zaro

Who does NIS2 not apply to?

Published in NIS2 exemptions 2 mins read

NIS2 does not apply to certain micro and small organizations operating within specific subsectors of the Energy and Transport industries.

The NIS2 Directive, a key piece of legislation for enhancing cybersecurity across the European Union, establishes a broad scope for essential and important entities that must comply with its cybersecurity requirements. However, it includes specific exemptions designed to reduce the regulatory burden on the smallest entities within certain sectors.

Entities Exempt from NIS2 Compliance

While the directive aims for comprehensive coverage, specific exclusions exist for organizations that do not meet certain size criteria, even when operating in sectors generally covered by NIS2. This distinction is crucial for understanding the directive's precise reach.

The following table details the specific subsectors where micro and small organizations are exempt from NIS2 compliance:

Sector Subsector Excluded Organization Size
Energy Gas Micro and small organizations
Energy Hydrogen Micro and small organizations
Transport Air Micro and small organizations

This means that entities classified as micro or small organizations within the gas and hydrogen subsectors of the Energy sector, and within the air subsector of the Transport sector, are not subject to the cybersecurity obligations mandated by the NIS2 Directive. This tailored approach helps ensure that the directive's requirements are proportionate to the resources and potential impact of different organizations.