Who is NIS2 for?

August 2, 2024 by
Lukáš Skála

You already know what NIS2 is from the previous post, so now let's look at which companies need to pay attention because NIS2 directly affects them.



Who will be affected by NIS2

The scope of these entities is listed in the Decree on regulated services, which stipulates that the so-called obliged persons are mainly:

  • providers of electronic communications services and related networks,
  • major networks,
  • critical information infrastructure,
  • operators of essential services,
  • digital service providers,
  • public authorities using cloud computing providers.


In general, these are information and communication systems operators and organisations in the banking, financial services, energy, healthcare, water, transport and chemical industries. For each of these sectors there is a process for determining whether an entity is an obliged person, as described on the website.

The classification of obliged persons varies by industry, and the new law generally applies to companies designated as "basic entities" and "important entities". Basic entities are organisations with 250 or more employees and a turnover of EUR 50 million or a balance sheet of EUR 43 million. Important entities are companies with more than 50 employees and an annual turnover or balance sheet of EUR 10 million. A smaller company or organisation may fall into the category of higher obligations if the nature of its activities so requires.

In addition, size is assessed on a group-wide basis, i.e. after including parent companies and subsidiaries. Moreover, security measures apply not only to the services provided directly, but also to the related information systems or databases, which means new obligations for subcontractors or for their selection.

In practice, this means reviewing and ensuring security throughout the supply chain - for every direct supplier and service provider. Does the company subject to the regulation use a cloud-based CRM from an external supplier? Then it must also review that supplier's security. Does it have its own custom applications and systems developed? Then they may be developed only by a vendor that also meets cybersecurity requirements.


It is clear from the above that NIS2 will affect not only statutorily defined businesses and organisations, but also some of their suppliers - we are preparing our next blog post on this very topic. If you are still unsure whether NIS2 will also affect you, please do not hesitate to contact us.


Your Safee team
