# NIS2 Registration & Reporting

> Prepare entity registration submissions and annual reports per NIS2 Art. 27-28. Validates registration form completeness against required fields (entity details, sector, IP ranges, contact information) and checks annual report content. Produces registration-ready submissions and structured annual compliance reports.



Tags: NIS2, Registration, Reporting, CSIRT, GRC, Compliance


## Example Prompts

- Prepare our NIS2 entity registration for the national competent authority
- Draft our annual NIS2 compliance report
- Check if our registration submission has all required fields
- Update our NIS2 registration after a change in services

URL: https://rakenne.app/skills/nis2-registration-reporting/index.md

Try this skill: https://rakenne.app/a/?skill=nis2-registration-reporting



## Overview

NIS2 Articles 27 and 28 require essential and important entities to register with their national competent authority or CSIRT and submit annual compliance reports. The registration must include entity identification details, sector classification, IP address ranges, designated contact persons, and a list of services provided across member states. Missing or incomplete submissions can delay an entity's formal recognition and expose it to supervisory action.

This skill walks you through both obligations end to end. It gathers the information required by Art. 27(2), populates a registration form template, and validates every field before submission. When the annual reporting cycle arrives, it drafts a structured compliance report covering incidents, measures, training, and metrics, then validates that all expected sections are present. DNS service providers, TLD name registries, and domain name registration service entities get additional field checks automatically.

### What It Covers

- **Entity registration (Art. 27)** — structured data collection for all required fields: legal name, address, contacts, sector/sub-sector, entity classification, IP ranges, member states, and services list
- **DNS/TLD additional fields** — automatic detection and validation of extra requirements for DNS service providers, TLD name registries, and domain name registration service entities
- **Registration completeness validation** — tool-based check against every Art. 27(2) field with PRESENT/ABSENT status and actionable remediation
- **Annual compliance reporting (Art. 28)** — incident summaries, cybersecurity measures, training activities, audit results, supply chain updates, performance metrics, and planned improvements
- **Report content validation** — section-by-section check with completeness score and guidance on missing content
- **Change notifications** — support for updating registration data within the Art. 27(3) two-week notification window

## Example Conversation

> **You:** We need to register as an essential entity with our national CSIRT under NIS2. We're an energy company operating in Germany and the Netherlands.
>
> **Agent:** I'll guide you through the NIS2 entity registration process per Art. 27. Let me collect the required information. First, the basics:
>
> 1. What is the entity's full legal name and any trading names?
> 2. What is the registered address?
> 3. Which sector and sub-sector apply — energy generation, transmission, distribution, or supply?
> 4. Do you have a designated contact person for the competent authority?
>
> **You:** Legal name is Nordsee Energie GmbH, trading as NordEnergy. Registered at Hafenstraße 12, 20457 Hamburg, Germany. We're in energy distribution — electricity. I'm not sure we've formally named a contact person yet.
>
> **Agent:** Good. Let me continue gathering the remaining fields. I need:
>
> - Contact email and telephone for the entity
> - The full list of services you provide, with the member states where each is offered
> - IP address ranges used by your operational and corporate networks
> - Your entity classification — essential or important
>
> **You:** Main email is compliance@nordsee-energie.de, phone +49 40 555 0100. We provide electricity distribution in Germany and the Netherlands. Classification is essential. For IP ranges, I only have our corporate block: 185.42.16.0/22.
>
> **Agent:** I've drafted the registration form. Let me run the completeness check. Running `registration_completeness_checker`...
>
> **Results:**
>
> | Field | Status |
> |-------|--------|
> | Entity name (legal name and trading names) | PRESENT |
> | Registered address | PRESENT |
> | Contact email | PRESENT |
> | Contact telephone | PRESENT |
> | Sector and sub-sector (Annex I or Annex II) | PRESENT |
> | Member state(s) where services are provided | PRESENT |
> | IP address ranges | PRESENT |
> | Entity classification (essential/important) | PRESENT |
> | List of services provided | PRESENT |
> | Contact person (name, role, email, phone) | **ABSENT** |
>
> **Status: INCOMPLETE — 1 required field missing.**
>
> You mentioned you haven't formally designated a contact person. Art. 27(2) requires a named individual with role, email, and phone number. Who should this be?
>
> **You:** That should be Maria Schulz, Head of Cybersecurity, m.schulz@nordsee-energie.de, +49 40 555 0142. Also, I realize I didn't include our OT network ranges — those are 10.200.0.0/16 and 172.18.0.0/16.
>
> **Agent:** Updated. Running `registration_completeness_checker` again...
>
> **Status: COMPLETE — All required fields are present.**
>
> The registration form is ready for submission. I've written it to `output/NIS2-Registration-Form.md`. Remember: any changes to this information must be notified to the competent authority within 2 weeks per Art. 27(3).
>
> ---
>
> *Three months later...*
>
> **You:** We need to prepare our annual NIS2 compliance report. Can you draft it?
>
> **Agent:** I'll draft your annual report. Let me gather the key information for the reporting period. Tell me:
>
> 1. What is the reporting period (start and end dates)?
> 2. Were there any significant cybersecurity incidents during the period?
> 3. What cybersecurity measures were implemented or updated?
> 4. What training and awareness activities were conducted?
>
> **You:** Period is January to December 2025. We had two significant incidents — a phishing campaign in March (contained in 4 hours, no data loss) and a DDoS on our customer portal in September (mitigated in 90 minutes). We rolled out a new SIEM, updated our incident response plan, and conducted quarterly phishing simulations plus annual security awareness training for all staff.
>
> **Agent:** I've drafted the report with those details plus sections for audit activities, supply chain updates, metrics, and planned improvements. Let me validate it. Running `annual_report_validator`...
>
> **Results — Completeness score: 100% (9/9 sections)**
>
> | Section | Status |
> |---------|--------|
> | Reporting period | PRESENT |
> | Significant incidents summary | PRESENT |
> | Measures taken or updated | PRESENT |
> | Training and awareness activities | PRESENT |
> | Audit or assessment activities | PRESENT |
> | Changes to entity classification or services | PRESENT |
> | Supply chain security updates | PRESENT |
> | Key performance metrics | PRESENT |
> | Planned improvements for next period | PRESENT |
>
> **Status: COMPLETE — All expected sections are present.**
>
> The annual report is ready for review. I've written it to `output/NIS2-Annual-Report.md`.

## Sample Output Excerpt

Below is a representative excerpt from a generated registration form showing the entity identification and sector classification sections.

---

### 1. Entity Identification

| Field | Value |
|-------|-------|
| **Legal name** | Nordsee Energie GmbH |
| **Trading name(s)** | NordEnergy |
| **Registered address** | Hafenstraße 12, 20457 Hamburg, Germany |
| **Contact email** | compliance@nordsee-energie.de |
| **Contact telephone** | +49 40 555 0100 |
| **Entity classification** | Essential entity |

### 2. Designated Contact Person

| Field | Value |
|-------|-------|
| **Name** | Maria Schulz |
| **Role** | Head of Cybersecurity |
| **Email** | m.schulz@nordsee-energie.de |
| **Telephone** | +49 40 555 0142 |

### 3. Sector Classification

| Field | Value |
|-------|-------|
| **Sector** | Energy (Annex I, Sector 1) |
| **Sub-sector** | Electricity — Distribution |
| **Entity type** | Distribution system operator per Directive (EU) 2019/944 |

### 4. Services and Member States

| Service | Member State(s) |
|---------|-----------------|
| Electricity distribution — medium and low voltage | Germany, Netherlands |

### 5. IP Address Ranges

| Network | CIDR Block | Purpose |
|---------|-----------|---------|
| Corporate | 185.42.16.0/22 | Office and administrative systems |
| OT Network A | 10.200.0.0/16 | SCADA and distribution control systems |
| OT Network B | 172.18.0.0/16 | Substation monitoring and metering |

<!-- /excerpt -->

## Extension Tools

### `registration_completeness_checker`

Validates a registration document against all NIS2 Art. 27(2) required fields. Pass the full text of the registration form and receive a field-by-field checklist with PRESENT or ABSENT status.

**Core fields checked (10):**

| Field | What It Looks For |
|-------|-------------------|
| Entity name | Legal name and trading names |
| Registered address | Postal address or head office |
| Contact email | Email address for the entity |
| Contact telephone | Phone number for the entity |
| Sector and sub-sector | Annex I or Annex II sector classification |
| Member state(s) | Jurisdictions where services are provided |
| IP address ranges | CIDR blocks, IPv4/IPv6 ranges |
| Entity classification | Essential or important designation |
| List of services provided | Services offered with delivery scope |
| Contact person | Named individual with role, email, and phone |

**DNS/TLD additional fields (3):** If the document mentions DNS service providers, TLD name registries, or domain name registration services, the tool automatically checks three extra fields — TLD names managed, number of domain names registered, and entity type designation.

The tool returns an overall COMPLETE or INCOMPLETE verdict. When incomplete, it lists every absent field with a remediation prompt so you know exactly what to add.

### `annual_report_validator`

Checks an annual compliance report against the nine expected content sections. Pass the full text of the report and receive a section-by-section checklist with a completeness score.

**Sections checked (9):**

| Section | What It Looks For |
|---------|-------------------|
| Reporting period | Start and end dates for the covered period |
| Significant incidents summary | Incident counts, types, severity, impact, resolution |
| Measures taken or updated | Controls, safeguards, or policies implemented or revised |
| Training and awareness | Training sessions, phishing simulations, exercises |
| Audit or assessment activities | Audits, penetration tests, vulnerability scans |
| Classification changes | Changes to entity type, scope, or services |
| Supply chain security | Third-party, vendor, and supplier security updates |
| Key performance metrics | KPIs such as MTTD, MTTR, or other performance indicators |
| Planned improvements | Roadmap, future actions, or improvements for the next period |

Returns a completeness percentage (e.g., 78% — 7/9 sections) and lists any missing sections with guidance on what content to add.

## Getting Started

Have this information ready before you begin:

- **Entity details** — legal name, trading names, registered address, and general contact email and phone
- **Sector classification** — your sector and sub-sector per NIS2 Annex I (essential) or Annex II (important), and whether you are classified as essential or important
- **IP address ranges** — CIDR blocks for both corporate IT and operational technology networks
- **Designated contact person** — name, role, direct email, and phone number for the individual responsible for NIS2 compliance
- **Services list** — each service you provide and the EU member states where it is offered
- **For DNS/TLD entities** — TLD names managed, domain registration volumes, and entity type designation

Install the *NIS2 Registration & Reporting* skill from the skill library. If you have completed the *NIS2 Entity Classification* skill, load it first — the agent will pull your classification results (essential vs. important, applicable sectors) directly into the registration form.

Start with a prompt like *"Prepare our NIS2 entity registration for the national competent authority"* and the agent will walk you through each required field, validate completeness, and produce a submission-ready registration document. When reporting season arrives, ask it to *"Draft our annual NIS2 compliance report"* and it will structure the report, populate sections from your inputs, and validate that nothing is missing.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)