NIS 2: Supervision of Essential & Important Entities 

June 17th, 2024 Posted in Information Security, NIS 2 Directive

The new NIS 2 directive is to be transposed into domestic laws in EU member countries by 17th October 2024 and entities in scope should be identified in each country by 17th April 2025.

NIS 2 sets out minimum security obligations to be met by a much wider scope of entities. Whereas the first NIS directive covered 7 sectors, this is expanded to 17 under NIS 2.

Each entity in scope will be categorised as an Essential entity or an Important one, with different supervisory approaches applicable to each category.

In this blog we are going to explain the difference between Essential and Important entities and cover the different supervisory approaches applicable to each and the supervision powers that will be made available to regulators (called ‘competent authorities’).

This is the fourth in a series of six blogs on NIS 2. Together they provide an in-depth overview of NIS 2 together with our comments and recommendations for being ready. You can read the other blogs in this series by following the links below:

Visit our NIS 2 consultancy service page to find out how we can help.

Essential & important entities

The criteria for determining whether an entity is an Essential or an Important one is based on the sector in which it operates, its size and other factors including the discretion of each member state, as shown in the following image:

[Image: NIS 2 G2]
You will note that qualified trust service providers, top-level domain name registries and DNS providers are always classed as Essential entities (irrespective of their size, including small and micro entities), as are Medium and Large public communication and network providers. This is because of the increased importance of these entities to the digital economy across the EU.

Entities classed as Operators of Essential Services (OES) under NIS 1, and public administration bodies, will also be classed as Essential entities. Member states will, in addition, have the discretion to decide whether specific entity types are Essential or Important.

For most organisations in scope, however, the key considerations will be their sector of operation and their size. As you’ll recall from our blog on the scope of NIS 2, your sector of operation determines whether you fall within Annex 1 or 2 of the directive, as shown in the following image:

[Image: NIS 2 Entities In Scope]
Entity size is determined by reference to the European Commission’s 2003 recommendation on micro, small and medium-sized enterprises (Recommendation 2003/361/EC).

Medium-sized organisations are those with more than €10m in annual revenue and over 50 employees. Large organisations are those with an annual turnover of more than €50m and over 250 employees. Bear in mind that these numbers will need to take account of your group structure, based on the criteria provided at Article 6 of Recommendation 2003/361/EC.

Our advice is to start planning for compliance based on the criteria provided above. Thereafter, monitor the transposition of NIS 2 into local laws in the countries in which you are established. This is necessary to identify whether your status as an Essential or an Important entity is affected by domestic laws in the relevant member states.   

Proactive & reactive supervision

By this point, you should understand whether your organisation is an Essential entity or an Important one. This determines the supervisory regime your organisation will fall under and the extent of the powers available to the competent authorities.

NIS 1 provided limited detail on supervisory and enforcement powers. It simply required that competent authorities be given the necessary powers and means to assess compliance and to require covered entities to provide necessary information, including security policies and evidence of their effective implementation.

In keeping with the rest of the new directive, NIS 2 goes much further. It sets out very specific powers to be provided to supervise covered entities, including two supervisory regimes: a proactive one and a reactive one applicable to Essential and Important entities respectively.  

Essential entities 

Competent authorities in member states will proactively engage with Essential entities and supervise them by setting expectations and monitoring progress towards and maintenance of the required cyber security requirements in NIS 2.  

The powers available to competent authorities when supervising Essential entities are more specific and extensive than those set out in NIS 1 and will include the power to: 

  • Conduct off-site supervision and on-site inspections, including random checks.
  • Conduct regular and targeted security audits, ad hoc audits and security scans.
  • Request information required to assess risk management measures.
  • Request access to all relevant data, documents and information.
  • Request evidence of security policy implementation.

We’ve experienced this type of proactive supervisory approach when working with energy sector clients within scope of NIS 1 in the UK. The competent authority, Ofgem, has worked with energy providers to establish compliance baselines and target dates, provide guidance, and monitor progress through regular meetings, check-ins and self-assessments. They have also conducted formal inspections/audits against the NCSC CAF, with resulting findings and recommendations, and asked CEOs to attest to their level of compliance.

We anticipate a similarly engaged approach from EU-based competent authorities exercising their supervisory powers in member states. In the UK, OES must designate a ‘NIS responsible officer’ to act as the focal point of this engagement. A similar approach might be taken by other countries under NIS 2.

Important entities 

In the case of Important entities, competent authorities will take a reactive approach (known as ex post supervision), whereby they will engage in supervisory activity only when they are provided with evidence, indication or information that the entity does not comply with NIS 2 (and Articles 21 or 23 specifically).

This conclusion could be reached, for example, following notification of an incident or in response to a security breach. Once engaged, the competent authority has nearly identical powers to those listed above, meaning it can conduct inspections, audits and scans and request access to information and evidence.

Interestingly, the recitals to NIS 1 referred to ex post, reactive supervision (which applied to digital service providers in the original directive) as being ‘light touch’. This expression is not used in NIS 2 for Important entities. We are intrigued to see how different member states set expectations around compliance for Important entities. As written, we get the impression that organisations will be expected to effectively ‘self-certify’ their level of compliance based on the laws and guidance in the countries in which they are established. 

The powers available to competent authorities when supervising Important entities are nearly identical to those listed above for Essential entities, with minor changes around regular and ad hoc audits.

The reactive supervision approach, we anticipate, will result in a lower level of compliance for Important entities than for Essential ones. In some cases, Important entities will simply overestimate their level of compliance (we’ve seen this even with OES under NIS 1 in the UK) whereas others will apply a ‘just good enough’ strategy. Others, we suspect, will simply be oblivious to the requirements and/or not engage with the directive at least until meaningful enforcement action is taken against similar entities. 

Steps to take now

Our advice to all organisations potentially covered by NIS 2 is to start with a scoping engagement. This will likely involve working with your legal or compliance teams to determine the sectors in which you operate and countries in which you are established.  

From there we would recommend that you assess whether your organisation is likely to be an Essential or Important entity. From there we would advise that you conduct a gap analysis and prepare a resourced and funded improvement plan with the aim of being able to demonstrate compliance with the NIS 2 security requirements.  

Need help with NIS 2?

If you need help with NIS 2, please get in touch. We can support with all aspects of your compliance readiness programme. Our experienced consultants can lead a gap analysis, develop your improvement plan, prepare policies, lead risk assessments, help establish governance processes, improve your incident response plans, business continuity plans and manage supplier security risk assessments. 

We can also support compliance assurance through compliance auditing, internal auditing, business continuity exercising, cyber incident response exercising, penetration testing and controls assessments. 


Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.