Article 46: Addressees
The Article 46 (Addressees) requirement means NIS 2 is legally addressed to EU Member States, so your company complies through each country’s national transposition law, not through Article 46 itself. Operationalize it by mapping where you operate, tracking each jurisdiction’s implementing rules, and assigning owners and evidence for the NIS 2 obligations those laws impose. (Directive (EU) 2022/2555, Article 46)
Key takeaways:
- Article 46 does not create direct operational duties for companies; it tells you to follow Member State implementing laws. (Directive (EU) 2022/2555, Article 46)
- Your first control is governance: a jurisdiction-by-jurisdiction obligation register with owners, milestones, and proof. (Directive (EU) 2022/2555)
- Readiness risk comes from inconsistent translation of NIS 2 duties across countries, especially incident reporting and third-party dependency management. (Directive (EU) 2022/2555)
“Article 46: Addressees requirement” looks trivial because it is one sentence. For operators, it is a scope and governance trigger that determines how you build your NIS 2 compliance program. Article 46 states the directive is addressed to Member States, which means obligations become enforceable against organizations through national laws that transpose NIS 2 into each country’s legal system. (Directive (EU) 2022/2555, Article 46)
If you are a CCO, Compliance Officer, or GRC lead, this shifts your work from “comply with the directive text” to “maintain an always-current map from the directive to each jurisdiction’s implementing requirements, then prove you meet them in practice.” That mapping is also how you avoid two common failure modes: (1) over-building controls that do not match local requirements and business footprint, and (2) under-building because teams assume one EU-wide approach is automatically sufficient.
This page gives requirement-level implementation guidance you can execute quickly: what to decide, who owns what, what evidence to retain, and what auditors or regulators typically probe when national NIS 2 supervision starts. (Directive (EU) 2022/2555)
Regulatory text
Text (verbatim): “This Directive is addressed to the Member States.” (Directive (EU) 2022/2555, Article 46)
Operational meaning for you: Article 46 itself does not tell you to implement a technical or procedural control. Your operational requirement is to treat NIS 2 as a transposition-driven regime: identify which Member State laws apply to your entity and services, then implement and evidence the obligations those laws impose (for example, governance, risk management measures, incident handling, and third-party dependency management). (Directive (EU) 2022/2555, Article 46)
Plain-English interpretation
- NIS 2 is an EU directive, not a regulation. Directives bind Member States to achieve results through national law. (Directive (EU) 2022/2555)
- Your compliance target in each EU country is the national NIS 2 implementing law and local supervisory practice, informed by the directive’s requirements. (Directive (EU) 2022/2555)
- Practically, Article 46 is a program design requirement: you need a repeatable way to translate EU directive obligations into local operational requirements and prove you did it. (Directive (EU) 2022/2555, Article 46)
Who it applies to (entity and operational context)
Article 46 applies formally to Member States, but it affects how regulated entities should structure compliance and assurance work because enforcement will occur via national transposition. (Directive (EU) 2022/2555, Article 46)
You should treat this as in-scope if you are any of the following:
- A company that believes it is in scope of NIS 2 as an essential entity or important entity (classification is determined by the directive and then applied in national law). (Directive (EU) 2022/2555)
- A multinational with establishments, services, infrastructure, or customers across multiple EU Member States, where inconsistent local implementation can create compliance gaps. (Directive (EU) 2022/2555)
- A group with material third-party dependencies (cloud, managed services, telecom, critical suppliers) that must be consistently captured in risk assessment and assurance artifacts across jurisdictions. (Directive (EU) 2022/2555)
Operational contexts where this requirement matters most:
- Cross-border operating models (shared SOC, centralized incident response, shared procurement).
- M&A / new market entry where footprint changes faster than your control mapping.
- Federated IT where different business units implement “NIS 2” differently and cannot produce consistent evidence.
What you actually need to do (step-by-step)
Your goal is simple: prove that you know which national NIS 2 rules apply to you, that you assigned accountability, and that operational processes meet those requirements with exam-ready evidence. Article 46 is the legal basis for why you must do this per Member State. (Directive (EU) 2022/2555, Article 46)
Step 1 — Establish your “NIS 2 applicability map”
Create a maintained inventory of:
- EU Member States where you have an establishment, provide in-scope services, or operate relevant infrastructure.
- Legal entities, business services, and supporting systems tied to each country.
- Known or likely supervisory touchpoints (competent authority) to the extent identified through counsel or local compliance (do not guess; record “TBD” explicitly).
Output: A one-page “where NIS 2 applies” map that can be shown to leadership and auditors. (Directive (EU) 2022/2555)
Step 2 — Build a NIS 2 obligation register (jurisdictional)
This is the core control to operationalize Article 46.
Create a register with these minimum fields:
- Directive obligation (high-level topic, traced to NIS 2)
- Jurisdiction (Member State)
- Local transposition reference (link/name maintained by legal team; if not available yet, record status)
- Your internal control(s) mapped to the obligation
- Control owner (named function/person)
- Evidence artifacts (specific documents/logs/screenshots)
- Testing method and cadence (internal audit, control self-assessment, SOC metrics review)
- Open issues and remediation tracking
This register is how you prevent the biggest risk factor: NIS 2 obligations translated inconsistently into local operational requirements across jurisdictions. (Directive (EU) 2022/2555)
Practical tip: Keep the register readable for non-lawyers. Your auditors will accept a legally grounded mapping if it is operational, owned, and testable.
Step 3 — Standardize “global baseline + local delta”
Define:
- A global baseline of controls you run everywhere (incident triage, escalation, reporting workflow, third-party risk intake).
- A local delta section per Member State (timing triggers, reporting formats, language requirements, authority-specific portal steps, local record retention rules).
This prevents a common anti-pattern: each country builds a separate “NIS 2 program” that cannot be governed centrally or evidenced consistently. (Directive (EU) 2022/2555)
Step 4 — Codify incident handling and reporting as an evidence-producing workflow
Even though Article 46 is not an incident article, it drives the need to follow national incident reporting requirements derived from NIS 2.
Minimum operational components:
- Triage criteria and severity model that link to notification triggers.
- Escalation matrix (who approves notifications and when).
- Drafting workflow for notifications (legal + IR + comms).
- Evidence retention list (timestamps, decision logs, copies of filings).
This directly addresses the readiness risk: governance controls exist, but incident handling evidence is not exam-ready. (Directive (EU) 2022/2555)
Step 5 — Integrate third-party dependencies into the same jurisdictional governance
NIS 2’s supply chain emphasis becomes enforceable via national laws. Your job is to show:
- You know which third parties are critical to in-scope services.
- You assessed their risk and tracked remediation.
- You can produce assurance evidence fast.
Minimum actions:
- Tag third parties to the services/countries they support.
- Require contract and security addenda where needed to support incident response cooperation and security expectations.
- Tie third-party issues into the same remediation and governance reporting as internal findings. (Directive (EU) 2022/2555)
Step 6 — Set management oversight and reporting
Article 46 implies Member States are responsible for implementation, but your oversight must survive national supervisory review.
Do:
- Quarterly steering review of the obligation register (status, deltas, open items).
- A single accountable executive for NIS 2 execution across jurisdictions.
- A documented decision record when you interpret applicability boundaries. (Directive (EU) 2022/2555)
Required evidence and artifacts to retain
Keep artifacts that prove you translated the directive into local requirements and operationalized them:
Governance & scope
- NIS 2 applicability map (countries, entities, services)
- NIS 2 obligation register with jurisdictional notes, owners, milestones (Directive (EU) 2022/2555)
- Role assignments (RACI) for incident handling, reporting, third-party risk
Operational readiness
- Incident triage and escalation procedure, with reporting triggers and decision logs (Directive (EU) 2022/2555)
- Tabletop or simulation outputs (agenda, attendance, scenarios, actions tracked)
- Evidence retention standard for incidents (what is stored, where, who can access)
Third-party dependency management
- Critical third-party inventory mapped to in-scope services
- Third-party risk assessments and remediation tracking
- Contract clauses or addenda relevant to security cooperation and incident notification coordination (Directive (EU) 2022/2555)
Common exam/audit questions and hangups
Expect these lines of questioning because Article 46 makes national implementation the enforcement entry point:
- “Which national laws apply to you, and how do you know?”
  Hangup: teams cite the directive only and cannot show a country-by-country mapping. (Directive (EU) 2022/2555, Article 46)
- “Show your control mapping and the owner for each obligation.”
  Hangup: a policy exists, but no named owner, no testing evidence, no remediation records. (Directive (EU) 2022/2555)
- “Walk us through an incident notification end-to-end.”
  Hangup: playbooks exist, but teams cannot produce timestamps, approvals, or copies of drafts and submissions. (Directive (EU) 2022/2555)
- “How do third parties fit into your in-scope service risk posture?”
  Hangup: procurement has vendor files, security has assessments, and neither ties to the services and jurisdictions in scope. (Directive (EU) 2022/2555)
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails under Article 46 | Fix |
|---|---|---|
| Treating NIS 2 as a single EU-wide checklist | Article 46 points you to Member State law as the binding instrument. (Directive (EU) 2022/2555, Article 46) | Maintain a jurisdictional obligation register with local deltas. |
| Building controls without evidence design | Supervisors test whether you can prove operation, not whether a policy exists. (Directive (EU) 2022/2555) | Define evidence artifacts per control upfront; test retrieval speed. |
| Ignoring third-party dependencies until procurement renewal | Supply-chain exposure can drive findings and operational disruption. (Directive (EU) 2022/2555) | Map critical third parties to in-scope services and track remediation like internal findings. |
| Letting each country interpret scope independently | Creates gaps and conflicting reporting behavior. | Run a global baseline with controlled local deltas and documented decisions. |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not list cases.
Risk you should manage anyway:
- Regulatory misalignment risk: if local transposition differs, “we follow the directive” will not answer a national supervisor’s request. (Directive (EU) 2022/2555, Article 46)
- Operational readiness risk: if incident workflows and third-party dependency evidence are not exam-ready, you may face supervisory scrutiny and remediation orders under national regimes. (Directive (EU) 2022/2555)
Practical 30/60/90-day execution plan
Use phases rather than fixed-day promises. The deliverables below are what matter for operationalizing Article 46.
First 30 days (Immediate)
- Stand up the NIS 2 applicability map (countries, entities, services).
- Create the first version of the NIS 2 obligation register with owners and status.
- Identify top-risk gaps: incident reporting workflow evidence, third-party criticality mapping. (Directive (EU) 2022/2555)
Days 31–60 (Near-term)
- Define the global baseline + local delta structure; pilot it in one jurisdiction.
- Run a lightweight incident notification simulation focused on timestamps, approvals, and evidence capture.
- Tag critical third parties to in-scope services; start remediation tracking for the highest-risk dependencies. (Directive (EU) 2022/2555)
Days 61–90 (Stabilize and prove)
- Expand the obligation register coverage across all applicable jurisdictions and lock governance cadence.
- Produce an “exam pack” for one jurisdiction: scope, mapping, controls, evidence samples, open issues, remediation plan.
- Add internal assurance: control self-assessments or internal audit scoping tied to the obligation register. (Directive (EU) 2022/2555)
Where Daydream fits (earned mention): If you are struggling to keep the obligation register, evidence, and third-party dependency mapping coherent across jurisdictions, Daydream can function as the system of record for obligations, control ownership, and exam-ready artifacts without turning your compliance program into a spreadsheet fleet. (Directive (EU) 2022/2555)
Frequently Asked Questions
Does Article 46 create any direct obligations for my company?
Article 46 states the directive is addressed to Member States, so it does not itself impose a standalone operational duty on organizations. Your obligations come from national laws that implement NIS 2 in each Member State. (Directive (EU) 2022/2555, Article 46)
What is the fastest way to operationalize the Article 46 (Addressees) requirement?
Build and maintain a jurisdictional obligation register that maps directive obligations to each country’s transposed requirements, with control owners and evidence artifacts. This is the most defensible way to show you tracked national implementation. (Directive (EU) 2022/2555, Article 46)
We operate in several EU countries. Can we run one centralized NIS 2 program?
Yes, if you define a global baseline and document local deltas driven by national transposition. Auditors mainly look for traceability from local requirements to owned controls and retrievable evidence. (Directive (EU) 2022/2555)
What evidence should I be ready to show on short notice?
Have your applicability map, obligation register, incident triage and escalation workflow, and third-party criticality mapping ready. Pair each with concrete proof of operation, not just policies. (Directive (EU) 2022/2555)
How should third-party risk management connect to Article 46?
Article 46 drives you to national implementing rules, and those rules will evaluate how you manage supply-chain dependencies that affect in-scope services. Map critical third parties to services and jurisdictions, then track assurance and remediation centrally. (Directive (EU) 2022/2555)
Our legal team owns transposition tracking. What does compliance/GRC own?
GRC should own the obligation register as the operational translation layer: owners, controls, evidence, testing, and remediation. Legal can supply the local law references, but GRC must prove execution. (Directive (EU) 2022/2555, Article 46)