NIS 2

Scope and field of application

Discover the scope of application of the NIS2 Directive: sectors concerned, size-cap rule and self-registration process. Detailed guidance for the companies and organisations subject to the new cybersecurity requirements in the EU.

Scope of the NIS2 Directive

The NIS2 Directive applies to entities active in one or more sectors listed in Annexes I and II of the Directive. The following list summarises the different sectors within the scope of application.

  • Energy
  • Transport
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

Some sectors are made up of several sub-sectors or types of entities, such as the digital infrastructure sector (see figure below).

Exemple de sous-secteurs

Definitions of sectors

For a more detailed view, please consult the annexes of the NIS2 Directive. Please find a document proposing definitions of the various sectors of activity covered by the NIS2 Directive below.

By default in scope of application

The NIS2 Directive introduces a rule for determining the entities that fall within the scope of application linked to the size of the company, also known as the ‘size-cap’. This means that a company that is active in one of the sectors of the annexe I or II, and that is of a certain size (see below the section ‘Explanations on the size-cap’), it will by default be affected by the NIS 2 Directive.

Furthermore, the NIS 2 Directive provides several exceptions to the application of the ‘size-cap’ rule (for example: for providers of public electronic communications networks or publicly available electronic communications services, for trust service providers or top-level domain name registries and domain name system service providers).

Regardless of its size, an entity may be identified as essential or important according to specific criteria (for example: an entity already identified as a critical entity; a sole supplier in its field of activity, etc.).

Some sectors are made up of several sub-sectors or types of entity, such as the digital infrastructure sector (see figure below).

NIS 2 size cap rules - Annex 2

Self-registration

The NIS2 Directive provides that companies must register themselves with the competent authority.

On the same topic...

Security measures and supervision under NIS2
More information
Incident notification under NIS2
More information
Information sessions
More information
Discover all content related to this topic : NIS 2
More information
  • Secure your organisation

    The NISS department ensures that the law regarding the security of networks and information systems is properly enforced in several sectors.

    More information
  • NIS 2 Directive

    Receive more information on the NIS 2 Directive.

    More information
  • Incident notification

    For incident notification, please use the online form.

    More information