4. Who is concerned?
The NIS2 Directive's cybersecurity rules are limited in scope to certain entities, namely those providing services essential to the maintenance of critical societal or economic activities. The Directive defines measures to ensure a high common level of cybersecurity across the EU for entities classified as "essential" or "important" on the basis of the services they provide and their size.
Whereas the previous directive provided for a national procedure for identifying operators of essential services, the NIS2 Directive now uses two criteria to determine whether an entity falls within its scope: whether it carries out an activity listed in one of the Directive's annexes, and its size.
The entities concerned are those providing essential services listed in the "high-impact sectors" of Annex I or in the "other critical sectors" of Annex II, which are medium-sized enterprises pursuant to Article 2 of the Annex to Recommendation 2003/361/EC [8], or which exceed the thresholds provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.
Indeed, the European Union now applies a rule associated with an explicit threshold to 18 sectors, namely 11 sectors listed in Annex I and 7 sectors listed in Annex II (see table below). Thus, any entity referred to in Annex I must, in order to be considered important, have at least 50 employees or generate an annual turnover of more than 10 million euros. If the number of its employees is 250 or more and its annual turnover exceeds 50 million euros, the entity in question is considered essential (see diagram in the figure below).
The obligations of the NIS2 Directive therefore apply only to a limited number of entities that are part of critical sectors and provide services of general interest to the public and businesses, or that are critical to the country's economic potential.
The Belgian Centre for Cyber Security (CCB) [9] has calculated that Belgium has around 800 essential entities and 1,600 important entities. In total, 2,400 entities should therefore fall within the scope of this legislation, including public authorities.
[8] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
[9] CCB: https://ccb.belgium.be
Table. Critical sectors of entities concerned by the NIS2 Directive
Companies, managers, producers, operators, actors, operators, entities, companies, suppliers, service providers, laboratories... in the following sectors and sub-sectors
Highly Critical Sectors (Annex I of the Directive)
1. Energy: electricity, heating and cooling networks, petroleum, gas, hydrogen
Other critical sectors (Annex II of the Directive)
1. Postal and shipping services
Note: Annexes I and II provide more detailed information than this table, and should be consulted for further reference.
Figure. This flowchart will help you determine if your organization is subject to the NIS2 Directive.
Source: CNPP