Understanding the NIS2 Directive: definition and scope
The NIS 2 Directive marks a significant step by the European Union towards standardising cybersecurity measures across its member states.
Organisations classified as essential or important because of the critical nature of the services they provide must implement cybersecurity risk-management measures, report significant incidents to the competent authorities, and are subject to supervision by those authorities (ex ante and ex post supervision for essential entities, ex post supervision for important entities). Non-compliance can result in substantial administrative fines (up to EUR 10 million or 2% of worldwide annual turnover for essential entities, up to EUR 7 million or 1.4% for important entities), the temporary suspension of certifications or authorisations, and personal liability for the members of management bodies responsible for the organisation's compliance.
This article explains what the NIS 2 Directive is and gives a detailed breakdown of the entities it applies to.

- What is the NIS2 Directive?
- Essential (Highly Critical) entities
- Important (Other Critical) Entities
- The size of the Entities narrows the scope
- Public and private sector organisations
- Supply chain providers
- EU member states
- Critical service providers outside the EU
- Entities already covered by equivalent measures
What is the NIS2 Directive?
The NIS 2 Directive is the successor to the EU’s first cybersecurity directive, the NIS Directive on Security of Network and Information Systems, adopted in 2016[1]. While the original NIS Directive was a significant step in establishing a common level of cybersecurity across the EU, the rapid evolution of cyber threats called for a more comprehensive framework.
The NIS 2 Directive represents a significant overhaul of its predecessor, expanding its scope, strengthening its provisions, and imposing stricter requirements on both public and private entities. Sanctions are also a key component of NIS2.
Essential (Highly Critical) entities
These are organisations that are critical to the functioning of society and the economy. The NIS 2 Directive expands the list of essential entities to include more sectors than the original NIS Directive. Essential entities include[2]:
Energy
Undertakings along the electricity, oil, gas, hydrogen and district heating or cooling supply chains, including generation, transmission, distribution and storage:
- Electricity: transmission and distribution system operators, producers, electricity undertakings carrying out supply, nominated electricity market operators, and operators of recharging points together with electromobility service providers;
- District heating or cooling: operators of district heating or cooling;
- Oil: operators of oil transmission pipelines, of oil production, refining and treatment facilities, and of oil storage and transmission, as well as central stockholding entities;
- Gas: supply undertakings, distribution and transmission system operators, producers and storage system operators;
- Hydrogen: operators of hydrogen production, storage and transmission.
Transport and space
Operators of air, rail, water and road transport, and operators of the ground-based infrastructure that supports the provision of space-based services:
- Air: commercial air carriers, airport managing bodies and entities operating ancillary installations within airports, and air traffic management control operators;
- Rail: infrastructure managers of national or regional railways and the railway undertakings operating rail transport on them;
- Water: managing bodies of seaports;
- Road: road authorities responsible for traffic management control (excluding public entities for which this is a non-essential part of their general activity) and operators of intelligent transport systems (ITS).
Banking
Credit institutions, and financial market infrastructures such as trading venues and central counterparties[3].
Health
Hospitals and other healthcare providers, EU reference laboratories, entities carrying out research and development of medicinal products, and manufacturers of basic pharmaceutical products and pharmaceutical preparations.
Water
Entities involved in the supply and distribution of drinking water and in the management of waste water. For drinking water: suppliers and distributors of water intended for human consumption, except those for whom distributing such water is a non-essential part of their general activity of distributing other commodities and goods. For waste water: undertakings collecting, disposing of or treating urban, domestic or industrial waste water, except those for whom this is a non-essential part of their general activity.
Digital Infrastructure and ICT
Providers of Internet exchange points; DNS service providers (excluding operators of root name servers); top-level domain (TLD) name registries; providers of cloud computing services, data centre services and content delivery networks (CDNs); trust service providers; providers of public electronic communications networks or of publicly available electronic communications services; and, under the heading of ICT service management (business-to-business), managed service providers and managed security service providers, i.e. entities that operate or manage ICT services and tools for customers, typically under a service level agreement (SLA).
Public Administration
Public administration entities of central government, as defined by each Member State under national law, and public administration entities at regional level identified by the Member State. The Directive does not apply to public administration entities whose activities lie predominantly in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences (Article 2(7)).
Important (Other Critical) Entities
The NIS2 Directive introduces a new category called "Important Entities," which are also subject to the directive's requirements, although they are not considered as critical as essential entities. Important Entities include[4]:
- Digital service providers: providers of online marketplaces, search engines, and social networks.
- Waste management: entities providing waste management services (the collection, transport, treatment and disposal of waste), including waste management facilities, traders, intermediaries and carriers, except those for whom waste management is not their principal economic activity.
- Manufacture, production and distribution of chemicals: undertakings that manufacture substances or distribute substances or mixtures, and undertakings that produce articles from substances or mixtures, including retailers who store and market a chemical substance or article.
- Research: research organisations whose primary goal is to carry out applied research or experimental development.
- Food supply chains: entities involved in the production, processing, and distribution of food.
- Manufacturing activities: namely entities involved in the manufacturing of computer, electrical, electronic and optical products, motor vehicles (including trailers and semi-trailers), transport equipment, machinery and equipment, medical and in-vitro diagnostic medical devices.
- Postal services: entities providing postal services, i.e. the collection, sorting, transport and delivery of mail, including courier service providers.
The size of the Entities narrows the scope
Size also determines the category. The Directive generally applies only to entities of medium size or larger, so micro and small enterprises in the listed sectors fall outside its scope unless one of the exceptions below applies. Within the Annex I sectors listed above, an entity is an Essential Entity only if it exceeds the thresholds for medium-sized enterprises[5]; an entity at or below these thresholds is treated as an Important Entity instead. The following are Essential Entities regardless of their size:
- Qualified trust service providers;
- Top-level domain name registries and DNS service providers;
- Providers of public electronic communications networks or of publicly available electronic communications services;
- Public administration entities of the central government of the relevant Member State;
- Sole providers, at national level, of a service essential to the maintenance of critical societal or economic activities;
- Providers of a service whose disruption could significantly affect public safety, public security or public health, or could induce a significant systemic risk;
- Entities that a Member State has identified as Essential because the service they provide is of national or regional importance.
Guidance from Member States will prove vital for some organisations in determining first, whether they fall within the scope of the NIS2 and second, if they do, to what category of Entities they belong. In fact, the Directive provides extensive leeway for Member States to select concerned entities or exempt organisations from the scope or enforcement.
Public and private sector organisations
Both public and private sector organisations within the aforementioned sectors are covered by the NIS 2 Directive. This includes entities that are state-owned or state-controlled, as well as private companies.
Public administration entities of central government are, however, Essential Entities in their own right, regardless of their size or of the sector in which they operate.
Supply chain providers
The NIS2 Directive places a strong emphasis on supply chain security, so third-party vendors, service providers and contractors of Essential and Important Entities are affected, but indirectly. Being a supplier does not in itself bring an organisation into scope. Instead, Article 21(2)(d) requires each in-scope entity to address the security of its supply chain, including security-related aspects of its relationships with its direct suppliers and service providers, and Article 21(3) requires it to take into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices. In practice these obligations flow down through contractual requirements: suppliers can expect their in-scope customers to demand security measures comparable to their own, evidence that those measures are in place, and commitments on incident notification.
EU member states
National authorities in each EU member state are responsible for implementing the NIS 2 Directive, including designating and overseeing the entities that fall under its scope. Member States can also create exceptions and exclude some entities from the scope of the NIS 2 Directive depending on circumstances. Member states are also tasked with establishing national cybersecurity strategies, regulatory frameworks, and enforcement mechanisms in line with the Directive.
Critical service providers outside the EU
The NIS2 Directive also reaches organisations established outside the EU. Certain digital providers that are not established in the Union but offer their services within it (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre and CDN providers, managed service and managed security service providers, and providers of online marketplaces, online search engines and social networking platforms) fall under the Directive and must designate a representative in a Member State where they offer services (Article 26(3)). Other non-EU organisations are affected indirectly, through the supply chain obligations of the Essential and Important Entities they serve.
Entities already covered by equivalent measures
In recent years, EU regulations have imposed cyber-resilience obligations on a number of sectors. NIS 2 does not seek to increase the burden on sectors or industries that are already specifically regulated for cybersecurity. Article 4(1) of the Directive states that, if a sector-specific EU legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to those of the NIS 2 Directive[6], the corresponding provisions of the NIS2 Directive do not apply to those entities; the sector-specific rules govern instead. However, if the sector-specific EU act does not cover all entities within a sector governed by the NIS 2 Directive, the NIS 2 Directive continues to apply to the entities that fall outside its scope.
For example, financial entities covered by the Digital Operational Resilience Act (DORA)[7] fall outside the scope of NIS2 for the matters DORA regulates. DORA is a sector-specific Union legal act within the meaning of Article 4 of the NIS 2 Directive; this is stated explicitly in Article 1(2) of DORA and echoed in recital (28) of the NIS 2 Directive. Therefore, for financial entities covered by DORA, its provisions on ICT risk management (Articles 5 to 16), ICT-related incident management, classification and reporting (Articles 17 to 23), digital operational resilience testing (Articles 24 to 27), managing ICT third-party risk (Articles 28 to 44) and information-sharing arrangements (Article 45) apply instead of the equivalent provisions of the NIS 2 Directive. Consequently, Member States should not apply the NIS 2 Directive's cybersecurity risk-management and reporting obligations, or its supervision and enforcement provisions, to financial entities that fall under DORA[8].
Conclusion
The NIS2 Directive's scope is dynamic. Member States had to transpose the Directive into national law by 17 October 2024 and must establish a list of the Essential and Important Entities falling under its scope by 17 April 2025. That list must be reviewed, and where appropriate updated, at least every two years as the landscape of operators of critical services evolves.
However, most entities concerned will already know from the Directive's scope definition whether they are covered, and should act now to ensure compliance with its requirements rather than wait to be listed.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website, including in this blog, are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
Sources
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures to ensure a high common level of security of network and information systems across the Union.
[2] Annex I to the NIS 2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022).
[3] European Commission Guidelines on the application of Article 4 (1), 13.9.2023, C(2023) 6068 final.
[4] Annex II to the NIS 2 Directive.
[5] Under Commission Recommendation 2003/361/EC, an enterprise exceeds the medium-size ceiling (i.e. is a large enterprise) when it has 250 or more employees, or when its annual turnover exceeds EUR 50 million and its annual balance sheet total exceeds EUR 43 million.
[6] When evaluating whether sector-specific cybersecurity requirements are equivalent to those of the NIS 2 Directive, the sector-specific rules should, at a minimum, match the NIS 2 provisions or provide more detailed or stringent requirements. Importantly, they should adopt an "all-hazards approach" to cybersecurity risk management, which recognises, first, that threats to network and information systems can originate from many sources and, second, that any adverse event can affect those systems and lead to an incident. Cybersecurity measures must therefore protect not only the network and information systems themselves but also their physical environment from risks such as sabotage, theft, fire, flooding, power outages or unauthorised access, which could compromise the data or services the systems provide.
[7] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
[8] European Commission Guidelines on the application of Article 4 (1), 13.9.2023, C(2023) 6068 final.