Which companies will be included in the NIS2 Directive and why does it matter?
In essence, the NIS2 Directive applies to private or public entities that are classified as either essential or important. To determine whether an entity falls within one of these categories, several conditions are generally considered.
First, an organisation needs to examine the sector in which it operates. This is crucial because NIS2 clearly outlines the sectors that are in the scope of either the essential or important category.
The second condition concerns the size of an organisation. In this respect, NIS2 introduces a size-cap rule, meaning that, in general, only medium-sized and large organisations fall within the scope of NIS2. An organisation's size is determined by its employee headcount and annual turnover. In the NIS2 context, this primarily covers large companies with more than 250 employees and medium-sized companies with 50–250 employees. Companies with fewer than 50 employees or an annual turnover of less than EUR 10 million are not included unless they are deemed of critical importance to society.
While both essential and important entities must adhere to the same cybersecurity risk management measures, the supervisory and penalty regimes differ. The NIS2 Directive prepares the ground for inspections, and in light of these inspections the distinction between essential and important entities should be noted in particular:
- For essential entities, inspections will be conducted ex ante, meaning they can take place proactively, before any incident has occurred.
- For important entities, inspections will be conducted ex post, meaning they will mostly be initiated after a significant incident has occurred.
This difference in when inspections take place for essential and important entities has a direct impact on how many resources your organisation needs to allocate and on the types of capabilities your organisation will need to have at its disposal.