Main changes brought by NIS2

20.09.2022 | Author: Top privacy s.r.o.

The proposed extension of the scope of NIS2, which would effectively oblige more entities and sectors to take measures, would help to increase the level of cybersecurity in Europe in the long term. The interconnectedness of society as a whole and of the organizations within it is now so great that there is virtually no sector where information systems do not play an important role. For this reason, NIS2 no longer seeks to identify systems that are important to society, but defines entire services that are important to its functioning.

The NIS2 Directive lays the foundation for cybersecurity risk management measures and notification obligations in all sectors covered by the Directive, such as energy, transport, health, and digital infrastructure.

According to the Czech National Cyber and Information Security Authority (hereinafter referred to as NUKIB), the NIS2 Directive does not intend to impose obligations on absolutely everyone who provides a given service. During the drafting process, its creators concluded that the primary test for whether a private or public organization falls under the Directive is the simultaneous fulfillment of the following two rules:

  • the organization provides at least one service listed in the annexes to the Directive, and at the same time
  • it is a medium-sized or large enterprise, i.e., it employs 50 or more employees or has an annual turnover or annual balance sheet total of at least EUR 10 million.

The first rule thus corresponds to the regulation of sectors and services that are important to society. The second rule then states that not everyone who provides such a service is large and important enough for regulation to be appropriate in their case.

In other words, the list of operators of essential services is to be extended to include so-called "essential" and "important" entities, and a size limit will also be introduced. The Directive will thus regulate approximately 60 services in 18 sectors. This means that all medium-sized and large enterprises (regulated entities will be those employing at least 50 employees or with an annual turnover or balance sheet total of at least EUR 10 million) operating in the areas/sectors defined in the Directive will fall within its scope. This measure will therefore significantly increase the number of entities that will be subject to cybersecurity obligations.

However, for some sectors, the Directive stipulates that all organizations in a given sector will be subject to NIS2 regulation, regardless of their size.

Please note that when assessing the size of an enterprise according to the above description, attention should be paid to the category of so-called partner or linked enterprises (e.g. groups or subsidiaries), which must also be included in the calculation of the size of the enterprise.

However, the Directive also defines areas that it will not regulate. It will not apply to entities performing activities in areas such as defense or national security, public security, law enforcement and the judiciary, nor to the parliaments or central banks of individual EU Member States.

When transposing the NIS2 Directive, Member States are to establish regulations in such a way as to use additional criteria and extend cybersecurity regulation to organizations that provide the services listed in the annexes to the Directive, regardless of their size. For example, as stated by NUKIB, these include:

  • sole providers of a service that is essential in a Member State from a social or economic perspective,
  • companies providing services whose disruption could have a significant impact on public security or human health,
  • companies providing services whose disruption could pose a significant risk, in particular with cross-border impact.

At the same time, the provisionally agreed text of the Directive also includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria for determining the entities covered by the Directive.

There will also be new rules for critical entities and the financial sector. The European Parliament and the Council have aligned the text of NIS2 with the legislation applicable to specific sectors, in particular the Regulation on digital operational resilience of the financial sector (DORA) and the Directive on critical entities (CER), in order to ensure legal clarity and consistency between NIS2 and these acts.
