Scope of NIS2 Directive: Does It Apply to You? 20% of UK Enterprises Unsure
Meeba Gracy
Dec 13, 2024
This November, a concerning revelation came to light: over a fifth of senior cybersecurity professionals at the UK's largest organizations were unsure whether the EU's NIS2 directive applied to them.
The study by Green Raven Limited found that 22% of respondents admitted they did not know whether the directive affected their business, a significant awareness gap given the consequences of non-compliance. A further 68% confirmed that the rules apply to them, but the lingering uncertainty raises critical questions.
Brexit does not take UK organizations out of reach. NIS2 applies to entities that provide in-scope services or carry out in-scope activities in the EU, so a UK company with an EU subsidiary in a covered sector, or one that offers covered services (cloud, data centre, DNS, online marketplace and the like) to EU customers, falls under the directive; non-EU providers of several digital services must also designate a representative in a member state. Even a UK firm outside the direct scope can be pulled in through the supply-chain obligations of its EU customers. Failure to comply can result in severe penalties or reputational damage.
If your organization falls within the scope of NIS2, this is a wake-up call to understand your responsibilities and avoid costly oversights. The consequences of complacency are monumental. Let’s dive in.
TL;DR
- If your organization operates in one of the NIS2 sectors and is at least medium-sized (50 or more employees, or annual turnover and balance sheet above €10 million), NIS2 likely applies to you, even if you are not headquartered in the EU.
- A significant portion of senior cybersecurity professionals remain unsure whether NIS2 applies to their organizations.
- Even if your company is not directly in NIS2's scope, you can still be affected if you supply critical services to an organization that is, because covered entities must manage the security of their supply chain.
What is NIS2, and why does it matter?
The NIS2 Directive is a comprehensive overhaul of the EU’s approach to cybersecurity, designed to safeguard critical infrastructure and essential services from escalating digital threats. It sets stringent security requirements and mandates that organizations fortify their systems against risks like ransomware, phishing, and unauthorized access.
Proposed by the European Commission in December 2020 and in force since January 16, 2023 (Directive (EU) 2022/2555), NIS2 builds on the original EU NIS directive, addressing its shortcomings and raising cybersecurity standards across Europe. Member states had until October 17, 2024 to transpose it into national law. Its expanded scope and stricter requirements are primarily aimed at strengthening supply chain security, tightening incident reporting (an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident), and imposing tougher sanctions for non-compliance.
Scope of NIS2: Who’s covered?
The EU’s NIS2 Directive is gearing up to become part of European law, setting stricter rules for network and information security. It’s designed to cover a broad range of companies and organizations, but how do you know if your business falls under its scope? Here’s a quick guide.
Your company is covered if:
- It is a significant or essential organization
- It meets specified size thresholds (If your company is a critical sector or has over 50 employees and annual revenue above €10 million)
- It supplies services or products to companies that fall under the first two categories.
Let’s unpack these a bit further.
Important or Essential Entities
The directive lists sectors of high criticality in Annex I and other critical sectors in Annex II. If you operate in one of these industries, you are likely covered.
Important Entities
These organizations are significant but less critical than essential entities. The following sectors typically fall under this category:
- Postal Services: Delivery and logistics providers
- Waste Management: Recycling and waste disposal services
- Chemicals: Manufacturing and supply of chemical products
- Food Production and Distribution: Agriculture, food processing, and supply chains
- Manufacturing: Medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, and other transport equipment (note that manufacturing of pharmaceutical products sits under health in Annex I)
Essential Sectors Include
These are organizations considered critical to the functioning of society and the economy. If you operate in one of the following sectors and exceed the medium-size ceiling (250 or more employees, or turnover above €50 million and balance sheet above €43 million), you are classified as an essential entity; medium-sized organizations in these sectors are generally treated as important entities instead:
- Energy: Includes electricity, oil, and gas sectors
- Transport: Covers air, rail, water, and road transport services
- Banking: Core banking and financial services
- Financial Market Infrastructure: Trading, clearing, and settlement systems
- Healthcare: Hospitals, healthcare providers, and medical facilities
- Drinking Water: Supply and distribution networks
- Wastewater: Treatment and management systems
- Digital Infrastructure: Cloud service providers, data centres, content delivery networks, DNS service providers, top-level domain name registries, trust service providers, and public electronic communications networks and services
- Public Administration: Critical government bodies and services
- Space Activities: Satellites and related operations
Size Criteria
Sector alone is not enough; size matters under NIS2. A business is generally covered if:
- It falls within the listed sectors, and
- It is at least medium-sized, meaning it has 50 or more employees, or its annual turnover and annual balance sheet both exceed €10 million
Some entities are in scope regardless of size, for example DNS service providers, top-level domain name registries, trust service providers, providers of public electronic communications networks, certain public administration bodies, and sole providers of a service essential to society in a member state.
Quick Test: do you qualify?
- Check your sector against the lists above
- Evaluate your size criteria (50 or more employees, or annual turnover and balance sheet above €10 million)
- Assess whether your services are critical to other covered entities
What if you’re a supplier?
You might still be indirectly affected by NIS2 if you provide critical services or are a subcontractor to a company within the directive's scope. Covered entities are required to address the security of their supply chain, including the relationships with their direct suppliers and service providers, and they typically pass those expectations down through contracts and audits. Think of it as a ripple effect: if your work is vital to an organization that is covered, NIS2 requirements may reach you too.
In short, NIS2 casts a wide net, so it’s worth taking a closer look at where your business fits.
The 20% Conundrum: Why the confusion exists
If nearly 97% of IT leaders at UK companies were confident in June 2024 that they were (or soon would be) NIS2-compliant, why did almost 10% of large organizations admit to non-compliance just months later, with a further 3% unsure whether they complied at all?
NIS2 entered into force in January 2023, and the transposition deadline passed in October 2024, yet organizations are still grappling with the basics, such as whether the directive even applies to them. Morten Mjels, CEO of Green Raven Limited, summed it up bluntly:
“Saying yes, we’re compliant may be acceptable. Admitting no, we’re not compliant but we’re working on it—assuming there’s a grace period—may also be acceptable. But eventually, failure to comply is going to hurt. Saying ‘we weren’t sure’ is unlikely to fly as a defense.”
He’s not wrong. Non-compliance doesn’t just invite fines; it can jeopardize a company’s ability to operate in Europe altogether.
This blunt assessment echoes a growing sense of unease. Just a week before the NIS2 deadline, an Infosecurity Magazine webinar revealed widespread confusion among participants about whether the directive even applied to their organizations. With the stakes so high, this uncertainty is alarming.
What about the UK’s approach?
While the EU moves forward with NIS2, the UK is preparing to update its own NIS Regulations through the Cyber Security and Resilience Bill, expected to be introduced next year. Early indications suggest this bill will be less ambitious than NIS2, but that does not mean it will be without its challenges.
In fact, 46% of CISOs surveyed by Green Raven expect the bill to place “unwanted demands” on UK businesses. The tension here is clear: balancing necessary security improvements with the practical realities of implementation is no easy task.
Don’t wait for a regulatory knock—take action with Sprinto
If you’re in the business of managing critical infrastructure in