Under Directive (EU) 2016/1148, Member States were responsible for identifying the entities which met the criteria to qualify as operators of essential services. In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC(5), or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which operate within the sectors and provide the types of service or carry out the activities covered by this Directive fall within its scope. Member States should also provide for certain small enterprises and microenterprises, as defined in Article 2(2) and (3) of that Annex, which fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service to fall within the scope of this Directive.
NIS2 Recital EN
Recital 7