The NIS2 law
Scope
To be covered by the NIS2 law, an organisation must in principle:
- provide, in the European Union, a service listed in Annex I or II of the NIS2 law; and
- exceed the size thresholds set out in European Commission Recommendation 2003/361/EC, i.e. have a workforce of at least 50 annual work units (AWUs) or an annual turnover or balance sheet total exceeding EUR 10 million (see the European Commission's guidance).
These criteria are explained in the following sections:
1. The service provided
The organisation must provide a service listed in Annex I or II of the law (even if this service is only an ancillary part of its activities) in one of the following sectors:
High criticality sectors (Annex I) | Other critical sectors (Annex II)
Each service covered by the NIS2 law is defined in Annex I or II of the law, or in Article 8. The annexes can be consulted on Justel (at the bottom of the page, before the "travaux parlementaires" section).
2. The size threshold
The size of an entity is calculated on the basis of Annex I to Commission Recommendation 2003/361/EC of 6 May 2003 (the "Recommendation").
With some exceptions, an organisation must be at least a medium-sized enterprise as defined in the Recommendation in order for the NIS2 law to apply:
- A medium-sized enterprise has a headcount of at least 50 annual work units (AWU*) and/or an annual turnover (or annual balance sheet total) exceeding EUR 10 million.
- A large enterprise has a headcount of at least 250 AWU*, or an annual turnover exceeding EUR 50 million, or an annual balance sheet total exceeding EUR 43 million (i.e. it is larger than an SME).
* AWUs correspond to the number of persons who worked full-time in the enterprise or on its behalf during the whole reference year under consideration. The work of persons who have not worked the whole year, the work of persons who have worked part-time, regardless of the duration, and the work of seasonal workers are counted as fractions of AWU.
In particular, the Recommendation stipulates that, when an organisation is part of a group (partner or linked enterprises), its size is calculated by consolidating the data of the group's different components.
The functioning of this Recommendation is explained in detail in the European Commission's "User Guide to the SME Definition".
However, there are two important particularities in how the Recommendation is applied in the context of the law:
- The consolidation of data from the different components within a group may be waived in certain circumstances where the network and information systems of the organisation concerned are independent of those of related or partner enterprises.
- The number of employees and the financial data of a public body controlling an enterprise should not be taken into account when determining the size of the enterprise.
3. The categories of entities
The NIS2 law distinguishes between "essential" and "important" entities. In principle, this distinction is based on the size of the entity and the service provided:
- Subject to certain exceptions, an organisation constituting a large enterprise within the meaning of the Recommendation and providing at least one of the services listed in Annex I is an essential entity;
- Subject to certain exceptions, an organisation which is a medium-sized enterprise within the meaning of the Recommendation and which provides at least one of the services listed in Annex I is an important entity;
- An organisation which is a large or medium-sized enterprise within the meaning of the Recommendation and which provides at least one of the services listed in Annex II is an important entity.
The difference between essential and important entities lies mainly in the control and sanction mechanisms. Essential entities are monitored more regularly and more strictly than important entities.
However, there are some exceptions. In certain sectors, entities are classified as "essential" regardless of their size:
- Qualified trust service providers;
- Top level domain name registries;
- DNS service providers;
- Providers of public electronic communications networks or publicly available electronic communications services that are at least medium-sized enterprises;
- Public administrative bodies dependent on the State;
- Entities identified as critical at national level under the CER Directive.
Independently of these rules, national authorities will also be able to specifically identify entities as "essential" or "important", for example where they are the sole provider of a service or where the disruption of the service provided could have a significant impact on public security, public safety or public health.
For a better overview of the scope of the law, we invite you to consult our visual summary of the scope.
4. The link with Belgium
In principle, Belgian law applies to entities established in Belgium. However, there are exceptions to this rule of territorial jurisdiction:
- Providers of public electronic communications networks or publicly available electronic communications services are subject to the jurisdiction of the Member State where they provide their services;
- Providers of DNS services, registries of top level domain names, entities providing domain name registration services, providers of cloud computing services, providers of data centre services, providers of content delivery networks, providers of managed services, providers of managed security services and providers of online marketplaces, online search engines or social networking platforms are subject to the jurisdiction of the Member State in which they have their main establishment within the European Union;
- Public administrative bodies are subject to the jurisdiction of the Member State in which they are established.