NIS2 Directive in a Few Steps – Check if You Qualify!
The NIS2 Directive, introduced by the European Union, aims to strengthen protection against cyber threats and enhance the resilience of key sectors of the economy to cyberattacks. The adoption of the law establishing the effective date of the directive in Poland is scheduled for October 2024. The new regulations cover a wide range of companies and institutions that are critical to the functioning of EU member states and the European economy as a whole. These entities are classified as either essential or important, depending on the scale of their operations and the potential impact of disruptions on public safety, the economy, or health. A key factor in this classification is also the size of the company, and in some cases, the significance of the services they provide.
At first, this may seem complex, but we hope that after reading this article, it will be easier for you to understand which companies and institutions are subject to the new regulations.
As previously mentioned, the NIS2 Directive divides entities into essential and important. If your company qualifies under one of these groups, you will be required to meet specific obligations. However, the details of these obligations are covered in another article on our website. Here, we will focus on how to check whether your company is actually subject to the new regulations.
ESSENTIAL ENTITIES
The first step is to consider the sector in which you operate. If your company operates within one of the “essential sectors”, there is a chance you qualify as an essential entity. Why “a chance”? Because at this step, it is important to remember that only companies from these sectors exceeding the threshold for medium-sized enterprises are considered essential entities. This means employing at least 50 people and having an annual turnover or balance sheet total of at least €10 million. If you do not meet this condition, you qualify as an important entity.
Who else qualifies as an essential entity:
- Qualified trust service providers and top-level domain name registries, as well as DNS service providers, regardless of their size;
- Providers of public electronic communications networks or publicly available electronic communications services that qualify as medium-sized enterprises;
- Public administration entities at the central government level as defined by the member state in accordance with national law;
- Other entities from the sectors listed in Annex I or II of the directive (see “essential sectors” and “important sectors”) that have been designated by the member state as essential entities;
- Entities designated as critical entities under the Critical Entities Resilience Directive;
- Entities identified by the member state before the NIS2 Directive came into force as operators of essential services.
IMPORTANT ENTITIES
Again, start by focusing on the sector of operation. If your company operates in one of the “important sectors”, you qualify as an important entity.
Who else qualifies as an important entity:
- Entities from the sectors listed in Annexes I and II of the NIS2 Directive that do not qualify as essential entities.
The full text of the NIS2 Directive, including the complete description of the sectors (Annexes I and II), can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
As with almost every rule, there are exceptions. An entity can be classified as essential or important, regardless of size, if:
- It belongs to a group of service providers offering services:
  - as providers of public electronic communications networks or publicly available electronic communications services;
  - as trust service providers;
  - as top-level domain name registries, or DNS service providers;
- The entity is the sole provider of a service in a given member state that is critical for maintaining essential social or economic activities;
- A disruption of the service provided by the entity could have a significant impact on public order, public safety, or public health;
- A disruption of the service provided by the entity could lead to a serious systemic risk, particularly in sectors where such disruption could have a cross-border impact;
- The entity is critical due to its specific importance at the national or regional level for a particular sector or type of service, or for other interdependent sectors within the member state;
- The entity is a public administration entity:
  - at the central government level, as defined by the member state in accordance with national law; or
  - at the regional level, as defined by the member state in accordance with national law, that, based on a risk analysis, provides services whose disruption could significantly impact essential social or economic activities;
- Entities identified as critical under Directive (EU) 2022/2557;
- Entities providing domain name registration services;
- By decision of the member states:
  - Public administration entities at the local level;
  - Educational institutions, especially those conducting research activities of critical importance.
There are also several groups of entities to which the NIS2 Directive does not apply:
- Public administration entities operating in the fields of national security, public safety, defense, or law enforcement (including crime prevention, investigations, detection, and prosecution);
- Certain entities operating in the areas of national security, public safety, defense, or law enforcement, including those providing services exclusively to the public administration entities mentioned above, which member states will exempt from the obligations set out in Articles 21 or 23 in relation to these activities or services. Exempt entities are not subject to the supervision and enforcement provisions (Chapter VII) regarding the exempt activities. If the above activities are the sole activities carried out by the entity, it may also be exempted from the obligations under Articles 3 and 27 (data reporting for registration purposes).
One last important aspect – the supply chain.
The security rules in the NIS2 Directive apply not only to essential and important entities themselves but also to their suppliers and business clients, in both directions. What does this mean in practice?
Essential and important entities are obligated to monitor their supply chains for compliance with security rules. On the other hand, companies operating within this chain, wanting to maintain cooperation with entities subject to NIS2, will also need to implement appropriate security measures. This applies to micro and small enterprises that collaborate with companies from sectors covered by the directive – as subcontractors, contractors, or business clients, they will also be required to meet cybersecurity requirements under NIS2.
The NIS2 Directive introduces significant changes in cybersecurity that could impact your business. Whether your company qualifies as an essential entity, an important entity, or operates within the supply chain – appropriate security measures are not only a legal requirement but also a safeguard against increasingly complex digital threats.
If, after reading this article, you still have doubts about whether your company falls under the new regulations, or if you’re wondering how best to prepare for the required security measures – contact us here.
Don’t wait for inspections or hackers – take care of your security today!