The NIS2 Directive : For whom? Why?
This article is part of a series of articles published on the transposition of the NIS2 Directive in Belgium. The other articles can be accessed here.
FROM WHOM ?
The NIS2 Directive is aimed at organisations of a certain size that provide services in critical sectors listed in Annexes I and II of the Directive. The size ("size cap") and the service provided are the two main criteria for determining whether the NIS2 Directive applies to an organisation.
The size cap
The size of an entity is calculated on the basis of Annex I of Commission Recommendation 2003/361/EC of 6 May 2003 (the "Recommendation").
With some exceptions, an organisation must be considered to be at least a medium-sized enterprise within the meaning of the Recommendation in order for the NIS2 Directive to apply. A medium-sized enterprise has a workforce equivalent to at least 50 full-time workers and/or an annual turnover (or annual balance sheet total) exceeding 10 million euros.
The Recommendation stipulates in particular that the calculation of the size of an organisation which is part of a group (partner or affiliated enterprises) implies a consolidation of the data of the different components of this group.
How this Recommendation works is explained in detail in the European Commission's "User Guide to the SME Definition".
However, there are two important specificities regarding the application of the Recommendation in the context of the directive:
- The consolidation of data from the various components within a group may be waived, in certain circumstances, where the network and information systems of the organisation concerned are independent of those of linked or partner enterprises.
- The number of workers and the financial figures of a public body that controls a concerned organisation should not be taken into account when determining the size of the latter.
The provided service
The organisation must provide a service listed in Annexes I or II to the Directive (even if this service is only an ancillary part of its activities):
Sectors of high criticality (Annex I) |
Other critical sectors (Annex II) |
|
|
Two categories
The NIS2 Directive draws a distinction between "essential" and "important" entities. This distinction is in principle made on the basis of the size of the entity and the service provided:
- With certain exceptions, an organisation constituting a large enterprise within the meaning of the Recommendation and providing at least one service listed in Annex I is an essential entity;
- With certain exceptions, an organisation constituting a medium-sized enterprise within the meaning of the Recommendation and providing at least one service listed in Annex I is an important entity;
- An organisation constituting a large enterprise or a medium-sized enterprise within the meaning of the Recommendation and providing at least one service listed in Annex II is an important entity.
The difference between essential and important entities lies mainly in the control and sanction mechanisms. Essential entities will be monitored more regularly and more strictly than important entities.
For a better overview of the scope of the directive, we invite you to consult our visual.
WHY?
Network and information systems have become a central part of our daily lives as a result of the digital transformation and interconnection of society. Many critical societal and economic activities now depend on their smooth operation.
This development has led to an ever-expanding landscape of cyberthreats and cyberincidents. These represent real threats to public security for the general public, businesses and public authorities. Nowadays, a cyberincident is likely to cause serious operational disruption in critical sectors, affecting individuals or companies and causing considerable material, physical or moral damage.
All citizens, businesses and public authorities must therefore be aware of the importance of preventively protecting themselves against cyberthreats and cyberincidents.