NIS 2: Is Your Organisation in Scope?

June 11th, 2024 Posted in Information Security

As we covered in our previous blog on NIS 2, the deadline to comply with the new directive is rapidly approaching for organisations in scope. Whilst NIS 2 doesn’t apply in the UK, it does apply to any UK organisations established in the EU, and it has some extraterritorial provisions for specific types of digital and communications entities. UK entities deemed to provide critical services may also be pulled into scope by member state law.

In this blog we are going to cover the scope of NIS 2 through two lenses. The first is what we call the ‘material scope’: this addresses the entities in scope by reference to the sectors covered by the directive, their size and other considerations. The second is what we call the ‘territorial scope’: this covers scope by reference to the locations of entities, including those outside the EU.

Working out whether you fall within scope of NIS 2 can be complex, but the detail in this blog will support you in understanding the topic, and guide you in the next steps to take. Whilst there are some general rules which will likely apply to most entities, there are also some exceptions and situations where an organisation outside the general rules could still be pulled into scope.  

NIS 2 material scope 

NIS 2 applies to organisations in the EU that operate in the following sectors and qualify based on their size or other criteria (which we’ll call the ‘qualifying criteria’ in this blog). 

NIS 2 sectors 

The sectors in scope for NIS 2 are set out in Annex 1 and 2 to the directive. Annex 1 sets out the sectors of high criticality. These are: 

  • Energy* 
  • Transport* 
  • Health* 
  • Drinking Water* 
  • Financial Market Infrastructure* 
  • Banking* 
  • Digital Infrastructure* 
  • Public Administration Entities (defined by member states) 
  • Waste Water 
  • ICT Service Management 
  • Space 

Of these, the first seven (marked with an asterisk) were in scope of NIS 1. The other four are new. 

Annex 2 sets out the other critical sectors in scope. These are: 

  • Post & Courier 
  • Food Production, Processing & Distribution 
  • Waste Management 
  • Digital Providers 
  • Manufacturing 
  • Chemical Manufacture, Production & Distribution 
  • Research 

NIS 2 Entities In Scope

Qualifying criteria 

Entities operating within the EU in the sectors listed above will be in scope if they are ‘Medium’ or ‘Large’ entities or meet other qualifying criteria. Entity sizes are defined by reference to a 2003 Commission recommendation on micro, small and medium-sized enterprises (Recommendation 2003/361/EC). Based on this, we know that ‘Medium’ entities are those with more than €10m in annual revenue and 50+ employees, and ‘Large’ entities are those with more than €50m in annual revenue and 250+ employees.

Electronic communications entities 

An entity will also be in scope, irrespective of its size, if it is a provider of public electronic communications networks or of publicly available electronic communications services. We’ll call these ‘Comms Entities’ in this blog (not a term used in NIS 2). An entity will also be in scope if it is a trust service provider, a top-level domain name registry or a domain name system service provider. We’ll call these entities ‘Internet Entities’ in this blog (again, not a term used in NIS 2).

Other services deemed critical by member states 

If you don’t fall within the above criteria, you can still fall within scope in specific situations where your services are deemed critical by a member state. For example, this may apply where an entity is deemed critical to the functioning of societal or economic activities, or to public health, security or safety; where an absence of the service could cause significant systemic risk; or where the service has specific importance within that member state.

We can expect member state laws to address these situations as well as the circumstances where public administration entities are in scope. 

Organisations designated as Operators of Essential Services (OES) under NIS 1 will also be in scope as will organisations within scope of the Critical Entities Resilience Directive (Directive (EU) 2022/2557). 

As with DORA, there is overlap between the CER Directive and NIS 2 (with both coming into force on the same date). Whilst NIS 2 is focused on resilience to cyber risks, the CER Directive is focused on resilience to other threats and hazards.  

NIS 2 territorial scope 

Entities established in the EU 

Entities within the material scope of NIS 2 and established in an EU member state will be within the territorial scope of NIS 2. As with other EU laws, including the GDPR, the meaning of ‘established’ is not clearly defined in the directive and its meaning needs to be taken from case law and supporting guidance for other EU laws. 

In 2015, the CJEU considered the meaning of ‘established’ in the Weltimmo case (C-230/14 of 1 October 2015). In doing so it stated that the concept of establishment “extends to any real and effective activity — even a minimal one — exercised through stable arrangements”.

This means, in short, that the threshold for being established in the EU can be very low and will depend on the context relating to the entity. The presence of a single representative in a member state could, according to the CJEU, constitute a stable arrangement depending on the circumstances. 

In practical terms, we suggest you will likely be in scope of NIS 2 if you have a trading legal entity, facilities, operations or staff in a country in which you provide your services as an Essential or Important Entity. 

Does NIS 2 apply to entities outside the EU?

For organisations not established in the EU, the position is a little more complex. Extraterritorial obligations apply in some circumstances. We’ve seen it stated that NIS 2 will apply to any entity within the material scope which provides its services within the EU, even if it is not established in the EU. The actual position is much more nuanced.

There are situations in which NIS 2 will apply to entities which provide services in the EU but which are not established in the Union. Again, however, this depends on the context of the services provided by the organisation.

NIS 2 will certainly apply to providers of specific electronic communications and digital services which are not established in the EU. These include DNS providers, domain registrars, CDN providers, cloud service providers, MSPs, MSSPs and other specific online / digital service providers. If not established within the Union, these entities will need a representative within the EU which may be addressed by regulators in lieu of the entity itself (not dissimilar to Article 27 representatives within GDPR). 

It may also apply to entities outside the EU depending on the nature of the services provided and the context in which they are provided. This could apply, for example, where the organisation is a sole provider of services which are essential for critical social or economic activities, or where service disruption could have consequences for public safety, security or health.  

Even then, there are other factors to consider. These include whether the entity might be deemed a ‘critical entity’ within the meaning of the Critical Entities Resilience Directive (Directive (EU) 2022/2557), which entered into EU law at the same time as NIS 2. We would expect greater clarity on this as member state law and supporting guidance become available.

Steps to take now to become NIS 2 ready

If your organisation is established in the EU (or at least might be, based on having stable arrangements in a member state) and falls within one of the critical sectors, we recommend that you conduct a scope assessment. Use the sectors set out in Annexes 1 and 2, the entity size criteria, and whether you are what we’ve called a Comms Entity or an Internet Entity in this blog.

If it is not clear cut but you take the view you are out of scope, we’d suggest making this decision based on a detailed and documented analysis, to include legal advice. The output of this work should be reviewed and agreed by your senior management to demonstrate accountability. By doing this, you can demonstrate to a regulator that you made a considered and reasoned decision if it later becomes apparent that you are in scope.  

If you are in scope, you should start planning for compliance. Depending on your current level of cybersecurity maturity, you should not underestimate the work required to meet the NIS 2 requirements. Bear in mind that the critical services covered by NIS 2 may be supported by Operational Technologies (OT) as well as IT. OT security practices are usually far more immature than in the IT space meaning there will likely be some catching up to do.  

Need support with NIS 2 compliance?

If you need support with becoming NIS 2 compliant, we can help. We can support you to identify your NIS 2 scope and legal obligations, as well as interpret member state laws and guidance as they become available, conduct a gap analysis of your current security posture, develop improvement plans and lead improvement workstreams. 

Our expert cyber security consultants are experienced in leading risk assessments, developing policies, conducting assurance activities and implementing security management systems covering IT and OT systems.

Contact us today to chat to our friendly, expert team.  


Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.