A NIS2 pan-European registry for identifying and classifying essential and important entities

TL;DR

This paper presents a modular, legally grounded registry system for NIS2 cybersecurity governance in the EU, automating entity classification and notification processes to support authorities and reduce administrative burdens.

Contribution

It introduces a scalable, adaptable framework translating legal provisions into technical workflows, algorithms, and dashboards for NIS2 compliance and supervision.

Findings

Automates entity registration, classification, and notification processes.

Supports context-aware supervision with a flexible labeling system.

Designed for easy adaptation across EU member states.

Abstract

The NIS2 Directive establishes a common cybersecurity governance model across the European Union, requiring member states to identify, classify, and supervise essential and important entities. As part of a broader governance network, member states are also obligated to notify the European Commission, the Cooperation Group, and ENISA about their cybersecurity infrastructure landscape. This thesis presents an analysis of the NIS2 Directive in this context and translates its provisions into concrete technical requirements. These requirements inform the design and implementation of a modular, legally grounded registry system intended to support competent authorities across the EU in meeting their obligations. Using the Design Science Research methodology, the thesis transforms complex legal provisions into structured workflows, deterministic classification algorithms, and interactive dashboards. The resulting system automates key regulatory processes, including entity registration, classification, and notification, while enabling context-aware supervision and reducing administrative burden. It supports both automated and manual registration methods and introduces a contextual labeling system to handle edge cases, risk factors, and cross-directive dependencies. Although developed for the Norwegian regulatory ecosystem, the system is designed for adaptation by other member states with minimal modification. This thesis contributes a reusable framework that bridges legal interpretation and technical implementation, offering a scalable solution for national and EU-level NIS2 cybersecurity governance. It also identifies key limitations and outlines opportunities for future research and development.