Publication
Autres publications
Cybersécurité - NISS
November 6, 2024
NIS 2
Scope and field of application
Discover the scope of application of the NIS2 Directive: sectors concerned, size-cap rule and self-registration process. Detailed guidance for the companies and organisations subject to the new cybersecurity requirements in the EU.
Scope of the NIS2 Directive
The NIS2 Directive applies to entities active in one or more sectors listed in Annexes I and II of the Directive. The following list summarises the different sectors within the scope of application.
- Energy
- Transport
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Some sectors are made up of several sub-sectors or types of entities, such as the digital infrastructure sector (see figure below).
Definitions of sectors
For a more detailed view, please consult the annexes of the NIS2 Directive. Please find a document proposing definitions of the various sectors of activity covered by the NIS2 Directive below.
By default in scope of application
The NIS2 Directive introduces a rule for determining the entities that fall within the scope of application linked to the size of the company, also known as the ‘size-cap’. This means that a company that is active in one of the sectors of the annexe I or II, and that is of a certain size (see below the section ‘Explanations on the size-cap’), it will by default be affected by the NIS 2 Directive.
Furthermore, the NIS 2 Directive provides several exceptions to the application of the ‘size-cap’ rule (for example: for providers of public electronic communications networks or publicly available electronic communications services, for trust service providers or top-level domain name registries and domain name system service providers).
Regardless of its size, an entity may be identified as essential or important according to specific criteria (for example: an entity already identified as a critical entity; a sole supplier in its field of activity, etc.).
Some sectors are made up of several sub-sectors or types of entity, such as the digital infrastructure sector (see figure below).
Explanations on the size-cap
The user guide to the SME definition published by the European Commission can facilitate the interpretation of the size cap rule in the NIS 2 Directive.
An entity is considered medium-sized if it has at least 50 and no more than 249 employees, or if it has an annual turnover of between €10 million and €50 million, or if its annual balance sheet total is between €10 million and €43 million.
If any of these criteria are exceeded, the company is considered large.
The ceiling rule is applied at the group level. To calculate the size of the entity under review, it must take into account not only its own workforce and turnover, but also the workforce and turnover of its partner enterprises and linked enterprises.
According to Article 6 of the Annex to Commission Recommendation 2003/361/EC, the following data must be taken into account:
1) 100% of the data of the enterprise under review;
2) 100% of the data of all linked enterprises and of all linked enterprises to these linked enterprises;
3) the pro rata (based on control) data of the partner enterprises of the entity under review, as well as the companies related to the partner companies.
The partner companies of the partner companies are not taken into account.
More details and calculation examples can be found in the user guide to the SME definition.
Self-registration
The NIS2 Directive provides that companies must register themselves with the competent authority.
Auto-enregistrement des entités importantes et essentielles
Formulaire
Déclarations et notifications
Cybersécurité - NISS
