
Does European NIS2 Directive Apply to Your Company or Entity?
Key Takeaways
Author: Tomislav Horvat
NIS2 applies to medium and large organizations in 18 specific sectors providing services in the EU (regardless of company location), with compliance required by October 17, 2024.
Organizations are classified as "essential entities" (high-criticality sectors like energy, healthcare) or "important entities" (other sectors like manufacturing, digital providers), with essential entities facing stricter supervision and higher penalties (up to €10M/2% vs €7M/1.4%).
While micro and small organizations (under 50 employees, less than €10M revenue) are generally exempt, exceptions exist for sole service providers, entities with significant impact on public safety, or those with critical regional importance.
Unlike the original NIS Directive, NIS2 applies to approximately 100,000 organizations and introduces consistent criteria for entity classification, reporting timelines, and security requirements across all EU member states.
The Network and Information Security 2 (NIS2) Directive represents a significant expansion of the EU's cybersecurity framework, requiring compliance from at least 100,000 organizations - a dramatic increase from the original NIS Directive. If your organization operates in or provides services to the European Union, you need to understand whether these regulations apply to you. Let's break down exactly who falls under NIS2's scope.
NIS2 applies to organizations based on three fundamental criteria:
First, if you provide services or carry out activities in any of the 27 EU member countries, the directive applies to you - regardless of whether your company is based within the EU or elsewhere. This extraterritorial reach means companies from the US, UK, Asia or anywhere else must comply if they serve EU customers in covered sectors.
Second, your organization's size matters. Generally, medium businesses (50-250 employees and €10-50 million annual revenue) and large businesses (over 250 employees and more than €50 million annual revenue) must comply with NIS2, while micro and small organizations (fewer than 50 employees and less than €10 million annual revenue) are typically exempt (though important exceptions exist, which we'll cover later).
Finally, you need to determine if your organization operates in one of the 18 sectors covered by the directive. These sectors are:
Energy (electricity, district heating/cooling, oil, gas, hydrogen)
Transport (air, rail, water, road)
Banking
Financial market infrastructures
Health
Drinking water
Wastewater
Digital infrastructure
ICT service management (business-to-business)
Public administration
Space
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Production, processing, and distribution of food
Manufacturing (medical devices, computers, electronics, machinery, etc.)
Digital providers (online marketplaces, search engines, social platforms)
Research
Understanding these three factors - location, size, and sector - gives you the starting point for determining your NIS2 compliance obligations. The directive must be transposed into national law by all EU member states by October 17, 2024.
NIS2 classifies organizations into two main categories: essential entities and important entities. These classifications determine the specific requirements and potential penalties you'll face.
Essential entities operate in sectors considered critical to the functioning of the economy and society. They face more stringent requirements, more frequent audits, and potential fines of up to €10 million or 2% of global annual turnover, whichever is higher.
If you run a large organization (over 250 employees and more than €50 million annual revenue) in any of the 11 high-criticality sectors (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, or space), you're classified as an essential entity.
This classification also automatically applies to certain organizations regardless of size, including:
Trust service providers
DNS service providers
TLD name registries
Public electronic communications networks providers
Public administration entities at central and regional levels
Beyond these straightforward designations, an organization might be classified as essential if it's been identified as a critical entity under the Critical Entities Resilience (CER) Directive (EU) 2022/2557.
Important entities operate in sectors that, while still significant, are considered less critical to society's core functions than those housing essential entities. They face less frequent audits and lower potential penalties - up to €7 million or 1.4% of global annual turnover.
If your organization is medium-sized (50-250 employees and €10-50 million annual revenue) in any covered sector, you'd typically be classified as an important entity. Additionally, large organizations in the 7 "other critical sectors" (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research) are classified as important entities.
Under this classification, you face somewhat less stringent supervision requirements than essential entities. For example, important entities are typically subject to reactive supervision (after incidents) rather than the proactive supervision faced by essential entities.
The distinction between essential and important entities aims to create proportionality in the regulatory burden based on an organization's potential impact on society if compromised. According to statistics in the NIS2 documentation, this two-tier approach allows authorities to focus intensive supervision on the approximately 35,000 essential entities while still maintaining oversight of roughly 65,000 important entities.
Organizations in the 11 high-criticality sectors face the most stringent requirements under NIS2. Let's look at which sectors and specific entity types fall into this category:
The energy sector encompasses 16 distinct entity types across five subsectors (electricity, district heating/cooling, oil, gas, and hydrogen). For example, if you operate as an electricity supplier, distribution system operator, transmission system operator, or producer meeting the size criteria, you're classified as an essential entity. The same applies to oil pipeline operators, gas storage system operators, and hydrogen production facilities.
The transportation sector includes 11 distinct entity types across four subsectors (air, rail, water, and road). This covers air carriers, airport managing bodies, traffic control operators, railway infrastructure managers, water transport companies, port managing bodies, and intelligent transport system operators - all classified as essential entities when meeting size criteria.
Financial institutions fall under two specific sectors: banking (covering credit institutions) and financial market infrastructures (covering trading venue operators and central counterparties). Under NIS2, these are considered separate sectors, both containing essential entities.
Public administration at central and regional levels must comply with NIS2 requirements regardless of size - with approximately 80,000 such entities across the EU. Local public administration entities (an additional 90,000 entities) might need to comply if the Member State decides to include them.
The healthcare sector includes healthcare providers, EU reference laboratories, entities researching and developing medicinal products, pharmaceutical manufacturers, and manufacturers of critical medical devices - all classified as essential entities when meeting size criteria.
The space sector specifically includes operators of ground-based infrastructure supporting space-based services.
Water utilities are divided into two sectors: drinking water suppliers and wastewater management companies. Both are classified as essential entities when meeting size criteria.
Digital infrastructure providers include 8 distinct types: internet exchange points, DNS service providers, TLD name registries, domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, and trust service providers. Some of these (DNS providers, TLD registries, trust service providers) are essential entities regardless of size.
Seven sectors are categorized under the important entity classification, covering approximately 65,000 organizations across the EU:
Postal and courier service providers face NIS2 compliance requirements when they meet the size thresholds of 50+ employees and €10+ million annual revenue. The EU postal sector alone employs over 1.7 million people across approximately 800 companies meeting these criteria.
Waste management companies with 50+ employees and €10+ million annual revenue need to comply unless waste management is not their principal economic activity. Across the EU, approximately 6,000 waste management companies meet these thresholds.
Chemical manufacturers and distributors fall under NIS2 if they're medium-sized or larger. This includes companies manufacturing substances, distributing substances or mixtures, and producing articles from chemicals - covering about 3,300 companies across the EU.
Research organizations, particularly those with 50+ employees and €10+ million annual revenue involved in critical research activities, are included. Educational institutions carrying out critical research may be included if the Member State decides.
Food production, processing, and distribution companies engaged in wholesale or industrial operations must comply when they reach the standard size thresholds. This covers approximately 15,000 food businesses across the EU.
Manufacturing operations in six specific subsectors are covered: medical devices and in vitro diagnostics; computers, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; and other transport equipment. Together, these subsectors include approximately 22,000 companies meeting the size criteria.
Digital providers - specifically online marketplaces, search engines, and social networking platforms - are included as important entities when they meet size criteria. This applies to approximately 11,000 digital providers serving EU customers.
Size plays a significant role in determining your NIS2 compliance requirements, with specific thresholds defining each category.
Micro and small organizations (fewer than 50 employees AND less than €10 million annual revenue) are generally exempt from NIS2 requirements - estimated to exclude approximately 8.1 million EU businesses from compliance obligations. However, five important exceptions exist:
Even if your organization is small, you must comply with NIS2 if:
You're the sole provider of an essential service in a Member State
Your service disruption could significantly impact public safety, security, or public health
A disruption of your service could induce significant systemic risk, especially with cross-border impact
You're deemed critical because of specific importance at national or regional level
You've been designated as a "critical entity" under the Critical Entities Resilience Directive
Medium-sized organizations (50-250 employees AND €10-50 million annual revenue) typically fall under the important entity classification, requiring standard NIS2 compliance. This holds even when they operate in high-criticality sectors: a medium-sized entity there is still classified as an important entity, not an essential one.
Large organizations (over 250 employees AND more than €50 million annual revenue) in high-criticality sectors are classified as essential entities, facing the highest level of requirements and scrutiny. Large organizations in other critical sectors become important entities with somewhat reduced obligations.
According to EU statistics, approximately 0.2% of all EU businesses (roughly 100,000 entities) will need to comply with NIS2 - dramatically expanding the estimated 5,000-10,000 entities covered by the original NIS Directive.
The requirements for essential and important entities differ in several key measurable ways under Articles 32-34 of NIS2.
Supervision approaches vary significantly based on entity classification. According to Article 32, essential entities face proactive, rigorous supervision with regular documentary checks and targeted security audits. National authorities must conduct systematic, risk-based on-site inspections of essential entities at least every 3 years. In contrast, Article 33 specifies that important entities typically face reactive supervision - primarily after evidence of non-compliance emerges.
Incident reporting timelines apply to both entity types but with different urgency levels. Both must submit an initial notification within 24 hours of becoming aware of a significant incident. However, essential entities must provide intermediate updates if requested by authorities and submit a final incident report within 1 month, while important entities have more flexibility in their final reporting timeline.
Potential penalties differ substantially. According to Article 34, essential entities can face administrative fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher). Important entities face lower penalties - up to €7 million or 1.4% of annual turnover. These penalties can be applied for failing to implement required security measures, not notifying incidents properly, not addressing identified vulnerabilities, or not complying with supervisory instructions.
Security implementation requirements include seven specific measures for both categories: risk analysis, incident handling, business continuity, supply chain security, security in network acquisition and development, vulnerability handling and disclosure, and effectiveness assessment. However, essential entities face more rigorous verification of these measures.
NIS2 includes provisions for several special cases that require close attention to determine your compliance status.
Micro and small enterprises with critical functions may face full compliance requirements despite their size. According to Article 2(2), if your organization employs fewer than 50 people and has less than €10 million annual revenue, you still must comply with NIS2 if you meet any of these five specific conditions:
You're the sole provider of an essential service in a Member State
A disruption of your service could have a significant impact on public safety, security, or health
Your service disruption could induce significant systemic risk, especially with cross-border impact
You have specific importance at national or regional level
You've been designated as a "critical entity" under Directive (EU) 2022/2557
Public administration entities at different levels face varying requirements. All central government entities (approximately 10,000 across the EU) and regional government entities (approximately 70,000) must comply with NIS2 as essential entities regardless of size. Local government entities (approximately 90,000) are subject to NIS2 only if the Member State decides to include them.
Digital infrastructure providers face unique classifications. DNS service providers, TLD name registries and trust service providers are always considered essential entities regardless of size - even micro businesses. Domain name registration services are always classified as important entities regardless of size.
Extraterritorial application affects non-EU companies. Any organization providing services to EU customers in covered sectors must comply with NIS2 if they meet size and sector criteria - even if headquartered outside the EU. For major international corporations, this creates compliance obligations in every EU country where they operate.
Sectoral exemptions exist for specific industries. Entities in defense, national security, public security, law enforcement, judiciary, parliaments, and central banks are explicitly excluded from NIS2 scope, regardless of their size or importance.
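The scoping rules described above (services in the EU, size band, sector, the size-independent designations, the Article 2(2) exceptions for small entities and the sectoral exclusions) can be checked mechanically. The self-assessment helper below is an added example, not code from this page or from Gauss; the sector and entity-type labels, the field names, and the decision to treat staff/revenue combinations that the page's size bands leave unassigned as medium are assumptions.

```python
from dataclasses import dataclass
# Sector and entity-type groups as the page lists them (the string labels are constructed).
HIGH_CRITICALITY = {"energy", "transport", "banking", "financial market infrastructures", "health", "drinking water",
                    "wastewater", "digital infrastructure", "ict service management", "public administration", "space"}
OTHER_CRITICAL = {"postal and courier", "waste management", "chemicals", "food", "manufacturing",
                  "digital providers", "research"}
ALWAYS_ESSENTIAL = {"trust service provider", "dns service provider", "tld name registry", "central public administration",
                    "regional public administration", "public electronic communications network provider"}
ALWAYS_IMPORTANT = {"domain name registration service"}
EXCLUDED = {"defence", "national security", "public security", "law enforcement", "judiciary", "parliament", "central bank"}
PENALTY_CAP = {"essential": (10_000_000, 0.02), "important": (7_000_000, 0.014)}  # fixed EUR cap, share of turnover

@dataclass
class Entity:
    sector: str
    employees: int
    revenue_eur: float
    serves_eu: bool = True             # provides services in at least one EU member state
    entity_type: str = ""              # size-independent designation, e.g. "dns service provider"
    small_exception: bool = False      # one of the five Article 2(2) conditions applies
    cer_critical: bool = False         # designated critical under Directive (EU) 2022/2557

def size_band(employees: int, revenue_eur: float) -> str:
    # Page thresholds: small = below 50 staff AND EUR 10M; large = above 250 staff AND EUR 50M.
    if employees < 50 and revenue_eur < 10_000_000:
        return "small"
    # Assumption: combinations the page's bands leave unassigned are treated as medium.
    return "large" if employees > 250 and revenue_eur > 50_000_000 else "medium"

def classify(e: Entity) -> str:  # 'out of scope', 'essential' or 'important' per the page's rules
    if not e.serves_eu or e.sector in EXCLUDED:
        return "out of scope"
    if e.entity_type in ALWAYS_ESSENTIAL or e.cer_critical:
        return "essential"
    if e.entity_type in ALWAYS_IMPORTANT:
        return "important"
    if e.sector not in HIGH_CRITICALITY | OTHER_CRITICAL:
        return "out of scope"
    band = size_band(e.employees, e.revenue_eur)
    if band == "small" and not e.small_exception:
        return "out of scope"  # micro and small entities are generally exempt
    if band == "large" and e.sector in HIGH_CRITICALITY:
        return "essential"
    # Medium entities, large entities in the other critical sectors and (assumption: the page names no tier) small ones caught by Article 2(2).
    return "important"

def max_fine(classification: str, turnover_eur: float) -> float:
    fixed, pct = PENALTY_CAP[classification]  # fixed cap or share of turnover, whichever is higher
    return max(fixed, pct * turnover_eur)
```

Run the questions in the order the page asks them (EU services, sector, size, then the special cases) and the function returns the tier; max_fine turns the tier into the page's "whichever is higher" penalty ceiling for a given worldwide turnover.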
The directive must be transposed into national law by all EU member states by October 17, 2024, with additional implementing regulations expected to follow from various national authorities.
Navigating NIS2 compliance can be complex and time-consuming, especially with approaching deadlines and potential penalties at stake. At Gauss, we understand the cybersecurity challenges your organization faces in meeting these new regulatory requirements.
Our team specializes in developing custom IT solutions to help businesses and organizations become fully NIS2 compliant. We'll work with you to assess your current security posture, implement necessary measures, and develop systems that satisfy both essential and important entity requirements - all tailored to your specific sector and business needs.
Don't risk non-compliance or security vulnerabilities. Contact us today to start a conversation about how our cybersecurity services can help you achieve NIS2 compliance while strengthening your overall security infrastructure.