NIS2 Directive: Key and Important Entities in Focus of Enhanced EU Cybersecurity

Published: 30 July 2024


The European Union has significantly expanded the scope of its cybersecurity regulation through the NIS2 Directive, an important step in strengthening digital resilience across the Union. This article outlines the key and important entities covered by the directive, highlighting its expanded scope and differentiated approach to supervision.

Read more about the NIS2 Directive and compliance in this detailed guide.

Key Entities: Foundation of Critical Infrastructure


NIS2 defines eight "key" sectors considered vital for the functioning of society and economy:

1. Energy
2. Transport
3. Finance
4. Public Administration
5. Healthcare
6. Space
7. Water supply (drinking water and wastewater)
8. Digital infrastructure


These sectors are subject to the strictest supervision due to their critical importance. Entities in these sectors must implement robust cybersecurity measures and be prepared for regular inspections and audits.


Important Entities: Expanding the Security Perimeter


In addition to key sectors, NIS2 introduces a category of "important" sectors, recognizing their significant role in the economy and society:

1. Postal services
2. Waste management
3. Chemicals
4. Research
5. Food
6. Manufacturing
7. Digital service providers


Although these sectors are not classified as being as critical as the key sectors, their security is still of great importance to the EU.


Differentiated Approach to Supervision


The key difference between key and important entities lies in how they are supervised:

• Key entities are subject to proactive and continuous supervision. This may include regular inspections, audits, and testing of security measures.
• Important entities are subject to ex-post supervision. This means that supervisory activities will be initiated primarily if there is evidence of non-compliance or after an incident report.


Flexibility for Member States


NIS2 gives significant flexibility to member states in determining specific supervision methods. Some possible measures include:

1. On-site inspections and remote supervision
2. Targeted security audits
3. Risk-based security scans
4. Requests for documentation on cybersecurity policies
5. Access to relevant data and information
6. Evidence of security measure implementation, including results of independent audits
 

Implications for Organizations


For organizations falling into the categories of key or important entities, NIS2 brings significant obligations:

1. Risk assessment: Regular and comprehensive assessment of cyber risks becomes mandatory.
2. Measure implementation: Organizations must introduce technical and organizational measures to manage risks.
3. Reporting: Rapid reporting of significant incidents becomes a legal obligation.
4. Readiness for supervision: Especially for key entities, readiness for regular inspections and audits becomes a necessity.
 

How can Alfatec help?

The NIS2 Directive represents a significant step forward in strengthening the EU's cyber resilience. By expanding the scope and introducing differentiated categorization of entities, the EU aims to create a comprehensive framework that responds to the complex challenges of the digital age. For organizations, compliance with NIS2 is not just a matter of regulatory compliance but also a strategic investment in long-term security and resilience. This is where Alfatec steps in, with significant assistance from vendors such as Thales, Entrust, Qualys, Forcepoint, and many other global IT security names.

As member states prepare for full implementation of NIS2, organizations should proactively review their security practices and prepare for enhanced supervision. In a world where cyber threats are becoming increasingly sophisticated, NIS2 provides a framework for building a more resilient and secure digital ecosystem across the European Union.
 
Feel free to contact us and find out more at azur.saciragic(at)alfatec.ai or dario.selimagic(at)alfatec.ai.
