How Does the NIS2 Directive Apply to You? Get the Answer Here

One of the most frequent questions we get from our customers is:

“Does the NIS2 Directive apply to my organization?”

We understand why: the answer isn’t straightforward.

Maybe someone told you that the NIS2 Directive applies to you if you’re either an essential or important entity.

Unfortunately, it’s a myth. The answer for your specific business depends on several factors and exemptions, which can be difficult to navigate.

However, we’ll make sure to lead you directly to the answer by taking you through:

Entities that are directly affected

The NIS2 Directive affects entities, across all areas and sectors with activities in the EU, that are considered vital to the economy and society.

For that reason, you should prepare to comply with NIS2 if you operate within or supply those areas or sectors.

First and foremost, you’re directly affected by NIS2, regardless of your company’s size, if it falls within one of these 10 categories:

  1. Public communications networks and services
  2. Trust service providers (an entity that, for instance, makes and validates electronic signatures)
  3. Domain names
  4. The only provider of an essential service (this is often utility companies like water or electricity companies)
  5. Public safety or public health
  6. Systemic risk (an example of systemic risk is the financial crisis in 2008 and the collapse of Lehman Brothers that had a domino effect on the rest of the world)
  7. Critical to a sector
  8. Central government
  9. Defined as “critical” in the Critical Entities Resilience Directive
  10. Municipalities, regions, or educational institutions (if decided on a national level).

If your company isn’t within these categories, other factors decide if you’re affected by NIS2 – more specifically, if your company is defined as either an essential or important entity.

That is the case if your company is within one of the sectors shown in this illustration:

Please note that there are legal nuances of when an entity is either essential or important in the NIS2 Directive. We don’t cover these nuances here. Reach out to us if you need any help.

Furthermore, as a main rule, you are only covered by the NIS2 directive, if your company falls within both of these criteria:

  • You have 50 employees or more; and
  • You have an annual turnover or a balance sheet of €10 million.

So, put in a nutshell:

You need to be NIS2-compliant if your company falls within all of the requirements above, that is, the sector, the minimum of 50 employees, and the annual turnover or balance sheet of €10 million.

But…

Even if NIS2 does not directly apply to you, you can still be indirectly affected and must, therefore, comply with the directive.

Entities that are indirectly affected

You can be indirectly affected by the NIS2 directive if 1) your customers are directly covered and 2) you supply an information or network system to them.

Let’s give you an example:

Your company supplies medical equipment to hospitals.

If your business is hit by a cyberattack, it could impact the hospital’s ability to function.

To protect itself against these kinds of risks, the hospital must ensure that your cybersecurity is appropriate given the potential risks. The hospital can ensure this through an obligation in the contract.

So, all the factors that we just went through with you decide whether you’re affected by NIS2 – either directly or indirectly – or not at all.

However, if you still struggle to find out if you’re affected, we’ve made this NIS2 decision tree for you – it will give you a bulletproof answer.

Get a sneak peek and your very own copy of the NIS2 decision tree below.

NIS2 Decision Tree

If you’d like to have our NIS2 decision tree at your fingertips at all times, feel free to grab it here.