NIS2 Directive: Who Needs to Comply? Find out what is important for your company.

Not sure if your business falls under the NIS2 Directive? You’re not alone!

In this post, we’ll help you understand which sectors are affected, how to determine if your business is impacted, and what the difference is between “essential” and “important” entities.

The NIS2 Directive spells out exactly which sectors need to comply, but there are some exceptions, making it tricky to figure out if your business falls under its scope. The key challenge? Knowing whether you’re in the “essential” or “important” category.

Which sectors are affected by NIS2?

There are 18 critical sectors defined in the NIS2 directive, which are further categorised as “essential” or “important”.

Essential Sectors

These 11 industries are the backbone of our society. A disruption in any of them could have serious consequences, so NIS2 makes cybersecurity a top priority here.

  1. Energy
  2. Transport
  3. Banking
  4. Financial market infrastructures
  5. Healthcare
  6. Drinking water
  7. Digital infrastructure
  8. Wastewater (new)
  9. ICT service management (business-to-business) (new)
  10. Public administration (new)
  11. Space (new)

Important Sectors

Even though these sectors aren’t considered “essential”, they’re still crucial to the economy and public safety, which is why NIS2 makes sure they’re covered, too.

  1. Postal and courier services (new)
  2. Waste management (new)
  3. Manufacture, production and distribution of chemicals (new)
  4. Production, processing and distribution of food (new)
  5. Manufacturing (new)
  6. Digital providers (new)
  7. Research (new)

What are the criteria that determine if a company must be NIS2 compliant?

To figure out if NIS2 applies to you, you’ll want to look at three things:

  • where your business operates,
  • your company size, and
  • the sector you’re working in.

1. Business Location

NIS2 doesn’t just apply to businesses based in the EU. If you offer services or run a business in any EU country, this directive could apply to you, regardless of where your headquarters are based.

2. Business Size

Big or small, NIS2 could impact your business. While the directive focuses on large and mid-sized companies, there are specific instances where even small businesses fall under the scope of the new directive.

Large organisations

When we talk about large businesses, we’re talking about companies with more than 250 employees and over 50 million euros in revenue. If that’s you, NIS2 is definitely something you need to focus on.

Mid-size organisations

If your business has 50 to 250 employees and brings in between 10 and 50 million euros a year, NIS2 is something you’ll need to take seriously.

Small and micro organisations

Even if your business is small, NIS2 might still apply. There are specific cases in which it does, such as when you’re the sole provider of a critical service (see the list below).

3. Business Industry

Businesses operating in any of the 18 critical sectors defined as “essential” or “important” (as listed above).

There are specific cases in which small and micro enterprises can also be subject to NIS2.

  • If the entity is the sole provider of a service that is determined as indispensable for the running of crucial societal or financial activities.
  • If a Member State has designated that entity as a “critical entity” according to the Critical Entities Resilience (CER) Directive (EU) 2022/2557.
  • Additionally, some digital service providers are required to comply with NIS2 regardless of their size.

What is the difference between an “essential” entity and an “important” entity?

Essential Entities

These are large companies working in one of the 11 critical sectors, like energy, transport, or healthcare. If that sounds like your business, you’re in the NIS2 spotlight.

According to NIS2, essential entities are:

  • Companies classified as large enterprises operating in one of the 11 essential sectors (as listed above)
  • Trust service providers
  • DNS service providers
  • Public electronic communication networks
  • Public administration entities
  • Any critical entity according to the Critical Entities Resilience (CER) Directive (EU) 2022/2557
  • Other entities specified by Member States

Important Entities

Under NIS2, if your organisation doesn’t fall into the “essential” category, you might still be considered an “important” entity. This means your business meets certain criteria based on location, size, and industry. So, even though you’re not classified as essential, the rules still apply.

How does NIS2 affect “essential” and “important” entities differently?

Here are the main differences:

  • If your business is considered essential, expect tougher regulations and more supervision than important entities face. The difference lies in how critical your services are to society.
  • Higher fines for “essential” entities:
    • Penalties for “essential” entities are steep: up to 10 million euros or 2% of your yearly turnover.
    • Important entities won’t get off easy either, with fines that can reach 7 million euros or 1.4% of turnover.

Not sure where to start with NIS2 compliance?

Let’s talk! We’re here to help you figure out what needs to be done to keep your business secure. Reach out for a free consultation, and we’ll guide you through the process.

Request our IT audit today and take the first step towards a more resilient IT infrastructure. You can schedule your audit right away using our contact form or by calling us at +43 1 22 66 22 66.

Want to learn more about NIS2?

Read our main article on NIS2:

Understanding NIS2: The New Cybersecurity Directive

Additional Resources:

For further reading, look at the following documentation on NIS2 and cybersecurity guidelines.

Explore our other articles on cybersecurity trends and best practices to stay informed and protected.