Cybersecurity and regulated services

kumartk
Posts: 449
Joined: Tue Jan 07, 2025 6:01 am

Post by kumartk »

The new NIS2 Directive significantly expands the scope of organisations subject to cybersecurity obligations. While the original NIS Directive focused primarily on so-called critical infrastructures in sectors such as energy or transport, NIS2 targets a wider range of entities.

Now the regulation will affect not only larger players, but also smaller and medium-sized enterprises, which play a key role in the European economy. Let's take a look at who must now respect the directive and what obligations are associated with it. These are the so-called regulated service providers, which are further divided into several categories.

The European NIS2 Directive applies to both private and public organizations that simultaneously meet the following two criteria:

The service criterion means that you provide a type of service listed in the annexes to the directive (energy, transport, banking, healthcare, financial market infrastructure, drinking water suppliers and distributors, wastewater treatment, digital infrastructure, managed ICT service providers and others).

The provider criterion concerns the size of the company. If you are a medium or large company or meet other requirements of the given field (in healthcare, for example, the number of beds), then you meet the given criterion.

You must therefore meet both the size requirement and also provide one of the regulated services. You meet the size requirement if you employ 50 or more people or achieve an annual turnover of EUR 10 million. If you are not sure, you can fill in the calculator on the NÚKIB website. It will help you determine whether you fall under the regulated entities. The situation of parent companies, subsidiaries and holding companies is specific.

NIS2 also applies to state and public institutions that manage sensitive information and are important to the functioning of the state. Cybersecurity is therefore becoming important for more and more places.

You are also interested in whether you will be subject to the higher or lower obligations regime. Of course, the lower obligations regime will be easier to comply with.

Services are divided into essential sectors, which are subject to stricter controls, based on their obligations. Key sectors include: energy, transport, banking, financial market infrastructure, healthcare, water management, digital infrastructure and managed ICT service providers. It is estimated that around 1,000 organisations will fall into this category.

NIS2 also introduces a new concept of so-called important sectors, which must implement security measures even if their services are not directly connected to critical infrastructure. These sectors include postal services, waste management, the chemical industry, the food industry, manufacturing, digital service providers and research organizations, except for educational institutions.

Another 5,000 entities will likely fall into this category, and cybersecurity for them will not mean meeting such stringent requirements.

You are not yet 100% sure whether the European NIS2 Directive will apply to you, as the law is still awaiting text amendments and clarification of definitions. The situation is particularly unclear in the case of Internet providers, DNS services and cloud computing services. The term cloud computing is not clearly defined anywhere.