The NIS2 Directive distinguishes between essential and important entities based on the criticality of their sectors, the type of services they provide, and their size. Understanding whether your organization falls under the category of essential or important is crucial for compliance with NIS2’s risk management measures.
Essential Entities Include:
- Large companies in highly critical sectors: These sectors are listed in Annex I of the directive.
- Qualified trust service providers, top-level domain name registries, and DNS service providers: These are considered essential regardless of their size.
- Medium-sized companies providing public electronic communications networks or services: These entities are critical due to the essential nature of their services.
- Entities identified as critical under Directive (EU) 2022/2557: This applies regardless of the entity’s size; that directive must be transposed into national legislation alongside NIS2.
- Entities identified by a Member State before January 16, 2023, as operators of essential services under Directive (EU) 2016/1148 or national law.
Important Entities Include:
Entities that fall into one of the categories mentioned in Annexes I or II of the directive but do not meet the criteria for being considered essential are classified as important entities. These entities still play a vital role but have a slightly lower criticality level compared to essential entities.
Additional Considerations:
Member States have the discretion to classify an entity as essential or important regardless of its size if:
- The entity is the sole provider of an essential service in a Member State: This is crucial for maintaining critical social or economic activities.
- Disruption of the entity’s services could significantly impact public security, public order, or public health.
- Disruption could cause significant systemic risks, especially if it affects sectors with cross-border implications.
- The entity is critical at a national or regional level: This is based on its specific importance to the sector or interdependent sectors.
Member States are required to compile a list of essential and important entities by April 17, 2025, and to update it periodically. This list must include domain name registration service providers and can involve national self-registration mechanisms.