Is my business regulated by NIS2

Discover steps for NIS2 compliance: From assessing if you're regulated to navigating cross-border considerations.


In brief

  • NIS2 affects numerous sectors, requiring entities to assess their operations and size to determine if they fall under its scope.
  • Entities must classify themselves and tackle EU-wide jurisdictional complexities under NIS2.
  • NIS2 emphasises supply chain security, impacting thousands and requiring organisation-wide proactive compliance strategies.

On 30 August 2024 the Irish Government published the much anticipated general scheme of legislation to transpose the NIS2 Directive. The deadline for transposing NIS2 is 17 October 2024, and this is likely to be missed in Ireland.

Any delay in enacting the National Cyber Security Act 2024 is likely to be brief. Irish organisations, and foreign organisations that conduct certain activities in Ireland, should not de-escalate their NIS2 compliance efforts.

As the countdown continues, many organisations remain unsure whether they are regulated by NIS2, which exemptions are available, and whether they may be designated by an EU Member State as a regulated entity even though they would otherwise fall outside NIS2’s scope.

This article sets out some initial steps to assess whether an entity is regulated by NIS2, and some important considerations when operating on a cross-border basis and when engaging third parties.

Initial assessment steps

The first step when assessing the application of NIS2, aside from the jurisdiction rules, is to check whether the entity operates in any of the prescribed 18 sectors and any of the 67 entity types set out in the third column of Annexes I and II of NIS2. For some, this will require consideration of the sectoral EU legislation referenced in the Annexes. For entities involved in manufacturing, this will require an assessment of NACE code classifications.

If the entity is covered by Annex I or II, it should consider available exemptions. For most entities, the only exemption available is based on their staff headcount and financial data.

While most small businesses (so-called 'micro' and 'small' enterprises) will not be in-scope for NIS2, some will be brought into NIS2’s scope by national legislation because of their particular importance.

If the entity falls within the types set out in Annex I or II, and cannot rely on an exemption, it must classify itself as an ‘essential’ or ‘important’ entity.

An 'essential' entity is typically an Annex I entity above the medium-sized enterprise threshold, but some medium-sized entities are automatically ‘essential’. An 'important' entity is an Annex I or Annex II entity that is not 'essential'. EU Member States may classify any Annex I or II entity as 'essential' or 'important' irrespective of size, based on its importance.

Once the entity self-classifies as essential or important, it must notify this designation to its competent authority. For most entities, this must be done before 17 April 2025, with an earlier deadline of 17 January 2025 applying to providers of certain digital services, managed ICT services and digital infrastructure. There will be 9 competent authorities in Ireland, which will be responsible for supervising and enforcing NIS2 compliance for the sectors they oversee.

Entity size considerations

Commission Recommendation 2003/361/EC sets out the definitions for micro, small and medium-sized enterprises, applicable to NIS2, and the data that should be used when calculating staff headcount and the financials applicable to the definitions.

Entities must consider the headcount and financial data of any 'partner' or 'linked' enterprises when determining their size classification. This may bring the entity within the size thresholds for regulation under NIS2 even though it would not have met them if assessed solely on its own data. However, NIS2 recognises that this may in some cases have a disproportionate effect and therefore allows EU Member States, when applying the Commission Recommendation, to take into account the degree of independence the entity has from its partner and linked enterprises.

Jurisdiction

Wider questions arise if an organisation operates in more than one EU Member State, as it may be regulated under NIS2 separately and concurrently in each of those countries. Organisations not headquartered in the EU but providing certain services within it, or that have one or more ‘establishments’ in the EU, may also be subject to NIS2 in multiple Member States.

These entities will need to identify the EU jurisdictions in which they will be regulated by NIS2, and the specific requirements under each jurisdiction's transposing law, as EU Member States have a degree of flexibility in how they transpose NIS2 into national law and may introduce or maintain cybersecurity requirements that are more onerous than the baseline contained in NIS2.

NIS2 acknowledges that some digital services, such as cloud services, mainly function across borders and therefore should not be regulated by every EU Member State in which they are provided. Accordingly, providers of such services will only be subject to the jurisdiction of the EU country of their ‘main establishment’. Entities without an EU establishment must appoint a representative in an EU Member State where they operate in order to make use of this arrangement. For many multinationals, these aspects will require strategic decisions affecting tax, corporate governance, people, information security and legal functions.

Supply chain

While the primary focus here is on entities directly regulated by NIS2, the Directive's influence extends to organisations that supply ICT products or services to regulated entities.

NIS2 requires that essential and important entities implement ‘appropriate’ and ‘proportionate’ measures to manage risks and safeguard against incidents affecting their network and information systems. In this regard, NIS2 sets out ten risk management measures that all entities must maintain.

One of these requirements is to ensure the security of their supply chain. Essential and important entities must assess and take into account the overall quality and resilience of ICT products and services relevant to their network and information systems, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures.

Relevant product and service providers should expect their NIS2-regulated customers to require a greater degree of pre-contract diligence and more extensive contractual controls.

NIS2-regulated entities should be assessing their supply chain risk management framework, identifying the supply and service contracts that need enhancement, and ensuring they have mechanisms to assess the vulnerabilities, quality and cybersecurity practices of their supply chain.

Essential and important entities, and their relevant product and service providers, should monitor the transposition of NIS2 in the EU Member States in which they operate and keep watch for national policies and regulations dealing with supply chain risk management.

The European Commission will adopt an Implementing Regulation by 17 October 2024, which will provide further detail on supply chain risk management measures that certain entities must take. While these measures will not be mandatory for all entities, voluntary adoption for others will provide a robust baseline.

Are you ready for NIS2?

NIS2 will help strengthen cybersecurity and organisational resilience in this digital age. How will it impact your organisation and are you prepared?

Summary

It’s estimated that over 4,000 Irish organisations are subject to NIS2, with many more indirectly affected because they sit within a regulated supply chain.

Many organisations are still not aware that NIS2 applies to them, or of the serious consequences of non-compliance, which include the possibility of large administrative fines and personal responsibility for management.

Establishing that your organisation is regulated under NIS2 is just the start of the compliance journey. Key questions and steps will follow, which will involve stakeholders across the organisation, not just IT and information security teams. These aspects will take time to plan and implement, so Ireland’s likely delay in transposing NIS2 should not be viewed as a reason to postpone your own compliance efforts.


Services

Explore the services offered by EY Law Ireland.