NIS2: Who is affected?

This is a question we get a lot from our customers. The NIS2 Directive’s wording is not always very explicit. NIS2 is a framework that countries need to implement. Because it’s a Directive and not a Regulation, each EU country has the autonomy to roll it out under their own interpretation.

NIS2’s language is broad, making it challenging to get your head around, especially until countries publish their specifics. But, we will answer as clearly as possible which companies NIS2 currently affects.

Aikido’s quick NIS2 self-check to see if you’re in scope

We like things to be practical and straightforward. So, to help make it easier, here’s our quick 5-step self-check to see if you’re in NIS2 scope:

1. Is your company working in an ‘essential’ or ‘important’ industry?
2. Check if you’re part of a sub-industry.
3. Do you fall within the size requirements?
4. If ‘no’ to 1, 2, and 3, double-check that you’re not an exception (pro tip: you may need to seek legal counsel to be on the safe side).
5. And, if ‘no’ to all of the above, check if your customers are or are not in scope.

Who does NIS2 apply to?

There are two key parameters to check to see if NIS2 impacts your company:

• Industry: If you’re part of an industry that is ‘essential’ or ‘important’.
• Size: If the size of your company meets certain ‘essential’ or ‘important’ thresholds, i.e. above X # of employees, €X revenue, or €X balance sheet.

Let’s look at both in more depth.

Which sectors does NIS2 apply to?

It all starts here. NIS2 is all about getting essential and important industries to be secure. NIS2 expands the number of industries that were the focus of the first NIS Directive. It differentiates between essential and important, but both categories are included in its scope.

Essential industries: energy, drinking water, wastewater, transportation, banking, financial markets, ICT service management, public administration, healthcare, and space.

Important industries: postal and courier services, waste management, chemicals, food, manufacturing (e.g. medical devices, computers/electronics, machinery/equipment, motor vehicles, trailers/semi-trailers/other transport equipment), digital providers (e.g. online marketplaces), and research organizations.

Some sectors are instantly in scope, no matter what. Some examples include domain name registrars, trust service providers, DNS service providers, TLD name registries, and telecom providers.

Beyond that, national authorities will have the power to designate individual companies that do not fall neatly into the essential or important sector categories. They can do this if they deem the company to provide a sole service, have a significant impact, and/or be essential to society.

NIS2 company size criteria

NIS2 has size cap rules. This means you’ll need to comply with the Directive if you cross certain thresholds.

What are essential and important companies for the size criteria?

• Essential companies: 250+ employees OR €50m+ annual turnover OR €43m+ balance sheet
  Note: An essential company that does not meet the essential size thresholds (above) but still meets the important companies size thresholds (below) is considered an important company. And, therefore still in scope.
• Important companies: 50+ employees OR €10m+ annual turnover OR €10m+ balance sheet

So, on the surface, NIS2 applies to medium enterprises and large corporations. And, leaves out small and micro enterprises. But, there will be exceptions. For example, if a company doesn’t meet the size thresholds, a national authority can exert its designation prerogative as with the sector criteria.

How do I know which country has jurisdiction over my business?

The European Commission says: ‘As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they are established. If the entity is established in more than one Member State, it should fall under the jurisdiction of each of these Member States.’

There are exceptions. In some cases, that means considering where the company provides the service  (e.g. DNS service providers). In other cases, the key is where their main establishment is (e.g. cloud computing service providers).

Are there other exceptions to the rules?

Of course, there are some related to the industry and size rules. On top of that, as countries implement the directive, there will be country-to-country differences to pay attention to as the localized rules come into effect (all by October 17, 2024).

For example, if you don’t meet the size requirements BUT are the sole provider of a critical service for societal or economic activity in a member state, you may still need to implement NIS2.

Note: If you’re active in the finance industry, you’re probably already familiar with the Digital Operational Resilience Act (DORA). DORA is a piece of legislation – not a directive like NIS2 – so it takes precedence over NIS2. We recommend focusing your efforts there first but make sure you check in when NIS2 is transposed into local law by your EU member state.

Don’t forget about the Cyber Resilience Act (CRA) as well. CRA sets out cybersecurity requirements for a range of hardware and software products placed on the EU market. These include smart speakers, games, operating systems, etc.

Are you looking for a bit more detail?

Here’s a great overview of who’s in scope, developed by the Centre for Cyber Security Belgium:

If your customers are in-scope, NIS2 will likely impact you

Did you know that NIS2 includes the third-party knock-on effect? That means even if you’re not directly in scope but your customers are, you will likely need to comply with NIS2.

Companies that must implement NIS2 will need to ‘manage and assess the risks’ associated with their ‘third-party providers’. This includes, for example, conducting regular security assessments, ensuring that you have adequate cybersecurity measures in place, and implementing contracts/agreements that require you to comply with NIS2 requirements.

So, if you’re a B2B company and you thought you were out of scope because of sector and size, but your customers are in NIS2’s scope, you should start preparing!

Aikido provides NIS2 report

Aikido Security has created a NIS2 report feature available in our app. We’ve designed this report to help companies who need to comply with the directive.

Are you likely affected by NIS2?
Find out where you stand with your application on NIS2.
Although our report is not exhaustive (and only covers your technical setup) , it’ll get you on started and on the right track.

Register for Aikido and get your NIS2 report for free!