The proposed expansion of the scope of NIS2, which would effectively require more entities and sectors to adopt cybersecurity measures, would help improve the level of cybersecurity in Europe in the long term. The interconnectedness of society as a whole and of the organizations within it is already so great that there is virtually no sector in which information systems do not play a significant role. For this reason, the NIS2 Directive no longer seeks out individual systems critical to society, but instead defines entire services critical to its functioning.
The NIS2 Directive establishes the basis for cybersecurity risk management measures and notification obligations across all sectors covered by this directive—such as energy, transport, healthcare, and digital infrastructure.
According to the Czech National Cyber and Information Security Agency (hereinafter NUKIB), the NIS2 Directive does not intend to impose obligations on absolutely everyone who provides a given service. Its drafters concluded that the primary test of whether a private or public organization falls under the directive's regulation is the simultaneous fulfillment of the following two criteria:
- the organization provides at least one service listed in the annexes to the directive, and at the same time
- it is a medium-sized or large enterprise under the EU SME definition (Commission Recommendation 2003/361/EC), i.e., it employs 50 or more people, or has an annual turnover or annual balance sheet total exceeding EUR 10 million.
The first criterion thus reflects the fact that it is the sectors and services important to society that are regulated. The second criterion expresses the fact that not everyone who provides such a service is large and significant enough for regulation to be appropriate in their case as well.
In other words, the former category of operators of essential services is replaced and expanded by the categories of so-called “essential” and “important” entities, and a size-based rule is introduced. The Directive will thus regulate approximately 60 services across 18 sectors. All medium-sized and large enterprises (those employing at least 50 people, or with an annual turnover or annual balance sheet total exceeding EUR 10 million) that operate in the sectors listed in the Directive's annexes will therefore fall within its scope. This will significantly increase the number of entities for which cybersecurity is mandatory.
For certain types of entity, however, the Directive stipulates that they fall under NIS2 regardless of their size. Article 2(2) of the Directive lists, for example, providers of public electronic communications networks or publicly available electronic communications services, trust service providers, and top-level domain name registries and DNS service providers, as well as any entity that is the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities. An organization below the size threshold therefore cannot assume it is out of scope without checking these exceptions.