What is the Threshold for NIS2?

The Network and Information Security Directive, commonly known as the NIS Directive, was first introduced by the European Union in 2016. It was a significant step toward bolstering the cybersecurity of essential services and digital service providers within the EU. In the face of rapidly evolving cyber threats, the European Commission recognized the need to further strengthen this framework, which led to the proposal and subsequent adoption of the NIS2 Directive. NIS2, introduced in 2022, aims to address gaps and shortcomings in the original directive, broadening its scope and setting more stringent requirements for organizations across the EU.

One of the most important questions businesses and organizations must answer is: What is the threshold for NIS2 compliance? The threshold represents the conditions under which an organization becomes subject to the obligations outlined in the directive. Understanding this threshold is crucial for companies operating in Europe, particularly those providing essential services or engaged in critical infrastructure sectors.

The Evolution of NIS: From NIS1 to NIS2

Before diving into the threshold for NIS2, it’s worth understanding why the directive evolved in the first place. The NIS Directive (NIS1) sought to build resilience against cybersecurity incidents across EU member states, focusing on two categories of stakeholders:

  • Operators of Essential Services (OES): Entities providing services crucial for society and the economy, such as energy, transportation, and healthcare.
  • Digital Service Providers (DSP): Entities providing digital services, such as online marketplaces, cloud computing services, and search engines.

However, as technology evolved and cyber threats became more complex, the scope and obligations of the original NIS Directive were deemed insufficient. The NIS1 had limitations regarding its scope of application, consistency across member states, and enforcement mechanisms. It also did not account for the rapid digitalization of industries and the increasing interconnectedness of digital systems, leaving certain sectors and smaller businesses vulnerable.

The NIS2 Directive was introduced to rectify these issues. The updated framework expands the range of sectors and organizations under its purview, establishes stricter obligations, and improves the overall cybersecurity posture of the EU by increasing harmonization across member states.


What is the Threshold for NIS2?

The threshold for NIS2 compliance is based on several criteria, primarily the type of service provided, the size of the organization, and the potential impact of a disruption. Unlike NIS1, whose scope contained some ambiguities, NIS2 provides clearer guidelines, making it easier to determine which organizations are covered. The official documentation of the directive can also be consulted for the exact wording.

1. Sector-Based Criteria

The NIS2 Directive divides organizations into two main categories:

  • Essential Entities (EE)
  • Important Entities (IE)

Both categories are subject to the directive’s requirements, but the level of oversight and obligations differ slightly. The division is primarily based on the criticality of the services provided, with Essential Entities being more critical to the functioning of society and the economy.

Essential Entities (EE)

Essential Entities are organizations that operate in sectors considered critical to the functioning of society. These include, but are not limited to:

  • Energy: Electricity, oil, gas, district heating, and other energy-related sectors.
  • Transport: Aviation, railways, road, and water transport.
  • Banking and Financial Market Infrastructure: Banks, financial institutions, stock exchanges, and payment providers.
  • Health: Hospitals, health clinics, and other healthcare providers.
  • Drinking Water: Operators of public water supplies.
  • Digital Infrastructure: Providers of DNS services, data centers, and content delivery networks.
  • Public Administration: Public sector entities handling critical state functions.

These entities are expected to comply with the highest level of cybersecurity standards due to the potential catastrophic consequences of service disruptions.

Important Entities (IE)

Important Entities, while still critical, operate in sectors where a disruption may not have as immediate or widespread an impact as those covered by the Essential Entities category. Sectors under this category include:

  • Postal and Courier Services: Companies responsible for logistics and deliveries.
  • Food: Organizations involved in food production and supply chains.
  • Waste Management: Providers of waste management and recycling services.
  • Manufacturing: Particularly in sectors like pharmaceuticals, chemicals, and medical devices.
  • Digital Providers: Companies offering various digital services, including software development and social networking services.

Though subject to slightly fewer obligations than Essential Entities, Important Entities still face stringent cybersecurity requirements under NIS2.

2. Size of the Organization

One of the most significant changes under NIS2 is the introduction of size-based thresholds. Under NIS1, some small and medium-sized enterprises (SMEs) were exempt from the directive’s requirements, which left certain critical services vulnerable to cyberattacks.

NIS2 eliminates these size-based exemptions by broadening its scope to include more organizations. Specifically, organizations with 50 or more employees or an annual turnover exceeding €10 million are subject to NIS2 requirements, regardless of the sector in which they operate. This is a crucial shift, as even SMEs can have a significant role in the functioning of critical sectors.

However, micro and small enterprises (i.e., those with fewer than 50 employees or a turnover of less than €10 million) are generally exempt, except under certain conditions where their services are deemed critical for the economy or society, such as being key suppliers to Essential Entities.

3. Impact-Based Criteria

NIS2 also introduces an impact-based assessment to determine whether an organization should fall within the scope of the directive. This means that even if an organization does not meet the size-based or sector-based thresholds, it may still be subject to NIS2 if the disruption of its services would have significant consequences for public safety, economic activity, or national security.

This impact-based criterion ensures that critical services provided by smaller organizations or niche players are not overlooked. For instance, a small company providing specialized digital infrastructure or cybersecurity services to a critical energy provider may be covered under NIS2 due to the potential impact of a cyberattack on its operations.

Obligations for Organizations Under NIS2

Once an organization meets the threshold for NIS2 compliance, it must adhere to a set of obligations designed to improve its cybersecurity posture and mitigate risks. These obligations include:

1. Risk Management

Organizations are required to implement appropriate risk management measures. These measures should be proportional to the size of the organization, the nature of the services it provides, and the potential impact of a disruption. The risk management framework should cover various aspects of cybersecurity, including:

  • Technical and organizational measures to mitigate the impact of incidents.
  • Incident detection and response mechanisms.
  • Security policies and governance frameworks that are regularly reviewed and updated.
  • Staff training and awareness programs.

Organizations are encouraged to adopt industry standards and best practices when developing their risk management frameworks.

2. Incident Reporting

NIS2 imposes stricter incident reporting requirements than its predecessor. Organizations must report significant cybersecurity incidents to the relevant national authorities within 24 hours of detection, and they are required to provide a detailed report within 72 hours. The directive also emphasizes the need for cross-border cooperation between member states to ensure timely and efficient responses to cyber incidents affecting multiple countries.

3. Supply Chain Security

One of the key lessons from recent cyberattacks, such as the SolarWinds breach, is the importance of securing the supply chain. NIS2 introduces new requirements for supply chain security, mandating that organizations assess the security posture of their suppliers and partners. This includes ensuring that third-party vendors and service providers comply with cybersecurity standards and do not introduce vulnerabilities into critical systems.

4. Accountability and Governance

Organizations covered by NIS2 must establish clear governance structures for cybersecurity. This includes the appointment of a designated individual or team responsible for cybersecurity, the creation of incident response plans, and the establishment of accountability mechanisms to ensure compliance with the directive’s requirements.

5. Penalties for Non-Compliance

NIS2 introduces more stringent penalties for organizations that fail to comply with the directive’s requirements. These penalties can include fines of up to 2% of the organization’s global annual turnover or €10 million, whichever is higher. This is a significant increase from the fines imposed under NIS1 and reflects the EU’s commitment to enforcing stronger cybersecurity measures across all sectors.

Key Differences Between NIS1 and NIS2 Thresholds

To further clarify the NIS2 threshold, it is important to understand the differences between the thresholds set under NIS1 and the new, more inclusive thresholds under NIS2.

NIS1 Thresholds

Under NIS1, the focus was primarily on the largest organizations within certain critical sectors, such as energy, healthcare, and finance. SMEs were largely exempt from the directive’s requirements, even if they provided critical services. Additionally, the implementation of NIS1 varied across member states, with some countries applying different thresholds and criteria for determining which organizations were covered.

NIS2 Thresholds

The NIS2 threshold addresses the shortcomings of NIS1 by introducing size-based thresholds, ensuring that more organizations are covered. The directive also introduces impact-based criteria, ensuring that even smaller organizations with critical roles are included. This harmonization of thresholds across all member states ensures a consistent level of cybersecurity across the EU, reducing the risk of cyberattacks exploiting weaker links in the network.

Sectoral Impact of NIS2 Thresholds

The broadening of the NIS2 threshold has significant implications for various sectors, particularly those that were previously exempt or loosely regulated under NIS1. Let’s explore the impact on a few key sectors:

1. Financial Sector

Under NIS2, the financial sector is divided into two main categories: banking and financial market infrastructure. Banks and financial institutions are considered Essential Entities, subject to the strictest obligations under the directive. The inclusion of financial market infrastructure providers, such as stock exchanges and payment providers, reflects the growing interconnectedness of the global economy and the reliance on digital systems to manage financial transactions.

The financial sector is already heavily regulated, with existing cybersecurity standards such as the Payment Services Directive 2 (PSD2) and General Data Protection Regulation (GDPR). However, NIS2 adds an additional layer of oversight, particularly regarding supply chain security and incident reporting.

2. Healthcare Sector

The healthcare sector, particularly hospitals and health clinics, is considered one of the most critical sectors under NIS2. The COVID-19 pandemic demonstrated the vulnerabilities of healthcare systems to cyberattacks, with hospitals across Europe facing ransomware attacks and other threats.

Under NIS2, healthcare providers must implement robust cybersecurity measures to protect sensitive patient data and ensure the availability of critical services. The directive also encourages cross-border cooperation between healthcare providers, ensuring that disruptions in one member state do not have a cascading effect on others.

3. Digital Infrastructure

The digital infrastructure sector, including providers of DNS services, data centers, and content delivery networks, is a key focus of NIS2. The directive recognizes that these entities are critical for the functioning of the internet and the digital economy. As such, they are subject to some of the most stringent cybersecurity requirements, including incident reporting and supply chain security.

The inclusion of digital infrastructure providers under the Essential Entities category reflects the growing importance of the internet in everyday life and the potential catastrophic consequences of a disruption to these services.

Conclusion

NIS2 represents a significant step forward in enhancing the cybersecurity posture of organizations across the EU. By broadening the threshold for compliance, the directive ensures that more organizations, including SMEs and important service providers, are covered under its scope. The sector-based, size-based, and impact-based criteria provide a clear framework for determining which organizations must comply with the directive’s requirements.

Organizations covered by NIS2 must implement robust cybersecurity measures, including risk management, incident reporting, and supply chain security. The penalties for non-compliance are substantial, reflecting the EU’s commitment to enforcing strong cybersecurity standards.

For organizations operating in Europe, understanding the threshold for NIS2 compliance is crucial. Whether you are an Essential Entity or an Important Entity, the obligations under NIS2 are designed to improve the resilience of your services and protect against the growing threat of cyberattacks. By proactively addressing these requirements, organizations can not only avoid penalties but also ensure the continuity of their operations in an increasingly digital world.