Before answering the question that interests you most and that gives the title to this post, we would like to give you an introduction by answering the following questions:
What is the NIS2 Directive?
The NIS2 Directive (Directive 2022/2055) is the update and extension of the NIS1 Directive and is a regulation that aims to address the cybersecurity problems that currently exist in the European Union.
The NIS2 Directive has broadened the scope of application and considers critical or important entities, depending on the degree of criticality of the sector, its size or the type of service provided.
When does it enter into force?
The NIS2 Directive entered into force on 16 January 2023 and Member States must transpose it and communicate the text of the transposition by 17 October 2024. The transposition will apply from 18 October 2024.
The deadline for Member States to transpose the Directive has arrived and, although the Directive is already binding, there is so far no indication that Spain has prepared its text, so, for the time being, the scenario for obliged entities is unclear.
Does it apply to my institution?
It will apply to:
1. Public or private entities (medium and large companies*) of one of the types mentioned in Annexes I or II (we add some summary images at the end) and which provide their services or carry out their activities in the EU.
2. Irrespective of size when they are listed in Annexes I and II and:
(a) The services are provided by:
- providers of public electronic communications networks or publicly available electronic communications services;
- trust service providers;
- top level domain name registries and domain name system service providers;
(b) the entity is the sole provider in a Member State of a service essential for the maintenance of critical social or economic activities;
(c) a disruption of the service provided by the entity could have a significant impact on public safety, public order or public health;
a disruption of the service provided by the institution could induce significant systemic risks, in particular for sectors where such a disruption could have cross-border implications;
(d) the entity is critical in the light of its specific importance at national or regional level for the particular sector or type of service or for other interdependent sectors in the Member State;
(e) the entity is a central or regional public administration entity which is likely to be significantly impacted by the disruption.
3. Critical entities within the meaning of Directive 2022/2557.
4. Entities providing domain name registration services.
5. If Member States so provide, the following may be added: local government entities and educational establishments.
The greatest uncertainty is when your company, being in one of the sectors referred to in Annexes I and II, will fall within the scope of application of the NIS2. This will need to be carefully reviewed together with the corresponding sectoral regulations and the transposition of the NIS2 in Spain.
Am I a critical or important entity under the NIS2?
The NIS2 distinguishes between critical and important entities for determining compliance with risk management measures. It makes this categorisation on the basis of the criticality of their sectors or the type of service they provide, as well as their size.
A number of characteristics are set out in the Directive itself to be taken into account for this categorisation. In addition, it is determined that Member States must draw up by 17/04/2025 and update periodically every 2 years a list of essential and important entities, including entities providing domain name registration services. Self-registration mechanisms may be established.
Therefore, and to bring this brief post on the NIS2 to a close, both to learn more about this classification and to find out more about some specific aspects of its application, we will have to wait for the Directive to be transposed in Spain.
However, entities that are obliged, or that consider that they may be obliged, are advised to start preparing and taking measures to comply with it.
Metricson can help you and advise you on any doubts you may have!
Article written by
Attorney – Privacy & IP