
Understanding the NIS 2 Directive: definition, scope and entities concerned

Reading time: 8 min
Modification date: 6 November 2025

The European Union has strengthened its cybersecurity framework through the NIS 2 Directive, which seeks to establish a harmonised and enhanced level of protection for critical infrastructure. The Directive requires entities classified as “essential” or “important” to implement appropriate security measures, notify any significant incident to the competent authorities, and submit to reinforced regulatory oversight. Failure to comply may result in severe penalties, including potential personal liability for senior executives.
This article outlines the background, scope, and entities subject to NIS 2.



Key takeaways on the NIS 2 Directive

  • The NIS 2 Directive strengthens the European cybersecurity framework and applies to a broader range of public and private sector organisations.
  • It distinguishes between two categories of entities, essential entities and important entities, both of which are subject to obligations relating to security measures, risk management, and incident notification.
  • The scope of application now includes additional sectors such as energy, healthcare, transport, public administration, digital infrastructure, industry, and postal services, among others.
  • The Directive also expressly covers supply chains and third-party providers, which must ensure an adequate level of cybersecurity.
  • Failure to comply may result in substantial sanctions, including potential liability for individuals in management positions.
  • To demonstrate compliance, organisations must document and timestamp their security logs, incident timelines, and evidence of remediation efforts.

What is the NIS 2 Directive?

The NIS 2 Directive succeeds the original NIS Directive (2016) on the security of network and information systems. While the initial framework introduced a common approach to cybersecurity across the European Union, the rapid evolution of threats, combined with the increasing reliance of critical services on digital technologies, has necessitated a more stringent regulatory regime.

Through NIS 2, the EU expands the scope of the Directive, strengthens security obligations and introduces stricter penalties. It applies to both public and private entities operating in sectors considered strategic.

Essential entities

The term “essential entities” refers to organisations whose proper functioning is considered vital to society or the economy. The NIS 2 Directive broadens the list compared to its previous version. The following sectors are now included: 

  • Energy: entities involved in the production, transmission and distribution of electricity, oil, gas and hydrogen; operators of electric vehicle recharging points; and district heating and cooling networks.
  • Transport and space: airlines, airport operators, railway undertakings, maritime ports, road infrastructure operators, and entities involved in space-related services.
  • Banking and financial market infrastructure: credit institutions, trading venues, and central counterparties.
  • Healthcare: hospitals, healthcare providers, pharmaceutical R&D laboratories, and manufacturers of active pharmaceutical ingredients.
  • Drinking water and wastewater: suppliers of potable water and wastewater treatment operators, provided such activities are not ancillary.
  • Digital infrastructure and ICT service providers: data centres, cloud service providers, managed service providers, content delivery networks (CDNs), DNS service providers, and managed cybersecurity service providers.
  • Public administration: central and regional government bodies, courts, prosecution services, and institutions deemed of strategic importance.

This extended scope reflects the EU’s intention to cover all sectors whose continuous operation is now regarded as essential in a digitised environment. 

Important entities 

Although their role is considered less strategic than that of essential entities, important entities remain subject to the same cybersecurity and risk management obligations. These include:

  • Digital service providers: search engines, online marketplaces and social networking platforms.
  • Waste management: entities involved in the collection, treatment or disposal of waste, provided such activity is not incidental.
  • Chemical sector: manufacturers, distributors and retailers of chemical substances.
  • Research activities: organisations conducting applied or experimental research and development.
  • Food supply chains: entities involved in the production, processing or distribution of food products.
  • Industry: manufacturers of IT, electronic and optical equipment, vehicles, transport systems, mechanical machinery, and medical devices (including in vitro diagnostics).
  • Postal and courier services: providers involved in the collection, sorting, transport and delivery of mail, including express courier services.

Size, status and classification criteria

An entity’s classification also depends on its size. Some organisations that would otherwise fall under the “essential” category may be treated as “important” if they meet the thresholds applicable to small or medium-sized enterprises. However, certain exceptions apply: qualified trust service providers, domain name registries, providers of publicly available electronic communications services, and central government authorities are considered essential entities regardless of their size.

This approach allows the scope of the Directive to reflect economic realities, while ensuring that genuinely critical services remain subject to enhanced regulatory oversight.

Public and private sector coverage: a transversal directive

The Directive applies to both public bodies and private undertakings. Organisations owned or controlled by the State, as well as private companies operating in the covered sectors, fall within its scope. Central government authorities are systematically classified as essential entities. This cross-sectoral approach reinforces the Directive’s reach across the entire ecosystem.

Supply chains and third-party providers

A key aspect of the NIS 2 Directive is its treatment of supply chains. Providers of products, services or infrastructure to essential or important entities may also fall within the scope of the Directive. As a result, entities subject to NIS 2 bear responsibility for ensuring that their third-party suppliers implement security measures equivalent to those they apply internally.

Geographical scope: beyond the EU

The Directive is not limited to Member States. It may also apply to service providers established outside the European Union, insofar as they offer critical services or infrastructure to entities located within the EU. In other words, a non-EU organisation involved in the delivery of a strategic service to the Union may fall within the scope of NIS 2.

Sector-specific regimes: when the Directive does not apply

Some organisations are already subject to regulatory frameworks considered equivalent to, or more stringent than, the NIS 2 Directive, as is the case in the financial sector. In such instances, the sectoral legislation takes precedence, and the Directive does not apply to those aspects. This prevents overlapping obligations. However, where certain entities within a given sector are not covered by these specific regimes, they may still fall within the scope of NIS 2.

Qualified timestamping: a compliance tool under NIS 2

The NIS 2 Directive requires essential and important entities to ensure the security of their information systems, to document incidents, and to demonstrate the implementation of corrective measures. Evidency, as a Qualified Trust Service Provider (QTSP) operating in accordance with the eIDAS Regulation, offers qualified timestamping solutions that support compliance with these obligations.

Through qualified timestamping, organisations can:

  • secure and trace security logs
  • establish reliable incident timelines
  • retain evidence of remediation and corrective actions

By integrating these services directly into their processes via API, organisations ensure the integrity, authenticity and evidential value of their data. Qualified timestamping thus becomes a strategic instrument for demonstrating compliance with NIS 2 and strengthening overall cybersecurity governance.
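The following is an added illustration of the workflow described above, not Evidency's code or its API. It assumes the QTSP accepts RFC 3161 time-stamp requests (the article only says "via API") and that SHA-256 is an accepted hash algorithm; the log lines are constructed for the example. It shows the client-side work an organisation does before calling the timestamping service: hashing the archived log, encoding the time-stamp request that carries that hash, and hash-chaining an incident timeline so that one qualified timestamp on the chain head commits to every earlier entry.

```python
# Added example (not Evidency's code or API). Assumes an RFC 3161 TSA endpoint
# at the QTSP and SHA-256 as the imprint algorithm; both are assumptions.
import hashlib
from typing import Optional

# Constructed sample security log lines (not from any real system).
SAMPLE_LOG = [
    "2025-11-06T08:12:03Z sshd: Failed password for invalid user admin from 203.0.113.5",
    "2025-11-06T08:12:09Z sshd: Failed password for invalid user admin from 203.0.113.5",
    "2025-11-06T08:15:41Z soc: ticket INC-0001 opened, source IP blocked at edge firewall",
]

SHA256_OID = (2, 16, 840, 1, 101, 3, 4, 2, 1)  # id-sha256


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_oid(arcs) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = []
        while True:
            groups.insert(0, arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        out.extend(g | 0x80 for g in groups[:-1])  # continuation bit on all but last
        out.append(groups[-1])
    return der_tlv(0x06, bytes(out))


def hash_log(lines) -> bytes:
    """SHA-256 over the log exactly as it will be archived (one line per record)."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.digest()


def build_timestamp_request(digest: bytes, nonce: Optional[int] = None) -> bytes:
    """Encode an RFC 3161 TimeStampReq: version 1, SHA-256 message imprint,
    optional nonce (binds the response to this request), certReq TRUE so the
    token carries the TSA certificate needed for later offline verification."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    alg_id = der_tlv(0x30, der_oid(SHA256_OID) + b"\x05\x00")  # parameters NULL
    imprint = der_tlv(0x30, alg_id + der_tlv(0x04, digest))
    body = der_integer(1) + imprint
    if nonce is not None:
        body += der_integer(nonce)
    body += b"\x01\x01\xff"  # certReq BOOLEAN TRUE
    return der_tlv(0x30, body)


def chain_digest(entries, seed: bytes = b"\x00" * 32) -> bytes:
    """Hash-chain incident timeline entries: each digest commits to the previous
    one, so a single qualified timestamp on the head covers every entry."""
    prev = seed
    for entry in entries:
        prev = hashlib.sha256(prev + entry.encode("utf-8")).digest()
    return prev


def verify_chain(entries, head: bytes) -> bool:
    """True only if the entries, in this order and unmodified, produce `head`."""
    return chain_digest(entries) == head


if __name__ == "__main__":
    digest = hash_log(SAMPLE_LOG)
    req = build_timestamp_request(digest, nonce=0x1234)
    # Assumed workflow: POST `req` as application/timestamp-query to the QTSP
    # and archive the returned token alongside the log it covers.
    print("log digest:", digest.hex())
    print("TimeStampReq:", req.hex())
    print("timeline head:", chain_digest(SAMPLE_LOG).hex())
```

The request carries only the digest, so log content never leaves the organisation; what the QTSP signs is the commitment, which is why the archived log must be byte-for-byte the input that was hashed. Chaining the timeline means a later edit, reordering or deletion of any entry changes the head and therefore fails to match the timestamped value.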

Conclusion

The scope of the NIS 2 Directive is broad and subject to further evolution. Member States had until 17 April 2025 to identify the entities falling within its scope. While each organisation must assess its own situation, entities operating in strategic sectors now have sufficient information to begin preparing for compliance. It is advisable to initiate without delay the implementation of appropriate cybersecurity measures and incident notification procedures.

Disclaimer

The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.

The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Evidency. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.

About the author

Camille Lehur
Camille is Digital Marketing Manager at Evidency. With over 10 years of experience, she specialises in content management and traffic acquisition.
