NIS2 does not apply to certain micro and small organizations operating within specific subsectors of the Energy and Transport industries.
The NIS2 Directive, a key piece of legislation for enhancing cybersecurity across the European Union, establishes a broad scope for essential and important entities that must comply with its cybersecurity requirements. However, it includes specific exemptions designed to reduce the regulatory burden on the smallest entities within certain sectors.
Entities Exempt from NIS2 Compliance
While the directive aims for comprehensive coverage, specific exclusions exist for organizations that do not meet certain size criteria, even when operating in sectors generally covered by NIS2. This distinction is crucial for understanding the directive's precise reach.
The following table details the specific subsectors where micro and small organizations are exempt from NIS2 compliance:

| Sector | Subsector | Excluded Organization Size |
|---|---|---|
| Energy | Gas | Micro and small organizations |
| Energy | Hydrogen | Micro and small organizations |
| Transport | Air | Micro and small organizations |

This means that entities classified as micro or small organizations within the gas and hydrogen subsectors of the Energy sector, and within the air subsector of the Transport sector, are not subject to the cybersecurity obligations mandated by the NIS2 Directive. This tailored approach helps ensure that the directive's requirements are proportionate to the resources and potential impact of different organizations.