Designing an NIS2-Compliant Registry System: A Design Science Approach to the Classification and Supervision of Essential and Important Entities
摘要
The NIS2 Directive establishes a comprehensive cybersecurity governance framework across the European Union, mandating Member States to identify, classify, and oversee essential and important entities. As part of this governance ecosystem, Member States are required to submit national registries of these entities to the European Commission, the Cooperation Group, and ENISA. This paper critically examines the NIS2 Directive, with particular emphasis on its provisions for creating registries of essential and important entities. Specifically, Article 3 requires Member States to compile national registries containing entity details such as name, sector, and contact information, while Article 27 assigns ENISA the responsibility of maintaining a centralized EU-level registry for designated digital infrastructure and service providers. We operationalize these legal mandates by translating them into concrete technical specifications, guiding the design and development of a modular, legally compliant registry system. Employing the Design Science Research (DSR) methodology, we decompose complex legal requirements into a structured workflow, deterministic classification algorithms, and a comprehensive set of system specifications. The resulting conceptual registry prioritizes automation, harmonization, information sharing, and context-aware supervision, thereby supporting competent authorities in fulfilling their obligations and ensuring compliance at both national and EU levels. This study contributes a reusable framework that effectively bridges legal interpretation with technical implementation, offering a scalable and robust solution for cybersecurity governance under the NIS2 Directive.