NIS2 Art.36.1: Mutual Assistance Between Competent Authorities

What This Control Requires

Where an entity provides services in more than one Member State, the competent authorities of those Member States shall cooperate with and assist each other as necessary. Such cooperation shall comprise at least the following: the competent authorities applying supervisory or enforcement measures shall inform and consult the competent authorities of the other Member States concerned.

In Plain Language

If you operate across multiple EU countries, regulators will talk to each other about you. NIS2 creates a mutual assistance framework between competent authorities, meaning supervisory activities in one jurisdiction can be coordinated with or informed by authorities elsewhere.

This closes the loophole of playing jurisdictions against each other. A non-compliance finding in one Member State may trigger interest or investigation in another. On the positive side, a strong compliance posture demonstrated in one country supports your regulatory standing everywhere.

The practical consequence is clear: your compliance efforts must be consistent across all Member States where you operate. Inconsistent security measures or contradictory incident reports across jurisdictions will raise red flags with regulators who are actively sharing information.

How to Implement

Map your NIS2 obligations in every Member State where you provide services. Identify the competent authority and CSIRT in each, determine your primary Member State (typically where your main establishment is), note any differences in national implementation that affect your requirements, and clarify registration obligations in each jurisdiction.

Implement a group-wide cybersecurity programme that meets NIS2 requirements consistently across all jurisdictions. National implementations may differ in details, but your core security measures, policies, and procedures should be harmonised so your compliance posture looks the same regardless of which regulator is looking.

Appoint a primary point of contact for NIS2 regulatory interactions who can coordinate across jurisdictions. When a competent authority in one Member State takes action, your response should be coordinated to provide consistent information everywhere.

Stay aware of supervisory activity across all your jurisdictions. If a competent authority in one country issues findings or guidance, assess what that means for your operations in other Member States and close any cross-jurisdictional gaps proactively.

Set up internal coordination procedures for multi-jurisdictional incident reporting. If an incident affects services in several Member States, your reports to different authorities need to meet each jurisdiction's requirements while telling a consistent factual story.

Join industry groups that tackle cross-border NIS2 compliance challenges. Peer organisations dealing with similar multi-jurisdictional complexity can share practical guidance and lessons learned.

Document your multi-jurisdictional compliance approach, including why you harmonised certain measures and where you made jurisdiction-specific adaptations. This documentation will support you in regulatory interactions no matter which Member State is asking questions.

Evidence Your Auditor Will Request

  • Multi-jurisdictional NIS2 obligations mapping
  • Group-wide cybersecurity programme documentation
  • Cross-jurisdictional coordination procedures for incident reporting
  • Designated regulatory liaison for multi-jurisdictional interactions
  • Jurisdiction-specific compliance adaptations documentation

Common Mistakes

  • Compliance treated as a national matter without cross-jurisdictional coordination
  • Inconsistent security measures across different Member State operations
  • No designated coordinator for multi-jurisdictional regulatory interactions
  • Incident reporting in different jurisdictions provides inconsistent information
  • Unaware that supervisory findings in one Member State are shared with others

Related Controls Across Frameworks

Framework  | Control ID | Relationship
GDPR       | Art.56     | Related
ISO 27001  | A.5.36     | Related

Frequently Asked Questions

Do we need to register in every Member State where we provide services?
It depends on national implementation. Generally, you register in the Member State of your main establishment. Some national implementations may require notification in other countries as well, and certain entity types (DNS providers, cloud computing services) may have specific jurisdictional rules. Check with competent authorities in each relevant Member State to be sure.

Can supervisory findings in one Member State lead to enforcement in another?
Absolutely. Competent authorities share information about findings and enforcement actions for entities operating across multiple Member States. A non-compliance finding in one jurisdiction can prompt investigation in another. This is exactly why consistent, group-wide compliance matters so much.
