
NIS2 Art.33.1: Supervision of Important Entities

What This Control Requires

Where competent authorities are provided with evidence, indication or information suggesting that an important entity allegedly does not comply with this Directive, in particular with Articles 21 and 23 thereof, Member States shall ensure that the competent authorities take action, where necessary, by way of ex post supervisory measures.

In Plain Language

Important entities get a lighter supervisory touch than essential ones - regulators investigate reactively, when there is evidence of non-compliance, rather than running proactive scheduled audits. But do not let that create a false sense of comfort.

Evidence of non-compliance can surface from many directions: your own incident reports, customer complaints, CSIRT intelligence, media coverage, sector intelligence, or whistleblowers. Once a competent authority has grounds to investigate, the supervisory powers are still substantial - on-site inspections, targeted audits, security scans, and formal information requests.

The maximum fines are lower than for essential entities (7 million euros or 1.4% of turnover), but they are still serious money. Relying on the reactive nature of supervision as a reason to deprioritise compliance is a gamble that rarely pays off.

How to Implement

Maintain a proactive compliance posture even though supervision is reactive. Implement all Art.21 measures and Art.23 reporting obligations with the same rigour as essential entities. The substantive requirements are identical - only the supervisory intensity differs.

Run regular internal compliance assessments to catch and fix gaps before they become the subject of a regulatory investigation. Self-identified and self-corrected issues look far better than problems discovered by a regulator.

Keep your documentation comprehensive and well-organised. Important entities may go years between supervisory interactions, so your records need to support historical compliance demonstration. If an auditor turns up in 2028 asking about your 2026 posture, you need to produce that evidence.

Have investigation response procedures ready even if you rarely need them. When supervision is triggered, the response must be prompt and thorough. Cover how to receive and acknowledge regulatory notifications, gather evidence and documentation, facilitate inspections or audits, and implement corrective actions.

Manage the triggers that could invite regulatory attention. Make sure your incident reports are accurate and timely, address cybersecurity-related customer complaints promptly, maintain a good relationship with your CSIRT, and handle public communications about security issues carefully.

Remember that even an investigation that results in no enforcement action can create uncertainty among customers and partners. Proactive compliance is the best way to avoid that situation entirely.

Stay informed about sector-specific supervisory expectations and any thresholds that might trigger investigations for important entities in your sector.

Evidence Your Auditor Will Request

  • Internal compliance assessment records
  • Documentation demonstrating implementation of all NIS2 requirements
  • Incident reporting records showing timely and accurate submissions
  • Investigation response procedures
  • Customer complaint handling records related to cybersecurity

Common Mistakes

  • Complacency due to reactive supervision; compliance efforts deprioritised
  • Documentation not maintained between supervisory interactions; evidence gaps accumulate
  • No investigation response procedures; unprepared when supervision is triggered
  • Incident reports that trigger an investigation turn out to reveal systemic non-compliance
  • Management treats NIS2 compliance as less important because the entity is 'only' important, not essential

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.35        Related
SOC 2        CC4.1         Related

Frequently Asked Questions

What can trigger an investigation of an important entity?
Plenty of things: incident notifications suggesting inadequate security, complaints from service recipients, information from CSIRTs or other authorities, media reports of security issues, intelligence from peer organisations, or any other evidence pointing to non-compliance. The sources are diverse, which is why maintaining genuine compliance is the only reliable defence.
Are the fines lower for important entities?
Yes - the maximum is 7 million euros or 1.4% of worldwide annual turnover, whichever is higher. That is lower than the essential entity cap, but still a very significant amount. Do not treat the lower ceiling as a reason to take compliance less seriously.
