NIS 2 Directive - Who The addressees and the scope To whom does the NIS 2 Directive apply? Hereinafter, the addressees and the scope of the directive are described.The directives of the European Parliament and of the Council of the European Union address the member states of the European Union, which are obligated to incorporate them into their national legislation. In addition to concrete obligations for individual member states, the NIS 2 Directive also defines rules and obligations for entities specified within its scope. These obligations become legally effective through their national implementation. Furthermore, suppliers of entities specified within the scope may be indirectly affected if, based on the national implementation of the directive, their customers have to take joint measures regarding supply chain security together with them.The scope of the NIS 2 Directive defines which entities it applies to based on its national implementation. In addition to the place where the entity provides its services or carries out its activities, the type and (with exceptions) the size of the entity are taken into account for this purpose. Hereinafter, the latter two parameters are further elaborated.The NIS 2 Directive specifies a total of 67 specific types of entities as critical. 53 types of entities in 18 subsectors are assigned to the 11 sectors of high criticality, while 14 types of entities in 12 subsectors are categorized under the 7 other critical sectors.As sectors of high criticality, the NIS 2 Directive specifies energy (subdivided into the subsectors electricity, district heating and cooling, oil, gas, and hydrogen), transport (subdivided into the subsectors air, rail, water, and road), banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space.As other critical sectors, the NIS 2 Directive specifies postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, and research. The manufacturing sector is subdivided into the subsectors manufacture of medical devices and in vitro diagnostic medical devices, manufacture of computer, electronic and optical products, manufacture of electrical equipment, manufacture of machinery and equipment n.e.c., manufacture of motor vehicles, trailers and semi-trailers, and manufacture of other transport equipment.The NIS 2 Directive determines the size of entities by applying the Annex of the Commission Recommendation of May 6, 2003, concerning the definition of micro, small and medium-sized enterprises (2003/361/EC), depending on staff headcount measured in so-called annual work units, the annual turnover, as well as the annual balance sheet total. Accordingly, an entity is considered large if it employs at least 250 persons or if it generates an annual turnover of more than EUR 50 million and its annual balance sheet total exceeds EUR 43 million. An entity is considered medium-sized if it employs at least 50 persons or if it generates an annual turnover of more than EUR 10 million and its annual balance sheet total exceeds EUR 10 million, provided it is not already considered large. Details on the correct determination of individual parameters, particularly the consideration of group structures, part-time employees, and intra-year situations, are also regulated in accordance with the aforementioned recommendation.Based on the national implementation of the NIS 2 Directive, it applies to public or private entities which provide their services or carry out their activities within the European Union, if the type of the entity is explicitly mentioned in a sector of high criticality or another critical sector and the entity qualifies as medium or large in terms of size. Entities which fulfill specific criteria that indicate a key role for the society or economy in general, respectively for certain sectors or types of service in particular, fall within the scope of the directive regardless of their size. Further information Why? Why is it necessary to adopt a directive concerning cybersecurity?Learn more > What? What are the requirements of the NIS 2 Directive?Learn more > Back Back to the overview >
