NIS2 Addressees and Responsible Entities

The 'Addressees' section of NIS2 specifically identifies and defines the entities and authorities to whom the directive applies and who bear responsibility for compliance. This requires a dedicated topic covering the identification, classification, and designation procedures for all addressees under NIS2.

Overview

Legal Framework

The scope and classification of entities responsible for compliance under the Network and Information Security 2 Directive (NIS2) are primarily governed by Articles 3 and 4 NIS2, which define the categories of "essential entities" and "important entities." Recital 15 NIS2 provides the rationale for this two-tier classification, stipulating that entities must be categorized based on their criticality for the sector or type of service provided, as well as their size. This classification determines the stringency of cybersecurity risk management measures and incident reporting obligations that apply.

Practical Application

The authoritative commentary from Tekst & Commentaar, while focused on the GDPR, underscores a fundamental legal principle relevant to NIS2's application: the importance of clear and unambiguous identification of obligated parties. Applied to NIS2, this principle means Member States must precisely transpose the sector-based criteria of Annexes I and II into national law to designate essential and important entities. The commentary's emphasis on avoiding situations where entities have no real choice aligns with NIS2's goal of ensuring that all designated entities are definitively within scope and understand their obligations. Furthermore, Recital 24 NIS2 highlights the need for coordination where sector-specific Union law imposes equivalent reporting duties, requiring that incident notifications are routed to the competent authorities under NIS2 (such as CSIRTs or single points of contact) to ensure consistent handling. This prevents regulatory gaps or overlaps for entities operating under multiple regimes.

Key Considerations

  • Proactive Self-Assessment: Entities in sectors listed in NIS2 Annexes I (essential) and II (important) must proactively assess their classification based on national transposition laws, considering factors like size, turnover, and service criticality, as per Recital 15.
  • Coordination of Reporting Obligations: For entities already subject to sector-specific Union legislation (e.g., in finance or transport), internal procedures must ensure that incident reporting complies with the specific channel mandated by NIS2 authorities, as referenced in Recital 24, to avoid non-compliance due to misdirected reports.
