Art. 14 NIS 2

The NIS 2 Cooperation Group under Article 14

Article 14 NIS 2 sets up the Cooperation Group as the strategic coordination layer of the directive. Member States, the Commission and ENISA sit in it. The EEAS observes. It issues guidance, runs peer reviews and produces coordinated supply-chain risk assessments. It does not regulate individual entities.

Simon OrzelSimon Orzel·

The short version

The Cooperation Group is the EU-level strategic coordination body for NIS 2. Article 14(1) sets it up to support strategic cooperation and information exchange between Member States and to build trust. It is not a regulator. It does not handle incidents. It does not enforce.

Its job is policy and guidance. Article 14(4) lists nineteen tasks: orientation for competent authorities, support for coordinated vulnerability disclosure, best-practice exchange, advisory input to the Commission, peer reviews under Article 19, and the coordinated supply-chain risk assessments under Article 22. ENISA provides the secretariat.

For most entities, the Cooperation Group is invisible. You never deal with it directly. But its outputs reach you through national authorities. A coordinated Article 22 risk assessment can shape what your procurement contracts have to ask of suppliers. A BSI Infopaket may cite Cooperation Group guidance verbatim. Read it as the upstream source of national policy.

The legal source
Two layers. The directive establishes the Cooperation Group and sets its tasks. There is no implementing regulation for the Group itself (it is a Directive-level institution). National participation runs through each Member State's ministries and competent authorities.

Article 14(1) and 14(3) NIS 2 Directive (2022/2555)

In order to support and facilitate strategic cooperation and the exchange of information among Member States and to strengthen trust and confidence, a Cooperation Group is established. The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer.

Article 14(1) creates the Group. Article 14(3) sets the composition. Article 14(2) says it works on the basis of biennial work programmes. Article 14(4) lists the nineteen tasks (letters a to s) the Group performs.

No implementing regulation

N/A — Cooperation Group is a Directive-level institution, no CIR section.

Unlike Article 21(2) measures, where CIR (EU) 2024/2690 spells out the technical detail, the Cooperation Group itself sits in the directive. There is no implementing regulation that operationalises Article 14. The Group sets its own work programme every two years.

National participation (Germany: BMI, BSI)

Strategic cooperation under NIS 2 is exercised through the federal ministries and the BSI as the competent authority.

Germany participates through the Federal Ministry of the Interior (BMI) and the BSI. §3 BSIG names BSI as the federal cybersecurity authority and points at strategic cooperation under NIS 2. Other Member States send their own representatives, usually one ministry seat plus the national cybersecurity authority.

The three building blocks of the Cooperation Group
Article 14 sets the Group up around three structural pieces. Who sits in it. What it does. And how it organises its work over time.
Art. 14(3)

Composition

Representatives of every Member State, the Commission and ENISA. The European External Action Service joins as an observer. ENISA provides secretariat support. The Member State seats are typically filled by the national cybersecurity authority plus a ministry representative.

Art. 14(4)

Nineteen tasks (a to s)

Orientation and guidance to competent authorities, support for coordinated vulnerability disclosure, best-practice and information exchange on threats and incidents, advisory exchange with the Commission on policy, exchange with EU bodies, peer reviews under Article 19, and the coordinated risk assessments of critical supply chains under Article 22.

Art. 14(2)

Biennial work programmes

The Group plans its work in two-year cycles. Each work programme sets the priorities, the deliverables and the peer-review schedule for the period. The biennial cadence keeps the agenda visible and lets Member States align their national plans.

Two rules that shape how the Cooperation Group operates
Two interpretive rules sit under everything the Group does. Both matter when you read its outputs.

Strategic, not operational

The Cooperation Group does not handle individual incidents. That is the CSIRT Network's job under Article 15. It does not handle large-scale crisis coordination either; that sits with EU-CyCLONe under Article 16. The Group's lane is policy, guidance and structured exchange between Member States.

Guidance, not enforcement

What the Group produces is recommendations, best-practice exchanges and coordinated assessments. They carry weight because they reflect the consensus of every national authority plus the Commission and ENISA. But they are not binding rules on entities. The binding layer is the directive, the CIR, and your national transposition.

How national authorities engage with the Cooperation Group
Every Member State sends people. ENISA runs the secretariat. The outputs flow back into national guidance. Here is how the three roles split in practice.
Germany

BMI and BSI

The Federal Ministry of the Interior and the BSI represent Germany in the Cooperation Group. BSI feeds Group outputs back into its NIS 2 Infopakete and into the IT-Grundschutz updates. When the Group publishes a coordinated supply-chain risk assessment under Article 22, BSI is the channel that turns it into German guidance.

EU-wide

ENISA secretariat

ENISA supports the Cooperation Group as secretariat. It prepares the analyses, runs the working groups and publishes the deliverables. ENISA does not sit on the Group with a vote; the Group is composed of Member States plus the Commission. ENISA is the operational engine behind it.

Other member states

National representatives

Every Member State has one seat per national delegation. The Netherlands sends NCSC and the relevant ministry. Austria sends the BMI and GovCERT. Belgium sends the CCB. The substance of the work is shared; the national entry point differs.

Three traps in how people read Article 14
Three misreadings show up regularly. All three lead to either dismissing the Group too quickly or expecting things from it that are not in its mandate.

  • The Cooperation Group is just another EU committee.

    It produces concrete outputs that change what entities have to do. The coordinated supply-chain risk assessments under Article 22 are formal Cooperation Group products. When a sector or supply chain is assessed as high-risk, the assessment flows into procurement requirements through national authorities. A 'committee' label undersells what Article 22 outputs can trigger.

  • We never have anything to do with the Cooperation Group.

    Correct, in one sense: entities do not file anything with the Group and the Group does not regulate them. But its outputs reach you through national channels. BSI Infopakete cite Group guidance. ENISA TIG updates absorb Group conclusions. A coordinated Article 22 assessment can land in your supplier-contract clauses. The Group is upstream of things you do touch.

  • ENISA runs the Cooperation Group.

    No. ENISA provides secretariat support. The Group itself is composed of Member State representatives and the Commission. Article 14(3) is clear on the composition. ENISA prepares, analyses and supports, but the decisions sit with the Member States and the Commission.

Where the Cooperation Group actually touches your day-to-day

For an in-scope entity, three practical touchpoints matter. First, BSI Infopakete and ENISA TIG updates often cite Cooperation Group outputs. When you read the BSI guidance, you are reading what the Group converged on. Second, the coordinated supply-chain risk assessments under Article 22 can change what your procurement contracts have to ask of ICT suppliers. Third, the biennial state-of-cybersecurity reports give you the EU-level picture your management body has to read.

None of this is a filing duty for you. The Group does not have a portal you log into. The right operating posture is: read the BSI Infopakete and ENISA TIG updates as they come out, watch for Article 22 assessments that touch sectors you depend on, and let those outputs flow into your risk register and your supplier clauses through the normal annual review.

How we handle Cooperation Group outputs on the platform

When a Cooperation Group output affects a specific NIS 2 requirement (an Article 22 assessment, a piece of orientation under Article 14(4), a peer-review finding under Article 19), we link the output directly from the requirement page. You see the citation next to the obligation it shapes, not in a separate news feed.

The platform tracks ENISA TIG versions and BSI Infopakete updates that absorb Cooperation Group material. When a new version lands, the affected requirements get flagged for re-review. You do not have to monitor Brussels yourself.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 14 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 15 (CSIRTs Network) and Article 16 (EU-CyCLONe)
  • Directive (EU) 2022/2555 (NIS 2), Article 19 (peer reviews) and Article 22 (coordinated supply-chain risk assessments)
  • BSI Infopakete 'NIS 2 Pflichten' — bsi.bund.de/dok/nis-2-infopakete
  • ENISA — role and secretariat function under Regulation (EU) 2019/881 (Cybersecurity Act)
Track the EU-level outputs that actually reach you
The platform links Cooperation Group, ENISA and BSI outputs to the requirements they affect. Free, open source, no lock-in.
Open the free platform