29.10.2025

NEW TECH & INNOVATIONS

Is Your Company a Key or Important Entity? How to Determine Whether the NIS2 Directive Applies to You

The EU’s NIS2 Directive, followed by the proposed amendment to the Act on the National Cybersecurity System, imposes new obligations on businesses operating in specific sectors of the economy. Companies considered essential or important entities must meet specific requirements for the protection of networks and information systems.

This article outlines how entrepreneurs can determine whether their businesses fall under the new regulations and what steps should be taken to prepare for their implementation.

Who Does NIS2 Apply To?

The new provisions distinguish between two main categories of entities, essential entities and important entities, depending on how critical they are to the sectors in which they operate or the types of services they provide, as well as their size. The key differences between these categories relate primarily to the level of supervision (as a rule, essential entities will be subject to proactive supervision, while important entities will be subject to reactive supervision), potential sanctions, and the scope of reporting obligations.

How to Check Whether Your Business Falls Under NIS2

Step 1. Verify whether you operate in one of the sectors covered by the Directive

Essential sectors include:

  • Energy (e.g. energy undertakings, district heating and cooling operators, oil pipeline operators, or gas suppliers),
  • Transport (aviation, rail, water, and road transport),
  • Banking and financial services (e.g. credit institutions),
  • Financial market infrastructure (e.g. trading system operators),
  • Health (e.g. hospitals, laboratories, medical device manufacturers),
  • Water and wastewater (e.g. drinking water suppliers and distributors, operators of wastewater treatment systems),
  • Digital infrastructure (e.g. cloud service providers),
  • ICT service management (business-to-business ICT providers),
  • Public administration entities at the central and regional level,
  • Space sector (e.g. ground infrastructure operators).

Important sectors include:

  • Postal and courier services,
  • Waste management,
  • Manufacture, production, and distribution of chemicals,
  • Production, processing, and distribution of food,
  • Manufacturing, including: medical devices and in vitro diagnostic medical devices, computers, electronic and optical products, electrical equipment, other machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment,
  • Digital service providers (e.g. online marketplaces, search engines, and social media platforms),
  • Research activities.

If your company operates in any of the above sectors, it potentially falls within the scope of the NIS2 Directive.

Step 2. Assess the size of your organization

As a rule, the Directive applies to medium-sized and large enterprises within the meaning of EU law — in short, entities employing at least 50 persons and having an annual turnover exceeding EUR 10 million.

Micro and small enterprises (below these thresholds) are covered only in exceptional cases – where their operations are critical for the functioning of a given sector (e.g. they manage critical infrastructure).

Step 3. Identify your role in the supply chain

The Directive covers not only entities directly providing services in the listed sectors but also those that form part of the supply chain relevant for NIS2 purposes. If your company supplies components, systems, or IT services to an entity covered by NIS2, you may also be required to comply with the security obligations set out therein.

Step 4. Verify national implementing legislation

Each Member State publishes a list of sectors and criteria for identifying essential and important entities. In Poland, the relevant provisions will be included in the forthcoming amendment to the Act on the National Cybersecurity System (KSC), which is currently under legislative review (for more information on the proposed assumptions of the Act, see here).

The draft Act uses the same sector categories for essential and important entities as Annexes I and II to the NIS2 Directive, though it introduces minor variations concerning the types of entities specified within subsectors.

The Polish draft also slightly modifies the criteria that businesses must meet in order to be classified as essential or important entities.

An essential entity will be:

  1. an entity listed in Annex 1 to the Act exceeding the criteria for a medium-sized enterprise;
  2. an electronic communications undertaking qualifying as a medium-sized enterprise;
  3. a managed cybersecurity services provider meeting at least the criteria for a small or medium-sized enterprise;
  4. regardless of size: a DNS service provider, a qualified trust service provider, a critical entity, a public entity listed in Annex 1 (public sector), an entity identified as essential by a competent authority, a non-commercial entity listed by name or type in Annex 1, a nuclear energy facility operator, a top-level domain (TLD) registry, or a domain name registration service provider.

An important entity will be:

  1. an entity listed in Annex 1 meeting the criteria for a medium-sized enterprise and not classified as essential;
  2. an entity listed in Annex 2 meeting or exceeding the criteria for a medium-sized enterprise and not classified as essential;
  3. a non-qualified trust service provider being a micro, small, or medium-sized enterprise;
  4. an electronic communications undertaking being a micro or small enterprise;
  5. an investor in a nuclear energy facility;
  6. an entity identified as important by a competent authority;
  7. a non-commercial entity listed by name or type in Annex 2;
  8. a public entity that is not an essential entity and operates as a local government budgetary unit, local government cultural institution, or a public utility company performing public tasks using information systems.

As under the Directive, determining whether an activity should be registered as that of an essential or important entity requires examining whether the business operates within the sectors listed in Annexes 1 and 2 to the Act and meets the criteria of one of the categories described above. If the activity falls within the scope of the new legislation, the company will be required to implement and comply with the relevant cybersecurity regulations.

What if a Business Meets the Criteria for More Than One Category?

Where an entity meets the conditions for both categories, the Act provides that:

  • if an entity meets the requirements for both an essential and an important entity, it shall be classified as an essential entity;
  • if the classification depends on the size of the entity, the criteria for determining whether it is essential or important shall be assessed as of the date of the entity’s financial statement.

Summary

Public and private entities will have cybersecurity obligations if they:

  • directly meet the conditions set out in the NIS2 Directive;
  • are classified as an essential or important entity under the amended KSC Act; or
  • act as a supplier or client of a company subject to NIS2, which imposes corresponding security expectations in relation to the supply chain.

It is worth emphasizing that entities will be required to submit an electronic application for registration in the register maintained by the Minister of Digital Affairs within three months of meeting the criteria for classification as an essential or important entity.
