Who does NIS2 apply to?
The scope of the NIS2 Directive goes far beyond the previously known critical infrastructures (KRITIS). To this end, 18 economic sectors have been defined based on their criticality. Companies are thus regulated as "essential entities" or "important entities" depending on their area of activity and size.
Companies are considered "essential institutions" if they are active in a sector with high criticality and exceed the threshold of at least 250 employees and either 50 million annual revenue or a balance sheet total of 43 million euros. The following industries belong to the sectors with high criticality:
- Energy
- transport
- banking
- Financial market infrastructures
- health
- Drinking Water
- Waste Water
- Digital infrastructure
- ICT service management (business-to-business) (business-to-business)
- Public administration
- Space
Companies are considered "important institutions" if they are active in one of the 18 sectors and are not an "essential institution". In addition to the above-mentioned sectors, there are also
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
NIS2 divides the sectors mentioned above into further sub-sectors.
Small and micro enterprises can be regulated as special cases if they fulfill certain criteria that indicate a key role for society, the economy or certain economic sectors.