Cybersecurity

NIS2 scope: Does your organization qualify as an essential or important entity?

April 2024

Companies impacted by the NIS2 legislation have until October 2024 to ensure full compliance. To this end, the first thing you should do is assess whether you fall within the NIS2 scope and, if so, whether you qualify as an essential or an important entity.

To support you in doing that, this blog post outlines the sectors and organizations within the Directive’s scope and the different supervision and enforcement powers of competent authorities on essential and important entities.

Which sectors and companies fall into the scope of the NIS2 Directive?

The sectors falling into the scope of the NIS2 Directive are listed in its Annexes I and II. Annex I covers “sectors of high criticality” and Annex II covers “other critical sectors”.

Not all the entities belonging to these sectors fall into the scope of the NIS2 Directive: only companies that exceed the threshold to be considered a medium-sized enterprise (i.e., employing more than 50 people or with an annual turnover/balance sheet total exceeding EUR 10 million) are impacted.

However, the Directive lists some cases where entities fall into its scope regardless of their size. A company that doesn’t reach the size threshold is still subject to the Directive if any of the following applies:

  • it is the sole provider of a critical service in a Member State;
  • the disruption of the service it provides could have a significant impact on public safety, public security, or public health, or could induce a significant systemic risk;
  • it is critical because of its specific importance at a national or regional level for the particular sector or type of service;
  • it is a public administration entity at a national or regional level.

Essential entities and important entities

All entities belonging to the sectors listed in these Annexes and meeting the size requirement fall within the scope of the NIS2 Directive. While they are all obliged to fulfill the same legal requirements, not all are subject to the same supervisory and enforcement measures.

The Directive classifies the entities falling into its scope into two categories — essential entities and important entities — each subject to a different regime. The categorization is based on how critical the entities are to the sector or service they provide, as well as on their size.

As general guidance, entities belonging to the sectors of high criticality listed in Annex I qualify as essential entities, while those belonging to the other critical sectors listed in Annex II qualify as important entities.

However, an entity belonging to the other critical sectors listed in Annex II is qualified as an essential entity if it is the sole provider in a Member State, or the disruption of its service could have a significant negative impact, or if it has specific importance at a national level.

The different regimes essential and important entities are subject to

All companies within the scope of the NIS2 Directive are mandated to comply with the same cybersecurity requirements, regardless of whether they are qualified as essential or important entities.

However, different rules apply to these two categories when it comes to the power given to competent authorities to audit companies and issue fines.

In essence, essential entities face more proactive and intensive supervision and enforcement measures due to their critical importance, while important entities are subject to similar measures but with a focus on ex-post supervision and slightly less extensive enforcement powers.

Supervisory and enforcement measures:

Essential entities can be subject to on-site and off-site inspections, regular security audits, ad hoc audits, and security scans to assess their compliance.

Competent authorities have extensive powers to gather information and broad enforcement powers, including issuing warnings, adopting binding instructions, ordering cessation of infringing conduct, imposing fines, and temporarily suspending certifications or authorizations.

Important entities, on the other hand, are only subject to ex-post supervisory measures, meaning actions are taken after evidence or indications of non-compliance have been identified or after a security incident has occurred.

The enforcement powers of competent authorities are slightly more limited. They mainly focus on issuing warnings, adopting binding instructions, ordering the cessation of infringing conduct, and imposing fines.

Both essential and important entities are entitled to procedural safeguards, including the right to be informed of preliminary findings, submit observations, and appeal enforcement measures.

Fines and personal liability:

The NIS2 Directive establishes that fines for non-compliance must be effective, proportionate, and dissuasive.

Companies violating the requirements set by the NIS2 Directive can be issued financial penalties – along with enforcement measures, such as warnings, instructions, orders, and so on.

Fines for essential entities can be up to €10,000,000 or 2% of the total worldwide annual turnover, whichever is higher.

For important entities, fines can be up to €7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher.

If the compliance violation can lead to a personal data breach under GDPR, competent authorities must inform the relevant supervisory authorities, who can impose fines under GDPR for the same conduct.

Additionally, to further strengthen the effectiveness and dissuasiveness of the enforcement measures applicable to essential entities, the competent authorities are also empowered to

  • temporarily suspend a certification or authorization concerning part or all of the relevant services provided or activities carried out by the entity, and
  • temporarily prohibit the Chief Executive Officer or other legal representative from exercising managerial functions. The natural persons holding senior management positions or the power to represent the entity, control it, and take decisions on its behalf (and consequently be able to ensure its compliance) can be held liable for breach of their duties to ensure compliance with the NIS2 Directive.

The power given to competent authorities

Scope and focus of supervisory measures

Essential entities:
  • Proactive and random supervision.
  • On-site and off-site inspections, regularly scheduled security audits, ad hoc audits, and security scans.
  • Competent authorities have extensive powers to gather information and assess compliance ex ante, regardless of whether an incident has occurred.

Important entities:
  • Ex-post supervisory measures, meaning action is taken after a security incident has occurred.
  • Competent authorities can request access to data, documents, and information necessary to carry out their supervisory tasks, as well as request evidence of the implementation of cybersecurity policies.

Enforcement powers

Essential entities:
  • warnings
  • binding instructions
  • orders of cessation of infringing conduct
  • orders to inform customers potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures that can be taken in response to that threat
  • designation of a monitoring officer to oversee the compliance of the entity
  • fines
  • temporary suspension of certifications or authorizations to provide services or carry out activities
  • temporary prohibition from exercising managerial functions for natural persons
  • personal liability for breach of the duty to ensure compliance with the NIS2 Directive

Important entities:
  • warnings
  • binding instructions
  • orders of cessation of infringing conduct
  • fines

Financial penalties

Essential entities: up to €10,000,000 or 2% of the total worldwide annual turnover, whichever is higher.

Important entities: up to €7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher.

Procedural safeguards

Both essential and important entities are entitled to procedural safeguards, including the right to be informed of preliminary findings, the right to submit observations, and the right to appeal enforcement measures.

Are you new to the scope of NIS2? Secomea can help you

Most of the organizations belonging to the sectors of high criticality included in Annex I (essential entities) were already familiar with the first NIS Directive. In addition, a significant portion of them have been directly affected by the GDPR, in response to which they have likely already improved their cybersecurity profile and expanded their compliance departments and processes.

On the other hand, the majority of the companies included in the other critical sectors listed in Annex II (important entities) are entirely new to having to fulfill the requirements of comprehensive cybersecurity legislation.

For the sectors and entities new to the scope, NIS2 compliance appears to be a particularly daunting task.

To make matters worse, they might not have the skills and resources to prepare themselves properly.

Last but not least, key decision-makers might not be used to actively participating in security conversations.

For these reasons, even knowing where to start can be challenging.

But fear not – Secomea can support you in your compliance journey!

To help you navigate the NIS2 legislation, ensure the fulfillment of all the requirements, and prepare for NIS2 inspections, we have prepared this comprehensive whitepaper.


All you need to know to ensure NIS2 compliance