By Matjaz Marin

Does your organization fall within the scope of NIS 2?

In 2016, the initial NIS Directive covered 7 key sectors. Since then, the EU has expanded its view of which sectors are critical to a safe, efficient and effective society, and the NIS2 Directive broadens the scope significantly: eighteen sectors in total now fall within it, eleven sectors of high criticality listed in Annex I and seven other critical sectors listed in Annex II.

Questions to ask

  • Does our company provide a critical service or essential function, either directly to end clients or as a key supplier, whose disruption could affect public safety or economic stability?
  • Does our company operate in one of the sectors covered by the NIS2 Directive (Annex I or Annex II, described below)?
  • Is our company based outside the EU but offering critical services within the EU? If so, this Directive also applies to you.
  • Does the lex specialis principle apply? (Where a sector-specific EU legal act provides cybersecurity risk-management or incident notification obligations at least equivalent to those of NIS2, the sector-specific act takes precedence, e.g. DORA, PSD2.)

Critical sectors: Annex I & Annex II

The NIS2 scope is defined by two annexes. The Directive applies to both public and private entities referred to in Annex I or Annex II. Annex I lists the sectors of high criticality; an entity in one of these sectors is classified as either an Essential or an Important entity depending on its size (headcount and annual turnover or balance sheet total).

Annex II lists the other critical sectors set out by the EU; entities in these sectors fall only into the Important entity category.

Criteria that determine which companies must comply with NIS 2

There are three general criteria that define which organizations must comply with NIS 2:

  • Location: they provide services or carry out activities in any country in the European Union (whether or not they are based in the EU), and
  • Size: they are categorized as mid-sized or large organizations (see the size criteria in the section below), and
  • Industry: they operate in one of the 18 sectors listed in Annex I or Annex II.

However, there are some exceptions to these rules (certain entities are in scope regardless of size); see the table in the section below for further explanation.

Essential and Important entities

NIS2 categorizes entities within its scope into two groups: ‘essential’ and ‘important’. The primary distinction is that a disruption of the services provided by entities in the essential group would have serious consequences for the country’s society as a whole.

Both groups must comply with the same security measures. However, essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections, while important entities are supervised only ex post, i.e. when the authority obtains evidence or an indication of non-compliance. Organizations must promptly determine whether they fall within the scope and, if so, whether they are classified as an essential or an important entity.

“Essential entities” and “important entities” are the terms NIS 2 uses for the companies and other organizations that need to comply with it.

NIS 2 defines essential entities as follows:

  • Companies that are categorized as large enterprises (see the size criteria in the next section) and operate in one of the 11 Annex I sectors of high criticality
  • Qualified trust service providers, top-level domain name registries and DNS service providers, regardless of their size
  • Providers of public electronic communications networks or of publicly available electronic communications services that qualify as mid-sized enterprises
  • Public administration entities of central government
  • Any entity identified as a critical entity under the Critical Entities Resilience (CER) Directive (EU) 2022/2557
  • Other entities designated as essential by a Member State

Important entities are all other organizations that are not categorized as essential entities, but that fall under the 3 criteria mentioned in the previous section.

Classification of Sectors: Essential and Important Entities

To make the classification easier to apply, the table below summarizes which organizations need to comply with NIS2 and whether they are classified as essential or important entities.

To further clarify, here is how the EU classifies companies according to their size (the thresholds of Commission Recommendation 2003/361/EC, which NIS2 refers to; note that "revenue" here means annual turnover, and the balance sheet total is an alternative threshold):

  • Micro and small organizations: fewer than 50 employees and an annual turnover or balance sheet total of 10 million euros or less.
  • Mid-size organizations: fewer than 250 employees and an annual turnover of 50 million euros or less (or a balance sheet total of 43 million euros or less).
  • Large organizations: 250 or more employees, or an annual turnover above 50 million euros together with a balance sheet total above 43 million euros.