While NIS2 appears to emphasise that EU member states will identify organisations in scope, it requires organisations themselves to determine whether they fall within its scope and self-identify with a relevant EU member state regulator. If they fall within the scope, they must take measures to comply with related cybersecurity requirements by October 2024. Importantly, they must also notify the relevant EU member state regulator that they fall within the scope of NIS2 by April 2025. Digital infrastructure organisations caught by NIS2 will need to notify the relevant EU member state regulator by 17 January 2025.
European Data Strategy: NIS2 - Keeping you informed
Under Directive (EU) 2016/1148, Member States were responsible for identifying the entities which met the criteria to qualify as operators of essential services. In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC (5), or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which operate within the sectors and provide the types of service or carry out the activities covered by this Directive fall within its scope.