- Start here by finding out whether you are covered by NIS 2
An organization can be affected by the NIS 2 requirements in several ways. The first is that the organization consists of a unit in one of the sectors you can see below. In addition, the organization must have a certain size: at least 50 employees and over 10 million EUR in annual total balance/annual turnover. If the organization is part of a group, the starting point is that the companies must be viewed together as far as the thresholds are concerned. Finally, the organization must read how each individual sector is defined, because not all units in a given sector are covered by NIS 2.
An organization may also be affected by NIS 2 if it delivers to an NIS 2-affected entity. NIS 2 contains a requirement for supply chain security, so many of the requirements that the NIS 2-covered entities must comply with in reality end up with those entities' IT suppliers.
The NIS 2 directive also contains a number of other ways to be directly covered. We review the most important of them, but not all, below.
Regardless of size, the directive also applies to entities in the sectors shown above:
1. where services are provided by providers of public electronic communications networks or of publicly available electronic communications services,
2. where services are provided by trust service providers,
3. where services are provided by TLDs and domain name system providers,
4. where the entity is the only provider in a Member State of a service essential for the maintenance of critical societal or economic activities,
5. where a disruption to the service provided by the entity could have a significant impact on public safety or public health,
6. where a disruption to the service provided by the entity could lead to a significant systemic risk, in particular for sectors where such a disruption could have a cross-border effect,
7. where the entity is critical because of its specific importance at national or regional level for the sector or type of service concerned or for other interdependent sectors in the Member State, and finally
8. where the entity is a public administration entity a) under the central administration as defined by a Member State in accordance with national law or b) at regional level as defined by a Member State in accordance with national law which, following a risk-based assessment, provides services if disruption could have a significant impact on critical societal or economic activities.
In addition, NIS 2 applies:
9. If you provide domain name registration services.
10. If you are a public administration unit at local level (municipality) or an educational institution that mainly carries out critical research activities. However, this requires that Denmark, as part of the implementation, decides that these unit types must be covered.
11. NIS 2 exempts national security, public safety, defense or law enforcement activities, including the prevention, investigation, detection and prosecution of criminal offences.
You are now ready to read more about Step 2 – the NIS 2 implementation process.