This FAQ aims to address the most frequently asked questions regarding the "NIS 2 Directive" (Directive (EU) 2022/2555).
It provides a general overview of the directive without being exhaustive. Each specific case requires a deeper analysis, as the reality of your obligations will depend on the specifics of your activities.
It is also important to note that NIS 2 is a European directive, meaning it sets objectives for Member States to achieve but allows each to determine how to transpose it into their national law.
This means that some obligations and specific modalities may vary between Member States. The transposing acts (laws, decrees, etc.) will therefore clarify, in each Member State, the detailed requirements and the applicable compliance deadlines.
Here is the list of questions we address:
- How to determine if my entity is concerned by the NIS 2 Directive?
- If my entity does not meet the size thresholds (employees, turnover, balance sheet), is it excluded from being qualified as an essential or important entity?
- What is the difference between an "Essential Entity" and an "Important Entity"?
- My company is a supplier/service provider to an essential or important entity, is it affected by the NIS 2 Directive?
- My entity is located outside the European Union, is it exempt from NIS 2 obligations?
- If one entity in my corporate group is affected, do all entities in the group need to comply with NIS 2?
- My entity is an essential or important entity, what are its obligations?
- My entity is already working on GDPR compliance, is that enough to comply with NIS 2?
- Does my entity need to comply with the directive by October 17, 2024?
- What are the sanctions for non-compliance with NIS 2?
1. How to determine if my entity is concerned by the NIS 2 Directive?
The NIS 2 Directive primarily applies to essential entities and important entities, which generally meet the following three criteria:
(i) Does your entity provide services or carry out activities within the European Union?
If so, your entity (business, etc.) is potentially subject to the directive.
(ii) Does your entity operate in a "sector of high criticality" or a "critical sector"?
The directive identifies 18 sectors in its Annexes I and II, including:
- Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space.
- Other critical sectors (Annex II): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers (online marketplaces, online search engines, social networking platforms), and research.
Within each of these sectors, only certain actors are concerned. These actors are designated in the directive based on:
- Definitions from existing European regulations (directives, regulations, etc.),
- The European classification of activities (NACE),
- Or new definitions created specifically for the NIS 2 Directive.
For example, in the sector of high criticality "digital infrastructure", the entities concerned include:
- Internet exchange point providers
- DNS service providers (excluding root domain name server operators)
- Top-level domain name registries
- Cloud computing service providers (SaaS, IaaS, PaaS, etc.)
- Data center service providers
- Content delivery network providers
- Trust service providers
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
Some of these entities are already defined by other European regulations, to which the directive refers directly. For instance, public electronic communications network providers are defined by Directive (EU) 2018/1972. Other entities, such as "cloud computing service providers," are defined directly in the NIS 2 Directive, with further clarification provided in the recitals.
Here is an excerpt from Recital 33 of the NIS 2 Directive, which clarifies the definition of cloud computing service: "Cloud computing services should cover digital services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. Computing resources include resources such as networks, servers or other infrastructure, operating systems, software, storage, applications and services. The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS)."
If your entity operates in one of these sectors and its activity is covered by Annex I or II, it is likely to be considered an important or essential entity.
(iii) Does your entity exceed certain size thresholds?
The directive applies primarily to medium-sized enterprises (fewer than 250 persons, and an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million) and to entities exceeding these thresholds.
Many "microenterprises" and "small enterprises" are exempt, except for exceptions provided in the directive.
If you answered "yes" to the three criteria above, it is highly likely that your entity is an essential or important entity under the NIS 2 Directive.
And if my entity does not meet these three criteria, is it excluded from being qualified as an essential or important entity?
No, not necessarily.
Beyond the three mentioned criteria, other entities may also be concerned, regardless of their compliance with these criteria.
This includes, in particular, certain entities specifically targeted by Annexes I and II of the directive regardless of their size, certain public administrations, entities identified as critical under Directive (EU) 2022/2557, and entities specifically identified by a Member State due to particular circumstances. Certain operators of essential services are also concerned.
To assist entities, ANSSI (the French National Cybersecurity Agency) offers "MonEspaceNIS2," an online space that allows you to conduct an initial assessment to determine if your entity could be subject to the NIS 2 Directive. However, as the French National Cybersecurity Agency points out, this tool is only indicative and does not replace the in-depth legal analysis required to consider the precise definitions in the directive, the applicable thresholds, and other specific criteria.
Most importantly, you should pay close attention to the transposition acts of the directive, which will clarify the definitions of the types of entities concerned, as well as communications from the responsible authorities in each Member State (such as the French National Cybersecurity Agency in France) on this subject.
If you have any doubts, our law firm can assist you with a detailed and tailored assessment of your situation.
2. If my entity does not meet the size thresholds (employees, turnover, balance sheet), is it excluded from being qualified as an essential or important entity?
Not necessarily.
Many "micro-enterprises" and "small enterprises" are exempt from being qualified as essential or important entities.
However, the NIS 2 Directive provides exceptions, and some entities may be subject to its obligations regardless of size.
For example, this may apply if they provide certain services (e.g., providers of public electronic communications networks or of publicly available electronic communications services), depending on the context of a Member State, or if a disruption of their services could have a cross-border impact.
The exact criteria are detailed in the directive and require specific analysis for each situation. It is advisable to assess now whether your entity is affected by these exceptions, and we can assist you in this process.
Additionally, given your entity's potential growth, it is important to anticipate reaching the thresholds more quickly than expected, from one year to the next.
It is therefore crucial to anticipate compliance to avoid the accumulation of a sort of "technical debt" in terms of security and information system governance. This "debt," if not properly managed, may make compliance more complex and costly in the long term.
By making the right choices today, you can avoid expensive adjustments in the future and ensure that your infrastructures and processes meet the requirements of NIS 2.
3. What is the difference between an "Essential Entity" and an "Important Entity"?
The directive distinguishes between "essential entities" and "important entities."
- Essential entities include:
  - Entities from Annex I of the directive that exceed the thresholds applicable to medium-sized enterprises;
  - Certain categories of entities explicitly named in the directive, regardless of their size;
  - Providers of public electronic communications networks or of publicly available electronic communications services that qualify as medium-sized enterprises;
  - Certain public administrations;
  - Entities designated by a Member State due to specific circumstances (e.g., the sole provider of a service that is essential to maintaining critical societal or economic activities);
  - Entities identified as critical under Directive (EU) 2022/2557 (directive on the resilience of critical entities);
  - Operators of essential services (OES) identified before January 16, 2023.
- Important entities include most of the remaining entities covered by the directive, as specified in Annex II.
The obligations imposed on essential entities will be stricter than those for important entities. Consequently, a detailed legal analysis is often necessary to determine which category your entity falls into and what obligations you will be subject to.
Our law firm can assist you in this process to assess whether your company qualifies as an essential or important entity.
4. My company is a supplier/service provider to an essential or important entity, is it affected by the NIS 2 Directive?
Yes, potentially.
Even if your entity is not directly classified as an essential or important entity, it may still be affected if it acts as a subcontractor, service provider, or supplier to a regulated entity under NIS 2.
The directive requires essential and important entities to implement appropriate technical and organizational measures to manage risks to the security of their networks and information systems. This includes securing their supply chain.
In practical terms, regulated entities will be required to ensure that their suppliers, subcontractors, or service providers adhere to certain security standards. As a supplier or service provider, this means that you could be contractually bound to comply with these requirements, even if you are not directly subject to the directive.
We can support you in securing your contracts and business relationships while enhancing the protection of your information systems.
5. My entity is located outside the European Union, is it exempt from NIS 2 obligations?
No, an entity’s location outside the EU does not exempt it from the NIS 2 Directive's obligations.
The directive applies to any entity, whether based in the EU or not, as long as it "provides services or conducts activities within the Union".
This means that a non-EU entity operating in sectors covered by the directive may be subject to its obligations if it provides services or conducts activities within the EU.
Such foreign entities must also designate a representative within the European Union.
Depending on the services provided (e.g., electronic communications, cloud computing services, managed services, managed security services, etc.), an entity may be subject to the jurisdiction of multiple Member States or a single Member State, which would be the one where its "main establishment" is located.
However, the concept of "main establishment" in NIS 2 is not identical to that under the GDPR and requires a nuanced analysis based on the criteria set out in the directive (e.g., the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken, or where cybersecurity operations are carried out, or the Member State where the entity concerned has the establishment with the highest number of employees in the Union).
We can assist you in analyzing the impact of NIS 2 on your activities within the EU, determining the location of your main establishment, and supporting you throughout the compliance process.
6. If one entity in my corporate group is affected, do all entities in the group need to comply with NIS 2?
No.
It is possible for one entity within your corporate group to be subject to the NIS 2 Directive, while others are not, depending on their specific activities or size.
The text primarily considers entities on an individual basis rather than as part of a group.
In France, ANSSI (the French National Cybersecurity Agency) is taking this even further by working on an approach that limits the application of cybersecurity measures to certain information systems whose compromise could lead to serious consequences, such as service disruptions or the leakage of sensitive information.
However, depending on your particular situation, it may sometimes be more effective to adopt a cohesive group-wide approach to managing your compliance, even if not all entities are directly affected (to simplify management, standardize cybersecurity best practices, etc.).
For groups with entities in multiple Member States, it is important to note that NIS 2 may be transposed differently in each country. Obligations and compliance deadlines may therefore vary from one Member State to another.
This could create disparities that should be taken into account when planning your compliance strategy.
Our law firm, in collaboration with European leaders in cybersecurity, assists you in evaluating each entity within your group and in implementing a cybersecurity strategy, whether tailored to a specific entity or applied globally across your group.
7. My entity is an essential or important entity, what are its obligations?
Rest assured, compliance with NIS 2 is not an insurmountable task.
To give you an overview, and without claiming to be exhaustive, several key areas must be addressed in your compliance roadmap.
The first area concerns, of course, information system security. The directive requires affected entities to implement certain measures to protect their infrastructure from incidents. These measures are technical (such as the use of multi-factor authentication solutions), operational (such as cybersecurity hygiene), and organizational (such as crisis management). Member States may also require the use of certified cybersecurity products and services, in line with European certification schemes, some of which are still being finalized.
A crucial point to remember is that NIS 2 does not require security measures to be limited only to information systems directly linked to the activities for which an entity is classified as essential or important. However, ANSSI (the French National Cybersecurity Agency) is proposing to restrict the application of these measures to the most critical information systems. This proposal has not yet been confirmed, as it depends on the forthcoming transposition act in France. It remains to be seen if other Member States will adopt a similar approach in their own transpositions of the directive.
A second area is supply chain security. Essential and important entities must ensure that their suppliers and service providers adhere to high security standards. Contracts with these partners should include specific cybersecurity clauses, taking into account the vulnerabilities of each provider and the overall quality of their practices.
A third area is cybersecurity training. In line with Article 20 of the directive, management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Therefore, Member States must ensure that members of the management bodies are required to undergo training. Member States must also encourage essential and important entities to regularly provide similar training to their staff, so that employees acquire the knowledge and skills necessary to identify risks and to evaluate cybersecurity risk-management practices and their impact on the services provided by the entity.
Another critical area involves integrating the incident notification obligations into your procedures. This includes an early warning without undue delay and no later than 24 hours after becoming aware of a significant incident, an incident notification within 72 hours to the CSIRT or competent authority, and the submission of a final report.
Some obligations will be further clarified in the transposition texts (laws, decrees, etc.).
In France, the French National Cybersecurity Agency is working on the development of specific frameworks that will clearly distinguish between the obligations of essential entities and important entities. It is hoped that these national frameworks will be harmonized across the European Union.
Our law firm, in partnership with European leaders in cybersecurity, can assist you at every stage of your compliance process: assessing your cybersecurity maturity and developing your compliance roadmap, drafting tailored policies and procedures, drafting and negotiating specific contractual clauses, training management teams, and more.
8. My entity is already working on GDPR compliance, is that enough to comply with NIS 2?
No.
While the GDPR and the NIS 2 Directive both fall under the broader European regulatory framework, they cover different aspects. If you have already implemented risk management and data protection measures to comply with the GDPR, they can help with NIS 2 compliance.
However, the directive imposes additional specific obligations.
Our law firm can assist you in coordinating your GDPR compliance efforts with the new NIS 2 requirements.
9. Does my entity need to comply with the directive by October 17, 2024?
No.
The NIS 2 Directive is expected to be transposed into national law by October 17, 2024.
This means that each Member State should have adopted its own laws to apply the directive by that date.
However, it is not uncommon for the transposition of European directives to be delayed, sometimes by several months or even years.
In any case, once transposed into national law, certain measures will be subject to compliance deadlines, giving you valuable time to prepare before sanctions are enforced.
It is therefore strongly recommended to anticipate now and assess your compliance needs.
Our law firm, in collaboration with European cybersecurity leaders, offers comprehensive audits to assess your cybersecurity maturity and guide you step by step in achieving compliance with NIS 2.
10. What are the sanctions for non-compliance with NIS 2?
Contrary to what can be read everywhere, NIS 2 does not set a cap on fines of 10 million euros or 2% of global annual turnover!
In fact, Article 34 of the directive specifies that these are minimum amounts, not maximums.
For Essential Entities, the directive states that in the event of non-compliance, Member States must establish administrative fines with a maximum amount of at least EUR 10,000,000 or at least 2% of the total worldwide annual turnover of the company to which the essential entity belongs, whichever is higher.
For Important Entities, the sanctions must be at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover of the previous financial year, whichever is higher.
This means that each Member State, when transposing the directive into its national law, can impose stricter penalties. For instance, Belgium has already provided in its transposition law for NIS 2 that these administrative fines will be doubled in the case of repeat offenses within three years for similar violations (Article 59 of this law).
Moreover, NIS 2 establishes a new supervision and enforcement framework for essential and important entities.
In other words, competent authorities – "ANSSI" in France – will be appointed in each Member State to ensure compliance with the obligations set out in the directive. This framework grants them oversight powers, such as conducting inspections or audits, as well as enforcement powers. These enforcement measures can range from a simple warning to more severe sanctions, such as the publication of non-compliance or the imposition of administrative fines.
It is also worth noting that competent authorities will have the innovative ability to subject essential entities to security scans.
Finally, and quite uniquely, it may be possible to temporarily prohibit any director of an essential entity from carrying out their managerial responsibilities until the essential entity has rectified the identified non-compliance.
About the Author
Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, as well as major international groups in managing complex legal challenges related to digital and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection law, and cybersecurity law.