The increased coverage and scope under NIS2
The EU NIS2 directive (full name "Directive on measures for a high common level of cybersecurity across the Union") is now being implemented across EU member states and is expected to be enforced no later than October 2024 in national legislations. Elements of the directive will also influence neighboring countries that may not be in the EU (yet). This is widely recognized as the Brussels effect, for good or worse.
The outgoing: NIS1
The existing NIS1 regime has been enforced in 7 sectors, which were deemed vital for the economy and society and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure.
Entities identified by the Member States as operators of essential services (OES) in these sectors are required to undertake a cybersecurity risk assessment and put in place appropriate and proportionate security measures. They are required to notify serious incidents to the relevant authorities.
Here we go NIS2: the expanded sectors
The new and upcoming NIS2 Directive significantly expands the scope of sectors but introduces a size threshold to define which entities fall in its scope and would be required to report significant cybersecurity incidents to the national supervisory authorities.
NIS2 eliminates the distinction between Operators of essential services and digital service providers from NIS1. Instead, it defines a new list of sectors divided into 2 groups: high criticality and other critical sectors. Here's now it now looks:
Energy (electricity, district heating and cooling, gas, oil, hydrogen)
Transport (air, rail, water, road)
Banking (credit institutions)
Financial market infrastructures
Health (healthcare providers and pharma companies)
Drinking water (suppliers and distributors)
Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
ICT service providers (B2B): MSSPs and managed service providers
Public administration (central and regional government institutions, as defined per member state)
Other critical sectors:
Postal and courier services
Chemical manufacturing and distribution
Food production and distribution
Manufacturing: medical devices, computer, electrical equipment, vehicles and transport equipment
Digital providers: online search engines, marketplaces, social networks
Yes, but who exactly will be affected?
NIS2 provides an algorithm to determine which organizations will need to comply - the exact list of organizations. However, some discretion will rest on each state: it is up to the EU member to define the process of enrollment and classification into the list, so we will see that clarified in each country during the law implementation process.
What is now clear is the following: based on the sectors above, NIS2 defines 2 slightly different regulatory regimes, based on the designated entity category: "essential" or "important" entity.
These will be essential entities:
organizations operating in the above "highly critical" sectors, but only those which exceed the definition of medium-sized enterprises (SME definition based on EU Commission definition - see here). That typically applies to enterprises with >250 employees and either 50M EUR revenues or a 43M EUR balance sheet.
However, for telecommunications companies it applies also to those which qualify as medium-sized enterprises.
Regardless the size: qualified trust service providers and top-level domain name registries as well as DNS service providers.
Regardless the size: any critical entity under the scope of Critical Entities Resilience Directive (CER) - this one to be identified by member states (apparently, member states will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026).
Any "operators of essential services" already defined within the member state under NIS1.
Additionally, an entity operating in the any of the above critical sectors can discretionary be identified by a member state as essential if it's considered having a key role for the society or economy.
Some central and regional level public administration entities, as defined by each member state.
All other entities not satisfying the criteria above, are considered to be important entities. These are effectively the entities in the list of "Other critical sectors" listed above.
So what's the difference between "essential" and "important"?
Both types of entities must comply with the same risk management measures. However, those categorized as "essential" are under proactive supervision. Where "important" entities will only be monitored after an incident of non-compliance is reported, "essential" entities are under increased pressure, including: on-site inspections and off-site supervision, random checks, regular and ad hoc audits, security scans, requests for data access - and more.
If supervision and enforcement is ineffective, NIS2 goes so far as to allow for the authorities to temporarily suspend operations and services carried out by the essential entity, as well as prohibit board members to exercise managerial functions in that entity.
It's unclear whether EU member states will manage to supervise and enforce NIS2 under such an expanded scope of regulatory powers. In any case, it's clear the affected organizations (especially those deemed "essential") are bound to face increased regulatory pressure and overhead. It's time to prepare now.
Want to know more on how to prepare for the increased regulatory pressures but also increase cybersecurity resilience, especially in businesses which heavily rely on OT technology? Join the webinar: Preparing for NIS2 and beyond (sponsored by Radiflow) - register below!