NIS2: Assessing the Scope Requirement

The NIS2 Directive introduces stringent cybersecurity requirements for a wide range of entities, so it is important to understand its scope and applicability. This article explores how businesses, especially those with linked and partner enterprises, can determine whether they fall under the Directive's obligations. The key factors are the sector and nature of the services provided, the size of the entity, and its interconnections with other enterprises. By evaluating these elements, organisations can build an accurate compliance strategy and reduce their regulatory risk.

Sector Inclusion

An entity's inclusion depends first on whether it operates in one of the sectors explicitly listed in Annex I (sectors of high criticality) or Annex II (other critical sectors) of the Directive. Within those sectors, NIS2 generally applies to all medium-sized and large enterprises, whether public or private. Broadly, micro and small enterprises fall outside its scope, but with considerable exceptions: Article 2(2) brings certain entities in regardless of size, for example providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers, and entities that are the sole provider of a service essential to critical societal or economic activities in a Member State.

Assessing the size criteria of NIS2

Article 2 of the Directive makes the entity's size central. The Directive applies to public and private entities of a type listed in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities in the European Union.[1] For the size definition itself, the Directive refers to that Recommendation.[2] Under it, a medium-sized enterprise (MSE) is one with fewer than 250 employees and either an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million, and which is not a small enterprise; a small enterprise has fewer than 50 employees and either a turnover or a balance sheet total not exceeding EUR 10 million. In practice this means an entity with 50 or more employees, or with both turnover and balance sheet total above EUR 10 million, is at least medium-sized and therefore potentially in scope. Entities above the medium-sized ceilings (large enterprises) are covered as well.

Relationships with linked or partner enterprises, such as parent company status or joint shareholder voting rights, can affect MSE status, because the Recommendation requires the headcount and financial data of linked enterprises to be added in full, and those of partner enterprises in proportion to the shareholding. Organisations that form a group through direct or indirect control of voting rights, and that are of a type listed in Annex I or II of the Directive, are therefore assessed against the MSE criteria on a group basis. Likewise, if an entity operates in several sectors and only part of its activities fall under Annex I or II, the size assessment considers the entity as a whole, not just the Annex I or II activities: turnover, balance sheet totals and personnel numbers are counted for the entire entity, including activities outside Annex I or II.[3]

Furthermore, the concepts of linked and partner enterprises matter because they feed directly into the size assessment, and size in turn largely determines whether an organisation is classified as an 'Essential' or an 'Important' entity. Getting this classification right is the starting point for an effective compliance strategy.

However, it is important to remember that under Article 3(3) Member States must establish a list of essential and important entities by 17 April 2025, and must notify the Commission of at least the number of such entities per sector by the same date and every two years thereafter. Entities in scope are themselves obliged to submit the information needed for that list, so a self-assessment is still required. Member States may also go beyond the minimum requirements when transposing NIS2 into national law.

How can the applicability to subsidiaries be evaluated?

When determining the applicability of the NIS2 Directive to an organisation and its subsidiaries, it is essential to assess whether services within the Directive's scope form part of the organisation's overall offerings. If a subsidiary accounts for, say, only 10% of the group's overall service offerings but distributes chemicals as listed in Annex II, meets the MSE criteria and operates in the EU, then that subsidiary falls within the scope of NIS2.

Article 21 of the Directive requires in-scope entities to take cybersecurity risk-management measures, including policies on risk analysis. Before designing those measures, an organisation should map which parts of its business operations fall under NIS2 at all. Here it is emphasised that within a corporate group, parent and subsidiary entities remain distinct legal entities. Consequently, the inclusion of a subsidiary within the regulatory scope does not automatically extend to the parent company unless the parent company independently fulfils the criteria of the Directive.

Companies in a group structure that fall within the scope of application may collaborate with other companies in the same group to fulfil their risk management and reporting obligations. Where, within the group structure or under other arrangements of mutual ownership, some companies are in scope while others are not, the in-scope companies should take into account their dependence on services provided by the other companies when complying with their obligations. These obligations include technical, operational and organisational risk-management measures and policies, supply chain security, and incident reporting.

Contractual Obligations

When an entity does not fall within the scope of the Directive, it may still have contractual obligations if one of its customers is in scope. The Directive requires in-scope entities to address cybersecurity risks in their supply chain, including the security of relationships with their direct suppliers and service providers, so these requirements are frequently flowed down to suppliers through contracts.

Kersti Toomeoja

Associate

Merikukka Laulainen

Manager, Cyber & Digital Risk


[1] Directive (EU) 2022/2555, Article 2

[2] Commission Recommendation 2003/361/EC

[3] Directive (EU) 2022/2555, Annex I and Annex II
