Last updated 18th November 2024
NIS2 Frequently Asked Questions (FAQ)
The purpose of this document is to create awareness about the scope of application of the NIS2 legal framework in Ireland. This document is for awareness purposes only and should not be relied on, as the NIS2 directive has not yet been transposed into Irish law. Readers are advised to seek independent professional advice before acting on anything contained herein. This information supplements the information already available on the NCSC website.
1. What are the objectives of the NIS2 Directive?
2. What is the scope of the NIS2 Directive?
3. What is the difference between Essential and Important entities?
4. What is the difference in the supervision of "essential" and "important" entities?
5. What enforcement powers do the Competent Authorities have in relation to Essential and Important entities?
6. How do you calculate the size of an entity?
7. What sectors and services are covered by the Directive?
8. Are there any entities that are exempt?
9. Could the sectors covered by the NIS2 Directive be extended in the future?
10. Does the Directive apply to certain entities, regardless of their size?
11. Is it possible for an entity to fall within several sectors?
12. What is the territorial scope of the Directive? What about entities operating in several countries (multinationals, etc.)?
13. What is the main establishment rule?
14. Do critical infrastructures (or critical entities identified under the CER Directive) fall into the scope of the NIS2 Directive?
15. Do educational establishments and local public administration entities fall into the scope of the Directive?
16. What is the method for determining whether an organisation falls within the scope of the NIS2 Directive?
16.1 Preliminary considerations
16.2 What is the size of my organisation?
16.3 What service(s) does my organisation provide in the European Union?
16.4 Location
16.5 Additional Identification and Supply Chain
17. What are the responsibilities of the Competent Authorities?
18. How do I register?
19. What is a significant Incident?
20. Abbreviations & References
1. What are the objectives of the NIS2 Directive?
Directive (EU) 2022/2555 (known as "NIS2") and the Irish NIS2 legislation transposing it lay down measures that aim to achieve a high common level of cybersecurity across the European Union, with a view to improving the functioning of the internal market. It aims to strengthen cyber resilience by focusing on the following key objectives:
- National strategies: Member States must create national cybersecurity strategies and set up authorities for cybersecurity, crisis management, contact points, and incident response teams (CSIRTs).
- Risk management and reporting: Entities listed in Annex I or II, and critical entities under Directive (EU) 2022/2557, must follow cybersecurity risk management and reporting rules.
- Information sharing: There are rules for sharing cybersecurity information.
- Supervision and enforcement: Member States have obligations to supervise and enforce these rules.
2. What is the scope of the NIS2 Directive?
The NIS2 Directive applies to public or private entities of a type referred to in Annex I or II which are, in principle, established in Ireland, which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.
In other words, the entity must qualify as a medium-sized enterprise (or exceed the medium-sized ceilings) under Commission Recommendation 2003/361/EC of 6 May 2003, which provides the definitions of micro, small and medium-sized enterprises.
3. What is the difference between Essential and Important entities?
The NIS2 law distinguishes between "essential" and "important" entities. In principle, this distinction is based on the size of the entity and the service provided.
Essential entities include the following:
Important entities: entities of a type referred to in Annex I or II which do not qualify as essential entities are important entities. This includes entities identified by Ireland as important.
4. What is the difference in the supervision of "essential" and "important" entities?
The primary distinction between essential and important entities lies in the supervision and sanctions they are subject to. The NIS2 Directive states:
Essential Entities (Article 32)
Essential entities are monitored in a proactive manner, often referred to as "ex ante". They are defined as organisations providing services critical to public safety and economic stability. Their disruption would have severe societal impacts, warranting the highest level of cybersecurity oversight. Competent Authority powers include:
i. On-site inspections and off-site supervision, including random checks conducted by trained professionals.
ii. Regular and targeted security audits carried out by an independent body or a competent authority.
iii. Ad hoc audits, including where justified on the ground of a significant incident or an infringement of the Directive by the essential entity.
iv. Security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned.
v. Requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27.
vi. Requests to access data, documents, and information necessary to carry out their supervisory tasks.
vii. Requests for evidence of implementation of cybersecurity policies, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.
Important Entities (Article 33)
Important entities, however, are supervised in a more reactive manner, or "ex post". This means their monitoring is based on evidence or signs that they might not be fulfilling their legal obligations. These include organisations that, while not as critical as essential entities, still play a significant role in the economy or public services.
Competent authorities, when exercising their supervisory tasks in relation to important entities, have the power to subject those entities at least to:
i. On-site inspections and off-site ex post supervision conducted by trained professionals.
ii. Targeted security audits carried out by an independent body or a competent authority.
iii. Security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned.
iv. Requests for information necessary to assess, ex post, the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27.
v. Requests to access data, documents, and information necessary to carry out their supervisory tasks.
vi. Requests for evidence of implementation of cybersecurity policies, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.
The targeted security audits referred to in the first subparagraph, point (b), shall be based on risk assessments conducted by the competent authority or the audited entity, or on other risk-related available information. The results of any targeted security audit shall be made available to the competent authority. The costs of such targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly substantiated cases when the competent authority decides otherwise.
5. What enforcement powers do the Competent Authorities have in relation to Essential and Important entities?
The NIS2 Directive states:
Essential Entities
Competent authorities, when exercising their enforcement powers in relation to essential entities, will have the power to:
Where enforcement measures are ineffective, Member States shall ensure that their competent authorities have the power to establish a deadline by which the essential entity is requested to take the necessary action to remedy the deficiencies or to comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States have the power to:
More information can be found in Articles 32 and 33 of the Directive.
Important Entities
Competent authorities, when exercising their enforcement powers in relation to important entities, have the power at least to:
More information can be found in Articles 32 and 33 of the Directive.
6. How do you calculate the size of an entity?
Under the NIS2 Directive, the size of an entity is determined based on staff headcount and financial ceilings as set out in the Annex to Recommendation 2003/361/EC. Here is how it works:
Small & Medium Enterprises (SMEs)
The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. To be classed as an SME, an organisation must have fewer than 250 employees and a turnover of less than €50m and/or a balance sheet total of less than €43m. This means that an organisation with fewer than 250 employees and either a turnover below €50m or a balance sheet total below €43m falls below the threshold and is classed as an SME.
7. What sectors and services are covered by the Directive?
Entities must provide at least one of the services listed in Annexes I or II of the Directive. These sectors include highly critical sectors such as energy, transport, public health and others, as well as other critical sectors like postal services, waste management and food production. The banking and financial market infrastructure sectors are covered by DORA, which is "lex specialis". More information is given in the sector table, which distinguishes Highly critical sectors (Annex I) from Other critical sectors (Annex II); sectors marked * are those to which (EU) 2022/2554 (DORA) applies. The table itself is not reproduced here.
Every service that falls under the purview of the NIS2 Directive is clearly defined in either Annex I or II. These definitions also reference the relevant European legal texts for further clarity. Additionally, some services are defined in Article 8 of the NIS2 Directive. To fully comprehend the services in question, it is essential to consult these definitions.
8. Are there any entities that are exempt?
The NIS2 Directive recognises that certain public bodies may require exemptions from specific provisions of the Directive to maintain their independence, confidentiality or operational effectiveness. For example, judicial bodies or intelligence agencies may be exempted to protect the integrity of their functions. Member States may exempt entities involved in national security, public security, defence or law enforcement from certain obligations.
Exemptions in this context are limited to provisions that would interfere with the public body's statutory duties or compromise sensitive operations. Exemptions do not apply to general cybersecurity obligations, such as safeguarding critical networks and reporting incidents. It is likely that any exemption will be subject to periodic review to ensure it remains necessary and does not create undue risks to national cybersecurity.
9. Could the sectors covered by the NIS2 Directive be extended in the future?
The answer is yes, they could. The Irish government holds the authority to include additional sectors or subsectors for regulation.
10. Does the Directive apply to certain entities, regardless of their size?
Yes, regardless of their size, the Directive also applies to certain entities referred to in Annex I or II, where:
11. Is it possible for an entity to fall within several sectors?
Yes, entities can fall within several sectors if their activities span multiple areas covered by the Directive. If an entity falls under multiple sectors with various levels of obligations, it must follow the strictest rules.
12. What is the territorial scope of the Directive? What about entities operating in several countries (multinationals, etc.)?
For multinational corporations, the scope of regulatory oversight under the NIS2 Directive is determined by the geographical areas where they provide services. If a corporation offers services in Ireland, it falls under the jurisdiction of Irish regulations. However, if the same corporation provides identical services in another Member State (MS), it would also be subject to the NIS2 regulations of that particular MS. For sectors identified as "main establishment" sectors, such as the digital sector, regulatory oversight is determined by the location of the corporation's headquarters within the Member State. More information at question 13.
Entities falling within the scope of this Directive shall be considered to fall under the authority of the Member State in which they are established, except in the case of:
13. What is the main establishment rule?
Under Article 26 of the NIS2 Directive, an entity's "main establishment" in the EU is defined as the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment shall be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined, the main establishment shall be in the Member State where the entity concerned has the establishment with the highest number of employees in the Union. If an entity is not established in the Union but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative in the Union designated under this paragraph, any Member State in which the entity provides services may take legal action against the entity for the infringement of this Directive.
14. Do critical infrastructures (or critical entities identified under the CER Directive) fall into the scope of the NIS2 Directive?
Yes, critical infrastructures or entities identified under the Critical Entities Resilience (CER) Directive do fall under the scope of the NIS2 Directive. This means that entities identified as critical entities under the CER Directive should be essential entities under the NIS2 Directive. Therefore, both pieces of legislation will be applicable to these entities.
15. Do educational establishments and local public administration entities fall into the scope of the Directive?
The NIS2 Directive states that "Member States may provide for this Directive to apply to: (a) public administration entities at local level; (b) education institutions, in particular where they carry out critical research activities". A "Research Organisation" means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions. These institutions, if in scope, would be required to report incidents as per the Directive.
However, the entities in scope and the exact requirements would need to be verified in the Irish transposition of the Directive.
16. What is the method for determining whether an organisation falls within the scope of the NIS2 Directive?
This section provides a step-by-step guide to help you determine if your organisation falls within the scope of the NIS2 Directive in Ireland. It is important to remember that this method is comprehensive but not exhaustive, and it is not the only approach you can take. Here are the key points:
- Preliminary Considerations: First, you will need to ask yourself a couple of questions. Is your organisation an operator of essential services under the NIS1 Directive?
- Size of Your Organisation: Next, consider the size of your organisation. This could influence whether you fall under the scope of the NIS2 Directive.
- Services Provided: What services does your organisation provide within the European Union? The nature of these services could determine your obligations under the NIS2 Directive.
- Location: Where is your organisation based in Europe? The location could have implications for how the NIS2 Directive applies to you.
- Future Identification and Supply Chain Considerations: Could your organisation be identified as a NIS2 entity in the future, or is it part of the supply chain of a NIS2 entity? These factors could bring you within the scope of the NIS2 Directive.
16.1 Preliminary considerations
Before diving into the analysis of the NIS2 Directive, it is important to consider two key aspects that significantly impact the scope of the Directive for organisations in Ireland.
A. Does my organisation operate critical infrastructure? Under the NIS2 Directive, does my organisation operate in a sector specified in Annexes I and II? There is an automatic application of the Directive to entities that are identified as operators of critical infrastructure.
B. Is my organisation an Operator of Essential Services (OES)? Entities that have been identified as operators of essential services under the NIS1 Directive are also included within the scope of the NIS2 Directive.
This means that the sectors covered by the NIS1 Directive are also encompassed by the NIS2 Directive, except for financial entities that come under the scope of (EU) 2022/2554 (DORA), which will be considered lex specialis when it comes into effect in January 2025.
16.2 What is the size of my organisation?
Determining whether an entity falls under the NIS2 Directive involves assessing its size. The Directive refers to Commission Recommendation 2003/361/EC for the definitions of micro, small and medium-sized enterprises. Typically, only medium-sized and large enterprises are within the Directive's scope, with some exceptions as noted in question 6. The size of an entity is established based on two factors: the workforce, measured in annual work units (AWUs), and financial amounts, which include annual turnover and/or annual balance sheet total. An entity need only meet either the turnover ceiling or the balance sheet total ceiling; exceeding one of these does not affect its status as an SME. More information can be found in the Commission's User Guide to the SME definition and the SME Wizard tool.
For instance, a small enterprise with 35 AWUs and an annual turnover of €1,000,000 but an annual balance sheet total of €50,000,000 would still be considered a small or micro enterprise based on its turnover. On the other hand, an enterprise with 80 AWUs and an annual turnover of €1,000,000 but an annual balance sheet total of €70,000,000 would be classified as medium-sized based on its workforce.
When considering the size in relation to the services provided, the scope is as follows:
Certain entities fall under the NIS2 Directive regardless of size. These include qualified trust service providers, DNS service providers, TLD name registries and others as specified.
16.3 What service(s) does my organisation provide in the European Union?
After determining the size of an entity, it is important to conduct a thorough analysis of all the services it offers to third parties. This should be done by sector or sub-sector.
It is important to map out each service, even if it is just a secondary activity. The NIS2 Directive provides detailed information about these services in Annexes I and II. This comprehensive approach ensures that all relevant services are considered when determining the applicability of the NIS2 Directive. See the list of critical sectors in question 7.
Next, it is necessary to link the services provided by your organisation to the definitions mentioned earlier. The service provided meets the condition if there is a match between your services and the defined categories. An organisation may offer several of the listed services across different sectors.
In summary, "important" and "essential" entities are classified as follows:
- Annex I services: medium-sized enterprise = Important; large enterprise = Essential
- Annex II services: medium-sized enterprise = Important; large enterprise = Important
16.4 Location
Article 26 of the NIS2 Directive states that "Entities falling within the scope of this Act shall be considered to fall under the jurisdiction of the Member State in which they are established, except in the case of:
Providers of public electronic communications networks or providers of publicly available electronic communications services, which shall be considered to fall under the jurisdiction of the Member State in which they provide their services.
DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, shall be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union under paragraph 2."
16.5 Additional Identification and Supply Chain
Article 21 of the NIS2 Directive states: "Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services."
It is important to note that the reach of the NIS2 Directive extends beyond its immediate scope. A considerable number of organisations could be indirectly affected by these new legal requirements if they form part of the supply chain for one or more NIS2 entities. While entities are obligated to secure their own supply chains under the NIS2 Directive, the Directive does not necessarily apply directly to their suppliers or service providers. Instead, these suppliers may indirectly fall under the purview of NIS2 through contractual obligations imposed on them by the entities. This is not a direct requirement of the NIS2 Directive, but rather a potential consequence of its implementation by entities seeking to ensure their supply chain security. Under Article 21 of the NIS2 Directive, supply chain security is one of the cybersecurity risk-management measures. Competent authorities will monitor compliance and take corrective actions against non-compliant entities.
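As an added worked example (not a tool of the NCSC and not part of this FAQ), the following Python encodes the size test from questions 6 and 16.2 and the essential/important summary table from question 16.3. The thresholds are those of Recommendation 2003/361/EC (headcount in AWUs, turnover and balance sheet total in euro); the entity records are constructed samples, the first two reusing the FAQ's own figures. The `size_independent` flag is an assumption: it models the categories that questions 10 and 16.2 say are in scope regardless of size (qualified trust service providers, DNS service providers, TLD name registries) and marks them essential following Article 3(1)(b) of the Directive rather than anything stated in this FAQ, so that reading should be checked against the transposed Irish text.

```python
"""Worked NIS2 scoping check: an added example, not the NCSC's own tool.

Encodes the size test of Commission Recommendation 2003/361/EC
(questions 6 and 16.2 of the FAQ) and the essential/important summary
table of question 16.3. Entity records below are constructed samples.
"""
from dataclasses import dataclass

# Size bands from Recommendation 2003/361/EC, smallest first:
# (label, headcount limit in AWUs (exclusive), turnover ceiling in EUR,
#  balance sheet ceiling in EUR). A band is met when headcount is below
# the limit AND at least one of the two financial ceilings is respected.
SIZE_BANDS = (
    ("micro", 10, 2_000_000, 2_000_000),
    ("small", 50, 10_000_000, 10_000_000),
    ("medium", 250, 50_000_000, 43_000_000),
)


@dataclass(frozen=True)
class Entity:
    name: str
    awu: float            # annual work units (staff headcount)
    turnover: float       # annual turnover, EUR
    balance_sheet: float  # annual balance sheet total, EUR
    annex: str            # "I" (highly critical) or "II" (other critical)
    # Assumption: models the categories the FAQ says are in scope
    # regardless of size (qualified trust service providers, DNS service
    # providers, TLD name registries); treated as essential following
    # Article 3(1)(b) of the Directive, which the FAQ table does not cover.
    size_independent: bool = False


def size_class(e: Entity) -> str:
    """Return 'micro', 'small', 'medium' or 'large' under 2003/361/EC.

    Exceeding only one financial ceiling does not push an entity out of
    a band: the FAQ's 35-AWU / EUR 50m balance sheet example stays small.
    """
    for label, max_awu, turnover_cap, balance_cap in SIZE_BANDS:
        if e.awu < max_awu and (e.turnover <= turnover_cap
                                or e.balance_sheet <= balance_cap):
            return label
    return "large"


def classify(e: Entity) -> str:
    """Return 'not in scope', 'important' or 'essential'.

    Mirrors the question 16.3 table: medium-sized entities are important
    whatever the annex; large Annex I entities are essential; large
    Annex II entities are important; micro and small entities fall
    outside the Directive unless they are a size-independent category.
    """
    if e.annex not in ("I", "II"):
        raise ValueError("annex must be 'I' or 'II'")
    if e.size_independent:
        return "essential"
    size = size_class(e)
    if size in ("micro", "small"):
        return "not in scope"
    if size == "large" and e.annex == "I":
        return "essential"
    return "important"


# Constructed sample entities: the first two are the FAQ's own numeric
# examples from question 16.2, the rest are invented to cover each branch.
SAMPLE_ENTITIES = (
    Entity("FAQ example A", 35, 1_000_000, 50_000_000, "I"),
    Entity("FAQ example B", 80, 1_000_000, 70_000_000, "I"),
    Entity("large energy operator", 1_200, 900_000_000, 2_000_000_000, "I"),
    Entity("large food producer", 600, 400_000_000, 300_000_000, "II"),
    Entity("both ceilings exceeded", 200, 60_000_000, 45_000_000, "I"),
    Entity("tiny DNS provider", 6, 800_000, 500_000, "I", size_independent=True),
)


def scoping_table(entities=SAMPLE_ENTITIES):
    """Map entity name -> (size class, NIS2 classification)."""
    return {e.name: (size_class(e), classify(e)) for e in entities}


if __name__ == "__main__":
    for name, (size, status) in scoping_table().items():
        print(f"{name:24s} {size:7s} {status}")
```

The "both ceilings exceeded" record shows the part of the test that is easy to get wrong: an entity with fewer than 250 AWUs is still large once both the turnover and the balance sheet ceilings are exceeded, so it becomes essential rather than important when it provides an Annex I service.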
17. What are the responsibilities of the Competent Authorities?
The NCSC serves as the primary authority for sectors not explicitly assigned to other regulators.
18. How do I register?
Article 3 of the NIS2 Directive states that Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis. Member States shall require the relevant entities to submit at least the following information to the competent authorities:
(a) the name of the entity;
(b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers;
(c) where applicable, the relevant sector and subsector referred to in Annex I or II; and
(d) where applicable, a list of the Member States where they provide services falling within the scope of this Directive.
The entities shall notify any changes to the details submitted without delay and, in any event, within two weeks of the date of the change. Member States may establish national mechanisms for entities to register themselves (NIS2 registration portals). The NCSC will provide a mechanism for entities to register for NIS2. This will be operational once the NIS2 Directive has been transposed into Irish legislation.
19. What is a significant Incident?
The NIS2 Directive states that a significant incident is: "An incident shall be considered to be significant if:
(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage."
Further guidance on thresholds and reporting of incidents will be provided in due course.
20. Abbreviations & References
The following abbreviations and references are used in this document:
- Competent Authority: A "Competent Authority" under the NIS2 Directive is a regulatory entity established by EU Member States, responsible for ensuring compliance with the Directive by Operators of Essential Services and Digital Service Providers.
- CSIRT: A CSIRT (Computer Security Incident Response Team) is a team responsible for information exchange on cybersecurity and cooperation on specific cybersecurity incidents.
- DORA: DORA, or the Digital Operational Resilience Act, is an EU regulation that establishes a comprehensive framework for harmonising digital resilience processes and standards in the financial sector and is considered a specific law that takes precedence over the general NIS Directive. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (available on Eur-Lex).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (available on Eur-Lex).
- NCSC: National Cyber Security Centre (Ireland's national cyber security authority and national CSIRT).
- NIS1: NIS1, or the Network and Information Systems Directive 1, is the first EU directive, adopted in July 2016, to improve cybersecurity by addressing threats to network and information systems.
- NIS1 Directive: Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (available on Eur-Lex), as transposed by Irish legislation.
- NIS2 Directive: NIS2, or the Network and Information Systems Directive 2, is an EU directive aimed at enhancing cybersecurity across the EU by setting cybersecurity requirements for critical infrastructure companies. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a common high level of cybersecurity throughout the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (available on Eur-Lex).
- NIS2 Regulations: Regulations of 9th June 2024 implementing the Directive of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security.
- Recommendation (2003/361/EC): Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (available on Eur-Lex).
- Lex Specialis: "Lex specialis" is a legal principle where a specific law (lex specialis) overrides a general one (lex generalis). In the context of NIS2 and DORA, DORA is the "lex specialis". This means that if both could apply, DORA, being more specific, takes precedence. So, for cybersecurity, while NIS2 provides general rules, DORA provides specific rules for the financial sector and thus supersedes NIS2 in this area.