
Understanding the NIS2 Directive: Who is Affected and What You Need to Know

Time is of the essence: the transposition deadline for the NIS2 Directive (Directive (EU) 2022/2555) is October 17, 2024, and organizations across the EU must prepare for its significant impact. The Directive updates and expands its predecessor (NIS1, Directive (EU) 2016/1148) and will dramatically increase the number of regulated entities. In Ireland alone, the National Cyber Security Centre expects the number of regulated entities to rise from about 120 under NIS1 to an estimated 3,500 under NIS2.


Who Does the NIS2 Directive Apply To?

Sectors:

The NIS2 Directive expands the range of sectors required to comply. NIS1 covered critical sectors such as Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, and Digital Infrastructure, plus certain digital service providers (online marketplaces, online search engines, and cloud computing services). NIS2 keeps these and extends its reach to additional areas, including:

  • Postal and Courier Services
  • Manufacture of Certain Critical Products (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles, and other transport equipment)
  • Waste Water and Waste Management
  • Public Administration
  • Space
  • Research
  • ICT Service Management (business-to-business), including managed service providers and managed security service providers
  • Digital Providers, now also covering social networking platforms
  • Food Production, Processing, and Distribution
  • Providers of Public Electronic Communications Networks or Services
  • Manufacture, Production, and Distribution of Chemicals

Size:

The Directive applies to all medium and large entities within these sectors, using the size categories of the EU SME Recommendation (2003/361/EC). An entity only needs to exceed one of the thresholds (headcount, or the financial ceilings) to move up a category, so the criteria are “or,” not “and”:

  • Large Enterprises: 250 or more employees, or annual turnover above €50 million and a balance sheet total above €43 million.
  • Medium Enterprises: 50 or more employees, or annual turnover and a balance sheet total above €10 million.

Entities are categorized as either “essential” or “important.” Broadly, large entities in the high-criticality sectors (Annex I of the Directive) are essential, while medium-sized entities in those sectors and entities in the other sectors (Annex II) are important, subject to a number of exceptions. This ensures broad coverage of the economy, particularly sectors vital to societal and economic activities. Notably, the Directive also captures small and micro enterprises, regardless of size, if their services are critical to society, the economy, or specific sectors.


Key Criteria for Inclusion

To determine whether your organization falls under the NIS2 Directive, consider the following:

Sector Relevance:

Does your company operate within any of the sectors listed above?

Size Requirements:

Does your company meet the size thresholds for medium or large enterprises?

Specific Criteria for Critical Entities:

Beyond general sector and size applicability, certain entities are included due to their critical role or potential impact on society and the economy. These include:

  • Providers of public electronic communications networks or services
  • Trust service providers
  • Top-level domain name registries and domain name system service providers
  • Entities whose service disruption could significantly impact public safety, security, health, or induce systemic risk
  • Sole providers of essential services in a Member State
  • Public administration entities, especially those critical at the central or regional level


Who Will Be Held Responsible?

Under the NIS2 Directive, essential entities face rigorous enforcement measures for non-compliance. Beyond administrative fines (up to €10 million or 2% of total worldwide annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher), competent authorities can temporarily suspend certifications or authorizations and temporarily prohibit individuals at CEO or legal representative level from exercising managerial functions. These actions, proportional to the severity of the infringement, aim to enforce strong cybersecurity practices. Such measures can disrupt operations, affect financial stability, and harm reputations, highlighting the critical need for high compliance standards.

A key change introduced by NIS2 is the requirement for the “management bodies” of essential and important entities to approve the cybersecurity risk-management measures, oversee their implementation, and undergo training so that they can do so competently. These management bodies, including individuals with managerial responsibilities at the CEO or legal representative level, can be held liable for breaches of NIS2 provisions. This responsibility underscores the pivotal role of top management in ensuring compliance and illustrates the significant consequences of failing to meet the Directive’s requirements.


Steps to Determine Your Organization’s Status

  1. Assess Sector Involvement: Review the expanded list of sectors in the NIS2 Directive to see if your organization falls within any of these categories.
  2. Evaluate Size Criteria: Check if your organization meets the financial and employee size thresholds for medium or large enterprises.
  3. Identify Critical Role: Determine if your organization provides essential services, particularly those that could impact public safety, security, or health if disrupted.

The NIS2 Directive’s broad scope and stringent requirements mean that many more entities will now fall under its jurisdiction. Ensuring compliance involves not just checking whether your organization fits the sector and size criteria, but also recognizing when the critical nature of the services you provide brings you into scope regardless of size. Preparing for NIS2 will help safeguard your organization against cyber threats and contribute to the overall security and resilience of the EU’s critical infrastructure and essential services.


Take Action Now

With only four months left until the Directive’s transposition deadline, it’s crucial to begin your compliance preparations immediately. Identify whether your organization is impacted, understand the specific requirements, and implement necessary changes to ensure adherence to the NIS2 Directive.

Stay tuned for more detailed guidance on the implementation of cybersecurity risk management measures and incident reporting obligations for aligning with the NIS2 Directive.
