Scope and Applicability of NIS2

Understanding the scope and applicability of NIS2 is crucial for determining whether your organization falls under the directive’s requirements and the level of compliance expected.

Essential vs. Important Entities

Essential Entities Organizations providing services critical to the maintenance of vital societal and economic functions, subject to stricter requirements and higher penalties.

Important Entities Organizations that provide services important to society and the economy but not critical, subject to standard requirements and moderate penalties.

Covered Sectors and Activities

Essential Services

  • Energy: Electricity, district heating/cooling, oil, natural gas, hydrogen
  • Transport: Air, rail, water, road transport, and related infrastructure
  • Banking: Credit institutions and central counterparties
  • Financial Market Infrastructure: Trading venues and central securities depositories
  • Health: Healthcare providers, pharmaceutical manufacturers, medical device manufacturers
  • Drinking Water: Supply and distribution services
  • Waste Water: Collection and treatment services
  • Digital Infrastructure: Internet exchange points, DNS service providers, TLD name registries, cloud computing services, data center services, content delivery networks
  • ICT Service Management: Managed service providers and managed security service providers
  • Public Administration: Central government, regional authorities
  • Space: Space-based services and ground-based infrastructure

Important Services

  • Postal and Courier Services: Postal services providers
  • Waste Management: Collection, transport, recovery, disposal
  • Manufacturing: Manufacture of medical devices, computer/electronic products, electrical equipment, machinery, motor vehicles, chemicals, food products
  • Digital Providers: Online marketplaces, online search engines, social networking services platforms
  • Research: Research organizations

Size and Threshold Criteria

Medium-sized Enterprise Criteria Organizations qualify if they meet at least two of the following:

  • 50 or more employees
  • Annual turnover of €10 million or more
  • Annual balance sheet total of €10 million or more

Exemptions and Special Cases

  • Micro and small enterprises (unless deemed critical)
  • Public entities below certain thresholds
  • Organizations providing services exclusively within one Member State