How do I know if NIS2 applies to my company?

Published in Cybersecurity Regulation

To determine if the NIS2 Directive applies to your company, you need to assess your operational location, your company's size, and the sector in which you operate.

The NIS2 Directive (Network and Information Security 2) aims to significantly enhance cybersecurity across the European Union. Its applicability is broader than its predecessor, covering a wider range of entities.

Key Criteria for NIS2 Applicability

Your company is likely subject to NIS2 if it meets all three of the following conditions:

  1. Operates within the EU: Your company provides services or operates in the European Union.
  2. Meets Size Thresholds: Your company is considered a medium or large enterprise based on its employee count or financial figures.
  3. Belongs to a Critical Sector: Your company operates within one of the sectors designated as critical by the Directive.

Let's explore each criterion in more detail.

1. Operational Presence in the EU

The primary geographical criterion for NIS2 applicability is whether your company provides services or operates within the European Union. This includes companies headquartered outside the EU but with substantial operations or service provision to customers in EU member states.

2. Company Size Thresholds

NIS2 primarily targets medium and large enterprises. You meet the size threshold if your company satisfies either of the following conditions:

  • Employee Count: You employ at least 50 people.
  • Financial Thresholds: You have an annual turnover exceeding 10 million EUR and an annual balance sheet total exceeding 10 million EUR.

This means if your company has 50 or more employees, it meets the size criterion regardless of its financial figures. Similarly, if it has fewer employees but meets both financial thresholds (turnover and balance sheet), it also qualifies.

Quick Company Size Check

Criterion          Threshold
Employees          at least 50 employees
                   OR
Annual turnover    more than 10 million EUR
                   AND
Balance sheet      more than 10 million EUR

3. Belonging to a Critical Sector

This is a crucial determinant. NIS2 categorizes critical sectors into two main groups: "Essential Entities" (EE) and "Important Entities" (IE). While both are subject to the Directive, Essential Entities typically face stricter enforcement and supervisory measures due to their high criticality.

Essential Entities (EE)

These sectors are considered vital for the functioning of society and the economy. They include:

  • Energy: Electricity, district heating and cooling, oil, gas, hydrogen.
  • Transport: Air, rail, water, road.
  • Banking: Credit institutions.
  • Financial Market Infrastructures: Trading venues, central counterparties.
  • Health: Healthcare providers, EU reference labs, pharmaceutical companies, medical device manufacturers.
  • Drinking Water: Suppliers and distributors.
  • Wastewater: Collection, treatment, and distribution.
  • Digital Infrastructure: Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, public electronic communications networks, or publicly available electronic communications service providers.
  • ICT Service Management: Managed service providers (MSPs), managed security service providers (MSSPs).
  • Public Administration: Central government and regional government entities.
  • Space: Operators of ground-based infrastructure.

Important Entities (IE)

These sectors are also critical but are generally subject to reactive supervision, meaning authorities intervene primarily after an incident. They include:

  • Postal and Courier Services: Providers of postal and courier services.
  • Waste Management: Waste management undertakings.
  • Chemicals: Manufacturers of chemicals.
  • Food: Food production, processing, and distribution.
  • Manufacturing: Manufacturers of medical devices, computer, electronic, and optical products, electrical equipment, machinery and equipment, motor vehicles, other transport equipment.
  • Digital Providers: Online marketplaces, online search engines, social networking service platforms.
  • Research: Research organisations.

What to Do If NIS2 Applies to Your Company

If your company meets all three criteria, you are obligated to comply with the NIS2 Directive. This entails implementing a comprehensive set of cybersecurity measures, including:

  • Risk Management: Implementing appropriate technical and organisational measures to manage risks to the security of network and information systems.
  • Incident Reporting: Notifying competent authorities of significant cybersecurity incidents within strict timelines.
  • Supply Chain Security: Ensuring the security of your supply chain and relationships with direct suppliers or service providers.
  • Business Continuity: Establishing robust business continuity and crisis management plans.
  • Employee Training: Providing regular cybersecurity training and awareness for employees.

Next Steps and Resources

To definitively assess your company's applicability and prepare for compliance, it is advisable to:

  • Conduct a Self-Assessment: Utilize official checklists or tools provided by national cybersecurity authorities in EU member states. For a quick initial check, resources like nis2-check.com can provide guidance.
  • Consult Legal and Cybersecurity Experts: Obtain professional advice tailored to your specific operations and sector.
  • Monitor National Transposition: Stay informed about how NIS2 is being transposed into national law in the EU member states where you operate, as specific requirements may vary slightly.