The NIS2 directive aims to strengthen the cyber security provision of key services and industries across EU nations. While the specific mechanisms for implementing this directive are to be decided on a state-by-state basis (and as such, we’d always recommend seeking guidance on the criteria, inclusions, exclusions, and sanctions within your own state), the sectors impacted by NIS2 will be largely uniform across its whole scope.
“This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale.”
Member of European Parliament
Essential and Important Entities: What's The Difference?
NIS2 separates the services and industries within its remit into Essential (Sectors of High Criticality) and Important (Other Critical Sectors). In the lead up to NIS2’s implementation, you are likely to see them referred to in both manners.
In practice, the differentiation between the two groups reflects the societal impact of the associated sectors and the potential consequences of a cyber breach or attack. Consequently, Essential entities are more likely to be subject to stricter government oversight in order to achieve compliance, with harsher sanctions for non-compliance.
Which Businesses Are Exempt from NIS2?
While it is worth taking note of NIS2’s requirements and prioritising strong cyber security hygiene whatever the size of your business, it is important to understand that not all organisations, and not even all of those which fall into the below sectors, are subject to the NIS2 directive.
In general terms, only those businesses of a medium size or above will find themselves required to achieve NIS2 compliance.
However, please note that although entities are grouped according to general size criteria, an entity that does not meet these size thresholds may still be considered either important or essential (and subject to NIS2 compliance) in specific circumstances, such as where the organisation is the sole provider of its respective service within its EU Member State.
Essential Entities are subject to a general size threshold which, while varying by sector, generally includes those organisations with: 250+ employees, an annual turnover of €50 million and above, or a balance sheet of €43 million and above.
Important Entities are also subject to a size threshold based on the same criteria, again varying by sector, but set at a lower level. This will include those organisations with: 50+ employees, an annual turnover of €10 million or above, or a balance sheet of €10 million or above.
Which Sectors Are Impacted by NIS2?
Not all industries and sectors will be subject to NIS2 compliance.
The directive aims to strengthen the resilience of network and information systems throughout the European Union, concentrating specifically on the providers of core (or essential and important) services. Its aim is to ensure that common cyber security standards are met across member states, and key services remain strong and functional in the event of an attack.
With this in mind, NIS2 will impact the following sectors, which have been broken down into Essential and Important:
Essential Entities (Sectors of High Criticality)
Important Entities (Other Critical Sectors)
The above constitutes a general overview of the impacted sectors. More specific detail on the entities, providers, and producers subject to NIS2 compliance can be found within Annex 1 and Annex 2 of the directive itself.