The increased coverage and scope under NIS2

The EU NIS2 directive (full name "Directive on measures for a high common level of cybersecurity across the Union") is now being implemented across EU member states and is expected to be enforced no later than October 2024 in national legislations. Elements of the directive will also influence neighboring countries that may not be in the EU (yet). This is widely recognized as the Brussels effect, for good or worse.

The outgoing: NIS1

The existing NIS1 regime has been enforced in 7 sectors, which were deemed vital for the economy and society and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure.

Entities identified by the Member States as operators of essential services (OES) in these sectors are required to undertake a cybersecurity risk assessment and put in place appropriate and proportionate security measures. They are required to notify serious incidents to the relevant authorities.

Here we go NIS2: the expanded sectors

The new and upcoming NIS2 Directive significantly expands the scope of sectors but introduces a size threshold to define which entities fall in its scope and would be required to report significant cybersecurity incidents to the national supervisory authorities.

NIS2 eliminates the distinction between Operators of essential services and digital service providers from NIS1. Instead, it defines a new list of sectors divided into 2 groups: high criticality and other critical sectors. Here's now it now looks:

High criticality:

• Energy (electricity, district heating and cooling, gas, oil, hydrogen)

• Transport (air, rail, water, road)

• Banking (credit institutions)

• Financial market infrastructures

• Health (healthcare providers and pharma companies)

• Drinking water (suppliers and distributors)

• Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)

• ICT service providers (B2B): MSSPs and managed service providers

• Public administration (central and regional government institutions, as defined per member state)

• Space

Other critical sectors:

• Postal and courier services

• Waste management

• Chemical manufacturing and distribution

• Food production and distribution

• Manufacturing: medical devices, computer, electrical equipment, vehicles and transport equipment

• Digital providers: online search engines, marketplaces, social networks

• Research organizations

Yes, but who exactly will be affected?

NIS2 provides an algorithm to determine which organizations will need to comply - the exact list of organizations. However, some discretion will rest on each state: it is up to the EU member to define the process of enrollment and classification into the list, so we will see that clarified in each country during the law implementation process.

What is now clear is the following: based on the sectors above, NIS2 defines 2 slightly different regulatory regimes, based on the designated entity category: "essential" or "important" entity.

These will be essential entities:

• organizations operating in the above "highly critical" sectors, but only those which exceed the definition of medium-sized enterprises (SME definition based on EU Commission definition - see here). That typically applies to enterprises with >250 employees and either 50M EUR revenues or a 43M EUR balance sheet.

• However, for telecommunications companies it applies also to those which qualify as medium-sized enterprises.

• Regardless the size: qualified trust service providers and top-level domain name registries as well as DNS service providers.

• Regardless the size: any critical entity under the scope of Critical Entities Resilience Directive (CER) - this one to be identified by member states (apparently, member states will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026).

• Any "operators of essential services" already defined within the member state under NIS1.

• Additionally, an entity operating in the any of the above critical sectors can discretionary be identified by a member state as essential if it's considered having a key role for the society or economy.

• Some central and regional level public administration entities, as defined by each member state.

All other entities not satisfying the criteria above, are considered to be important entities. These are effectively the entities in the list of "Other critical sectors" listed above.

So what's the difference between "essential" and "important"?

Both types of entities must comply with the same risk management measures. However, those categorized as "essential" are under proactive supervision. Where "important" entities will only be monitored after an incident of non-compliance is reported, "essential" entities are under increased pressure, including: on-site inspections and off-site supervision, random checks, regular and ad hoc audits, security scans, requests for data access - and more.

If supervision and enforcement is ineffective, NIS2 goes so far as to allow for the authorities to temporarily suspend operations and services carried out by the essential entity, as well as prohibit board members to exercise managerial functions in that entity.

It's unclear whether EU member states will manage to supervise and enforce NIS2 under such an expanded scope of regulatory powers. In any case, it's clear the affected organizations (especially those deemed "essential") are bound to face increased regulatory pressure and overhead. It's time to prepare now.