Dejan KosuticThe NIS 2 Directive clearly lists all the sectors and subsectors (industries) that need to comply with this European cybersecurity directive. However, there are many exceptions to this list, and the line between essential and important entities is not very easy to understand — in this article, I present a clear explanation of who needs to be compliant, and in what status.
Mid-size and large companies from the following sectors must comply with NIS2: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management (business-to-business); public administration; space; postal and courier services; waste management; manufacture, production, and distribution of chemicals; production, processing, and distribution of food; manufacturing; digital providers; and research.
Criteria that determine which companies must comply with NIS2
There are three general criteria that define which organizations must comply with NIS 2:
- 1) Location — if they provide services or carry out activities in any country in the European Union (no matter if they are based in the EU or not), and
- 2) Size — if they are categorized as mid-sized or large organizations (see the criteria in the section below), and
- 3) Industry — if they operate in any of the 18 sectors listed in the table below.
However, there are some exceptions to these rules — see the table in the section below for further explanation.
What are essential and important entities?
“Essential entities” and “important entities” are what NIS 2 calls companies and other organizations that need to comply with NIS 2.
NIS 2 defines essential entities as follows:
- Companies that are categorized as large enterprises (see the criteria in the next section) and are in one of the 11 critical sectors (listed in the table below)
- Trust service providers
- DNS service providers
- Public electronic communication networks
- Public administration entities
- Any critical entity according to Critical Entities Resilience (CER) Directive (EU) 2022/2557
- Other entities specified by Member States
Important entities are all other organizations that are not categorized as essential entities, but that fall under the 3 criteria mentioned in the previous section.
Breakdown of sectors & essential and important entities
Since the above explanation from NIS 2 is a bit confusing, I made the table below to show which organizations need to comply with NIS 2, and if they are classified as essential or important entities.
For clarification, here’s how the EU classifies companies according to their size:
- Micro and small organizations — if they have fewer than 50 employees and less than 10 million euros in annual revenue.
- Mid-size organizations — if they have 50 to 250 employees and 10 to 50 million euros in annual revenue.
- Large organizations — if they have more than 250 employees and more than 50 million euros in annual revenue.
| Sector | Subsector | Type of entity | Micro and small organizations* | Mid-sized organizations | Large organizations |
| Sectors of high criticality | |||||
| 1. Energy | (a) Electricity | Electricity undertakings which carry out the function of ‘supply’ | (NIS 2 compliance not required) | Important entity | Essential entity |
| Distribution system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Transmission system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Producers | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Nominated electricity market operators Market participants Operators of a recharging point |
(NIS 2 compliance not required) | Important entity | Essential entity | ||
| (b) District heating and cooling | Operators of district heating or district cooling | (NIS 2 compliance not required) | Important entity | Essential entity | |
| (c) Oil | Operators of oil transmission pipelines | (NIS 2 compliance not required) | Important entity | Essential entity | |
| Operators of oil production, refining and treatment facilities, storage and transmission | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Central stockholding entities | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| (d) Gas | Supply undertakings | (NIS 2 compliance not required) | Important entity | Essential entity | |
| Distribution system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Transmission system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Storage system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| LNG system operators | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Natural gas undertakings | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Operators of natural gas refining and treatment facilities | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| (e) Hydrogen | Operators of hydrogen production, storage and transmission | (NIS 2 compliance not required) | Important entity | Essential entity | |
| 2.Transport | (a) Air | Air carriers used for commercial purposes | (NIS 2 compliance not required) | Important entity | Essential entity |
| Airport managing bodies, airports, including the core airports, and entities operating ancillary installations contained within airports | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Traffic management control operators providing air traffic control (ATC) services | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| (b) Rail | Infrastructure managers | (NIS 2 compliance not required) | Important entity | Essential entity | |
| Railway undertakings, including operators of service facilities | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| (c) Water | Inland, sea and coastal passenger and freight water transport companies, not including the individual vessels operated by those companies | (NIS 2 compliance not required) | Important entity | Essential entity | |
| Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Operators of vessel traffic services (VTS) | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| (d) Road | Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity | (NIS 2 compliance not required) | Important entity | Essential entity | |
| Operators of Intelligent Transport Systems | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| 3. Banking | (Subsector not specified) | Credit institutions | (NIS 2 compliance not required) | Important entity | Essential entity |
| 4. Financial market infrastructures | (Subsector not specified) | Operators of trading venues | (NIS 2 compliance not required) | Important entity | Essential entity |
| Central counterparties (CCPs) | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| 5. Health | (Subsector not specified) | Healthcare providers | (NIS 2 compliance not required) | Important entity | Essential entity |
| EU reference laboratories | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Entities carrying out research and development activities of medicinal products Entities manufacturing basic pharmaceutical products and pharmaceutical preparations Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list) |
(NIS 2 compliance not required) | Important entity | Essential entity | ||
| 6. Drinking water | (Subsector not specified) | Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods | (NIS 2 compliance not required) | Important entity | Essential entity |
| 7. Waste water | (Subsector not specified) | Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity | (NIS 2 compliance not required) | Important entity | Essential entity |
| 8. Digital infrastructure | (Subsector not specified) | Internet Exchange Point providers | (NIS 2 compliance not required) | Important entity | Essential entity |
| DNS service providers, excluding operators of root name servers | Essential entity | Essential entity | Essential entity | ||
| TLD name registries | Essential entity | Essential entity | Essential entity | ||
| Domain name registration services | Important entity | Important entity | Important entity | ||
| Cloud computing service providers | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Data centre service providers | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Content delivery network providers | (NIS 2 compliance not required) | Important entity | Essential entity | ||
| Trust service providers | Essential entity | Essential entity | Essential entity | ||
| Providers of public electronic communications networks | Important entity | Essential entity | Essential entity | ||
| Providers of publicly available electronic communications services | Important entity | Essential entity | Essential entity | ||
| 9. ICT service management (business-to-business) | (Subsector not specified) | Managed service providers Managed security service providers |
(NIS 2 compliance not required) | Important entity | Essential entity |
| 10. Public administration | (Subsector not specified) | Public administration entities of central governments as defined by a Member State in accordance with national law | Essential entity | Essential entity | Essential entity |
| Public administration entities at regional level as defined by a Member State in accordance with national law | Essential entity | Essential entity | Essential entity | ||
| Public administration entities at local level | (if a Member State decides) | (if a Member State decides) | (if a Member State decides) | ||
| 11. Space | (Subsector not specified) | Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks | (NIS 2 compliance not required) | Important entity | Essential entity |
| Other critical sectors | |||||
| 1. Postal and courier services | (Subsector not specified) | Postal service providers, including providers of courier services | (NIS 2 compliance not required) | Important entity | Important entity |
| 2. Waste management | (Subsector not specified) | Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity | (NIS 2 compliance not required) | Important entity | Important entity |
| 3. Manufacture, production and distribution of chemicals | (Subsector not specified) | Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles from substances or mixtures | (NIS 2 compliance not required) | Important entity | Important entity |
| 4. Production, processing and distribution of food | (Subsector not specified) | Food businesses which are engaged in wholesale distribution and industrial production and processing | (NIS 2 compliance not required) | Important entity | Important entity |
| 5. Manufacturing | (a) Manufacture of medical devices and in vitro diagnostic medical devices | Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices with the exception of entities manufacturing medical devices | (NIS 2 compliance not required) | Important entity | Important entity |
| (b) Manufacture of computer, electronic and optical products | Undertakings carrying out any of the economic activities | (NIS 2 compliance not required) | Important entity | Important entity | |
| (c) Manufacture of electrical equipment | Undertakings carrying out any of the economic activities | (NIS 2 compliance not required) | Important entity | Important entity | |
| (d) Manufacture of machinery and equipment n.e.c. | Undertakings carrying out any of the economic activities | (NIS 2 compliance not required) | Important entity | Important entity | |
| (e) Manufacture of motor vehicles, trailers and semi-trailers | Undertakings carrying out any of the economic activities | (NIS 2 compliance not required) | Important entity | Important entity | |
| (f) Manufacture of other transport equipment | Undertakings carrying out any of the economic activities | (NIS 2 compliance not required) | Important entity | Important entity | |
| 6. Digital providers | (Subsector not specified) | Providers of online marketplaces | (NIS 2 compliance not required) | Important entity | Important entity |
| Providers of online search engines | (NIS 2 compliance not required) | Important entity | Important entity | ||
| Providers of social networking services platforms | (NIS 2 compliance not required) | Important entity | Important entity | ||
| 7. Research | (Subsector not specified) | Research organisations | (NIS 2 compliance not required) | Important entity | Important entity |
| Education institutions, in particular where they carry out critical research activities | (if a Member State decides) | (if a Member State decides) | (if a Member State decides) | ||
*Micro and small organizations also need to be compliant with NIS 2 in the following cases:
- If, according to NIS2 Article 2 paragraph 2:
- “(b) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
- (c) disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
- (d) disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
- (e) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;”
- If a Member State has defined that entity as a “critical entity” according to Critical Entities Resilience (CER) Directive (EU) 2022/2557
What is different for essential and important entities in NIS2?
Here are the most important differences in how NIS 2 treats essential and important entities:
- Article 32 specifies stricter supervisory and enforcement measures for essential entities than those specified in Article 33 for important entities.
- Article 34 specifies higher fines for essential entities:
- For essential entities – the fines are up to 10 million euro or 2% of the total annual turnover.
- For important entities – the fines are up to 7 million euro or 1.4% of the total annual turnover.
A much wider reach than the old NIS Directive
It is estimated that at least 100,000 companies need to be compliant with NIS 2 – this is a much larger number than the old NIS Directive required. On top of this, NIS2 covers also important and essential entities that provide services in any EU country, even if these companies are based outside of the European Union.
So, there will be lots of work for cybersecurity professionals.
For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.