Understanding the NIS 2 Directive: Are You in Scope?

Nicole Janko

Senior Director, Advisory Services, Coalfire

Mukund Cadambi

Director, Advisory Services, Coalfire

December 11, 2024

The evolving cybersecurity landscape within the European Union (EU) continues to challenge organizations as regulatory frameworks expand to safeguard critical infrastructure and digital services. The Network and Information Systems (NIS 2) Directive (Directive (EU) 2022/2555), a comprehensive overhaul of its predecessor, sets a high standard for cybersecurity practices and oversight. But does your organization fall within its jurisdiction? Let's unpack this directive to help you understand your obligations and ensure compliance.

What is the NIS 2 Directive?

The NIS 2 Directive (Directive on measures for a high common level of cybersecurity across the Union) aims to enhance the cybersecurity resilience of essential and important entities operating in the EU. It places obligations on both Member States and individual companies within selected sectors. The three main pillars of NIS 2 are:

  1. Member State responsibilities: Establish national strategies that provide a framework for cybersecurity and crisis management, with oversight by designated national authorities.
  2. Risk management: In-scope organizations shall make prudent efforts to minimize cybersecurity risks, with top management being accountable.
  3. Cooperation and information exchange: Establish a network for exchanging information on cybersecurity topics, including but not limited to vulnerabilities, approved vendors, and threat intelligence.

Effective compliance starts with understanding the directive's scope and applicability, which are driven by the sector of the service or product offering and by organizational size.

Does My Organization Fall Under the NIS 2 Directive?

The NIS 2 Directive applies broadly to public and private entities, categorized into essential entities (e.g., energy, transport, health) and important entities (e.g., manufacturing, digital infrastructure). Here's how to determine if your organization is included:

Essential Entities

Your organization is considered an essential entity if:

  1. You exceed the size threshold for medium-sized enterprises as defined by EU standards (i.e., your business employs more than 250 people, or has annual revenue exceeding €50 million and/or a balance sheet total exceeding €43 million), and you operate in one of the following critical sectors:
    • Energy: Electricity, oil, gas, district heating.
    • Transport: Air, rail, water, and road transport services.
    • Banking and financial market infrastructures.
    • Healthcare: Hospitals, clinics, laboratories, and pharmaceutical companies.
    • Drinking water and wastewater.
    • Space and satellite services.
    • Digital Infrastructure: Internet exchange points, domain name systems (DNS), datacenter providers, content delivery network providers and cloud computing services.
  2. Regardless of size, you are one of the following:
    • A qualified trust service provider.
    • A DNS service provider or top-level domain (TLD) registry.
    • A provider of public electronic communications networks or publicly available electronic communications services.
  3. Your organization has been identified by your Member State as critical to societal or economic activities.
  4. You were previously identified as an operator of essential services under earlier regulation, such as the original NIS Directive (Directive (EU) 2016/1148).

Important Entities

If your organization does not qualify as an essential entity but operates in one of the critical sectors listed above, or in one of the following sectors, it is considered an important entity:

  • Food production and distribution.
  • Postal and courier services.
  • Waste management.
  • Chemical manufacturing, production, and distribution.
  • Manufacturing and distribution of medical devices; computer, electronic, and optical products; electrical equipment; machinery; motor vehicles, trailers, and semi-trailers; and other transport equipment.
  • Digital providers such as online marketplaces, search engines, and social networking platforms.
  • Research organizations.

Special Cases

  • Public administration entities (national or regional level) may also fall under the directive if they provide services that, if disrupted, could significantly impact societal or economic functions.
  • Small entities (fewer than 49 employees and annual revenue below €10 million) may still be covered if they are the sole providers of essential services or pose significant risks to public safety or national security.

Cross-Border and Non-EU Entities

Jurisdictional Clarity

The directive considers an entity’s main establishment in the EU as the key factor for determining jurisdiction. If your decision-making or cybersecurity operations are centralized in a Member State, that location governs your compliance.

Non-EU Organizations

Organizations outside the EU providing services within the Union must:

  • Designate an EU-based representative in a Member State where services are offered.
  • Understand that failure to designate a representative could lead to enforcement actions across any Member State served.

How Does This Impact You?

The NIS 2 Directive introduces stringent cybersecurity risk-management obligations, requiring in-scope entities to:

  • Implement risk-based measures for prevention, detection, and response.
  • Report significant incidents within strict timelines.
  • Cooperate with competent authorities and supervisory bodies.

Failure to comply can result in significant penalties and reputational damage across jurisdictions within the EU. Essential entities can incur fines of a minimum of €10 million or up to 2% of total worldwide annual turnover, while important entities can incur fines of a minimum of €7 million or up to 1.4% of total worldwide annual turnover, in addition to any jurisdiction-specific fines or penalties.

How Can Coalfire Help?

Navigating the complexities of the NIS 2 Directive can be overwhelming. As a global leader in cybersecurity advisory services, Coalfire offers tailored solutions to help organizations comply with NIS 2 requirements. Coalfire can:

  • Assess Your Applicability: Determine whether your organization qualifies as essential or important under the directive’s scope.
  • Develop Compliance Strategies: Tailored roadmaps to implement required cybersecurity controls and meet reporting requirements.
  • Review Cybersecurity Policies: Update processes to meet the directive’s requirements, focusing on risk management, incident response, and reporting.
  • Offer Ongoing Support: Continuous monitoring and risk management to ensure sustained compliance.

Next Steps

Understanding whether your organization falls under the NIS 2 Directive is the first step toward compliance. Reach out to Coalfire today to ensure your cybersecurity posture aligns with EU regulations and secures your operations against emerging threats. Position your organization for success under the NIS 2 Directive—partner with Coalfire, your trusted cybersecurity advisor.