidence (for example, artifacts, reports, breach details, or documentation)
  • Indications (signals such as complaints, intelligence, patterns of incidents)
  • Information (tips, media reporting, third-party notifications, cross-authority referrals)

You cannot control what information reaches regulators. You can control whether your internal records can withstand scrutiny once it does.

Regulatory text

Excerpt (binding concept): When provided with evidence, indication, or information that an important entity allegedly does not comply with the Directive, Member States must ensure competent authorities take action, where necessary, through ex post supervisory measures, and those measures must be effective, proportionate, and dissuasive. (Directive (EU) 2022/2555, Article 33)

What you must do as an operator

Even though Article 33 describes what Member States must enable authorities to do, it creates a clear operational expectation for important entities:

  1. Be able to demonstrate compliance with NIS 2 obligations that commonly drive supervisory action, specifically security risk management measures and incident reporting readiness. (Directive (EU) 2022/2555, Article 33)
  2. Be prepared for ex post scrutiny after a suspected noncompliance signal, not only during planned audits. (Directive (EU) 2022/2555, Article 33)
  3. Be able to execute corrective actions with traceability, because supervisory measures aim to be “dissuasive” and will test whether you fix real issues, not whether you can explain them. (Directive (EU) 2022/2555, Article 33)

What you actually need to do (step-by-step)

Step 1: Build a NIS 2 obligation register that is supervision-ready

Create a single register that answers, fast:

  • Which NIS 2 obligations apply to your entity and which business units are in scope
  • Control owners (named individuals), not just teams
  • Current implementation status and known gaps
  • Local jurisdiction notes where national transposition affects expectations

Minimum fields to carry (a recommended shape; the Directive prescribes no register format):

  • Obligation statement (map to NIS 2 Articles relevant to your program)
  • Control / process name
  • Owner and delegate
  • Evidence location (system of record)
  • Review cadence (your chosen cadence)
  • Open issues and remediation ETA (your chosen ETA)

This aligns with the practical need to respond when authorities have an allegation of noncompliance. (Directive (EU) 2022/2555, Article 33)

Daydream fit: Daydream can function as the system of record for obligations, mappings, owners, and evidence pointers, so regulatory inquiries do not become a spreadsheet archaeology exercise.

Step 2: Stand up a “supervisory response” playbook (treat it like an incident)

Write a short playbook that starts the moment you receive an authority outreach (or anticipate one). Include:

  • Intake channels (legal mailbox, security mailbox, regulator portal, etc.)
  • Triage: classify request type (information request, on-site/remote inspection notice, follow-up after incident)
  • Ownership: Legal + Compliance lead, Security lead, and an evidence coordinator
  • Internal deadlines and approval gates (what must be reviewed by Legal, what can be produced by GRC)

Operational rule: every outbound response gets a decision log (what you provided, what you withheld, why, and who approved).

This is the control that makes “ex post supervisory measures” survivable in practice. (Directive (EU) 2022/2555, Article 33)

Step 3: Make Article 21 and Article 23 evidence “pull-ready”

Article 33 calls out likely focus areas “in particular Articles 21 and 23.” (Directive (EU) 2022/2555, Article 33) Prepare evidence packages that can be assembled quickly:

Security measures package (Article 21 related):

  • Policies and standards (approved versions)
  • Risk assessment methodology and latest risk register extracts
  • Control operation evidence (tickets, system configs, meeting minutes, test results)
  • Internal audit or assurance reports, plus management responses

Incident reporting readiness package (Article 23 related):

  • Incident triage workflow with severity criteria
  • Escalation matrix and on-call structure
  • Reporting decision tree (what triggers reporting and who decides)
  • Tabletop results and after-action reports
  • Evidence retention guidance for incident timelines and communications

You do not need perfect paperwork. You need coherent, consistent proof that your processes run as described. Article 33 scrutiny punishes gaps between policy and reality. (Directive (EU) 2022/2555, Article 33)

Step 4: Integrate third-party dependencies into the same evidence model

Authorities often care about whether your security posture extends to critical third parties that could affect service continuity or incident impact. For Article 33 readiness, connect third-party risk to:

  • Your enterprise risk register
  • Material supplier list (critical dependencies)
  • Remediation tracking (open findings, due dates, exceptions)

Minimum operational capability:

  • Identify critical third parties tied to the services that bring you into NIS 2 scope
  • Show due diligence artifacts (questionnaires, attestations, contract clauses, SOC/ISO reports where applicable)
  • Track remediation and acceptance decisions

Step 5: Run a “regulator-ready” rehearsal

Perform an internal exercise with a realistic prompt:

  • “Competent authority requests evidence that your incident reporting process meets NIS 2 expectations after a suspected late notification.”
  • “Authority requests evidence that supply-chain risks are assessed and remediated.”

Measure:

  • Time to assemble an evidence index
  • Number of broken links / missing approvals
  • Conflicting versions of policies or processes
  • Gaps where process exists but no operational evidence exists

Document findings and remediation. If a real inquiry arrives, you can show you operate a continuous-improvement loop, which is the posture that “effective, proportionate and dissuasive” supervision is meant to produce. (Directive (EU) 2022/2555, Article 33)
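One way to make the Step 5 rehearsal measurable against the Step 1 register is to treat the register as data and run the gap checks over it. The following is an added example, not code from the original page or from any product it mentions: it models the register fields from Step 1 as records and computes the Step 5 metrics (missing owners, broken evidence pointers, unapproved artifacts, stale reviews, overdue remediation, and conflicting current versions). All register rows, evidence identifiers, names, dates and cadences are constructed sample data, and the field names are this example's own choices, not anything the Directive specifies.

```python
"""Readiness check over a NIS 2 obligation register (added example).

Field names, evidence identifiers and cadences below are assumptions chosen for
illustration; the Directive does not prescribe a register format.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Obligation:
    ref: str                      # NIS 2 article/paragraph the row maps to
    control: str                  # control or process name
    owner: str | None             # named individual, not a team
    delegate: str | None
    evidence: list[str]           # pointers into the evidence inventory
    last_review: date | None
    cadence_days: int             # review cadence chosen by the entity
    open_issues: int = 0
    remediation_eta: date | None = None


@dataclass(frozen=True)
class Finding:
    ref: str      # obligation ref or document name the finding concerns
    kind: str     # metric bucket, see check_register()
    detail: str


def check_register(register: list[Obligation],
                   inventory: dict[str, dict],
                   today: date) -> list[Finding]:
    """Return one Finding per gap that would slow a regulator response."""
    findings: list[Finding] = []
    for o in register:
        if not o.owner:
            findings.append(Finding(o.ref, "missing_owner", o.control))
        if not o.evidence:
            findings.append(Finding(o.ref, "no_evidence", o.control))
        for ptr in o.evidence:
            meta = inventory.get(ptr)
            if meta is None:
                findings.append(Finding(o.ref, "broken_link", ptr))
            elif not meta.get("approved", False):
                findings.append(Finding(o.ref, "missing_approval", ptr))
        if o.last_review is None or today - o.last_review > timedelta(days=o.cadence_days):
            findings.append(Finding(o.ref, "stale_review", f"cadence {o.cadence_days}d"))
        if o.open_issues and (o.remediation_eta is None or o.remediation_eta < today):
            findings.append(Finding(o.ref, "overdue_remediation", f"{o.open_issues} open"))
    return findings


def conflicting_versions(inventory: dict[str, dict]) -> list[Finding]:
    """Flag documents that have more than one version marked current."""
    current: dict[str, list[str]] = defaultdict(list)
    for ptr, meta in inventory.items():
        if meta.get("current"):
            current[meta["doc"]].append(ptr)
    return [Finding(doc, "conflicting_versions", ", ".join(sorted(ptrs)))
            for doc, ptrs in current.items() if len(ptrs) > 1]


def readiness_report(register: list[Obligation],
                     inventory: dict[str, dict],
                     today: date) -> dict[str, int]:
    """Counts per metric bucket: the numbers a rehearsal should track over time."""
    findings = check_register(register, inventory, today) + conflicting_versions(inventory)
    return dict(Counter(f.kind for f in findings))


# Constructed sample evidence inventory (the system of record for artifacts).
SAMPLE_INVENTORY = {
    "EV-001": {"doc": "Information Security Policy", "version": 4, "approved": True, "current": True},
    "EV-002": {"doc": "Incident Response Procedure", "version": 2, "approved": True, "current": True},
    "EV-003": {"doc": "Incident Response Procedure", "version": 3, "approved": False, "current": True},
    "EV-004": {"doc": "Risk register extract Q2", "version": 1, "approved": True, "current": True},
}

# Constructed sample register rows; owners and dates are fictional.
SAMPLE_REGISTER = [
    Obligation("Art. 21(2)(a)", "Risk analysis and IS policies", "a.novak", "b.lee",
               ["EV-001", "EV-004"], date(2024, 5, 1), 90),
    Obligation("Art. 21(2)(b)", "Incident handling", "c.diaz", None,
               ["EV-002", "EV-003"], date(2024, 1, 15), 90,
               open_issues=2, remediation_eta=date(2024, 3, 31)),
    Obligation("Art. 23", "Incident reporting workflow", None, None,
               ["EV-009"], None, 90),
]
TODAY = date(2024, 6, 30)  # rehearsal date for the sample run

if __name__ == "__main__":
    for f in check_register(SAMPLE_REGISTER, SAMPLE_INVENTORY, TODAY) + conflicting_versions(SAMPLE_INVENTORY):
        print(f"{f.kind:22} {f.ref:28} {f.detail}")
    print(readiness_report(SAMPLE_REGISTER, SAMPLE_INVENTORY, TODAY))
```

Run it against an export of your real register and inventory, keep the per-bucket counts from each rehearsal, and the trend becomes the continuous-improvement evidence the page describes. The one bucket a regulator will read most harshly is `missing_approval` combined with `conflicting_versions`, because it means the document you would hand over is not the document anyone signed off.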

Required evidence and artifacts to retain

Use this as your retention checklist for Article 33 response readiness:

Governance and accountability

  • NIS 2 applicability assessment and scope statement
  • Obligation register with owners and evidence pointers
  • Board/management cybersecurity governance minutes (as applicable to your governance model)
  • Training completion records for key roles (incident handlers, reporters, control owners)

Operational execution (prove controls operate)

  • Risk assessments and treatment plans
  • Control testing results, internal audit reports, and remediation tracking
  • Security monitoring and incident management records (sanitized where necessary)
  • Incident tabletop materials and after-action reports

Third-party risk

  • Critical third-party inventory
  • Due diligence records and contractual security requirements
  • Exceptions, risk acceptances, and remediation correspondence

Supervisory interaction recordkeeping

  • Regulator communications log (inbound/outbound)
  • Evidence production index (what was provided, when, by whom)
  • Decision log for judgments (scope decisions, confidentiality, legal privilege handling)

Common exam/audit questions and hangups

Expect questions like:

  • “Show how you determined you are an important entity and which systems/services are in scope.”
  • “Walk through your incident reporting workflow and show evidence it has been used in real events.”
  • “Produce proof that risk management measures are implemented, not only documented.” (Directive (EU) 2022/2555, Article 33)
  • “How do you govern critical third parties, and how do findings flow into remediation?”

Hangups that slow teams down:

  • Evidence scattered across tools with no index
  • Control owners unclear or outdated
  • Incident timelines inconsistent across Security, Legal, and Comms
  • Third-party “criticality” not defined, so inventory is subjective

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: treating Article 33 as “the regulator’s problem.”
    Fix: build your supervisory response playbook and evidence model as internal controls, because Article 33 actions begin with alleged noncompliance. (Directive (EU) 2022/2555, Article 33)

  2. Mistake: policies without operational proof.
    Fix: for each key requirement area, store at least one operational artifact per period (tickets, logs, test results, approvals) that shows the process ran.

  3. Mistake: incident reporting is documented but not rehearsed.
    Fix: run regular internal drills and retain artifacts (agenda, scenario, decisions, lessons learned). Then map improvements to tracked issues.

  4. Mistake: third-party risk is a procurement checkbox.
    Fix: connect critical third-party findings to enterprise risk and remediation tracking, with explicit risk acceptance where you cannot remediate quickly.

Enforcement context and risk implications

Article 33 signals that supervision can be reactive. If an incident, complaint, intelligence report, or media story suggests your controls or reporting are weak, an authority may pursue ex post supervisory measures. (Directive (EU) 2022/2555, Article 33)

Risk implications for a CCO/GRC lead:

  • Operational disruption: supervisory requests create urgent evidence production work that can pull security teams off response and remediation.
  • Consistency risk: discrepancies across documents, tickets, and narratives reduce credibility quickly.
  • Governance risk: lack of named ownership and tracked remediation turns a manageable inquiry into a wider control-failure story.

Practical execution plan (30/60/90)

First 30 days: Stabilize ownership and visibility

  • Name an Article 33 response owner (primary) and a cross-functional backup.
  • Draft the supervisory response playbook and approve it with Legal and Security.
  • Create the NIS 2 obligation register and assign owners for each major obligation area.
  • Build an evidence index for Article 21 and Article 23 materials, the two areas Article 33 names in particular. (Directive (EU) 2022/2555, Article 33)

Days 31–60: Make evidence pull-ready

  • Standardize where evidence lives (single repository or governed links).
  • Implement decision logging for incident reporting and regulator communications.
  • Define “critical third party” criteria and publish the initial critical dependency list.
  • Stand up remediation tracking for gaps found in evidence assembly.

Days 61–90: Prove it works under stress

  • Run a supervisory-response rehearsal and document outcomes.
  • Close the top gaps that would block a timely response (missing owners, missing artifacts, unclear workflows).
  • Establish ongoing governance: periodic obligation register review, evidence refresh, and rehearsal schedule.

If you need a systemized way to keep obligations, owners, and evidence connected, Daydream is the natural place to manage the obligation register, evidence pointers, and remediation workflows without turning Article 33 readiness into a manual project.

Frequently Asked Questions

Does Article 33 create direct obligations on the entity, or only on Member States?

The text directs Member States to ensure competent authorities can take ex post supervisory action, but you should treat it as an operational requirement to be ready to demonstrate compliance under scrutiny. The trigger is an allegation of noncompliance, especially around Articles 21 and 23. (Directive (EU) 2022/2555, Article 33)

What should I prioritize to be “exam-ready” for Article 33?

Prioritize evidence you can produce quickly for security risk management measures and incident reporting workflows, because Article 33 highlights those areas. Then add a regulator response playbook with named owners and a decision log. (Directive (EU) 2022/2555, Article 33)

How do third parties fit into Article 33 readiness?

Article 33 doesn’t name third parties, but supervisory scrutiny often follows incidents or control failures where third-party dependencies matter. Keep a critical third-party inventory, due diligence artifacts, and remediation tracking tied to your broader NIS 2 evidence package.

What does “effective, proportionate and dissuasive” mean for my internal program?

You can’t control the authority’s choice of measures, but you can reduce escalation risk by responding promptly, producing consistent evidence, and showing active remediation. A documented remediation plan with owners and status reduces the appearance of unmanaged noncompliance. (Directive (EU) 2022/2555, Article 33)

What’s the fastest way to reduce response time to a regulator request?

Build an obligation register with direct links to evidence locations and control owners, then test evidence assembly with a rehearsal. Most delays come from unclear ownership and scattered artifacts, not from missing policies.

We have strong security controls. Why would Article 33 still be a problem?

Article 33 situations often test proof and governance under time pressure. If your controls operate but you can’t show consistent artifacts, incident decisions, and remediation tracking, the authority may still treat the case as noncompliance. (Directive (EU) 2022/2555, Article 33)

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.