EuroComply

Important Entity (NIS2)

An important entity is a classification under NIS2 Directive Article 3 that applies to medium-sized organisations operating in sectors covered by the Directive, as well as large organisations in the sectors listed in Annex II — the other critical sectors. A medium-sized enterprise for this purpose is one with 100 to 249 employees and an annual turnover between €10 million and €50 million, or a balance sheet between €10 million and €43 million. Annex II sectors include postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing of medical devices and other critical products, digital providers such as online marketplaces and cloud computing services, and research organisations.

Important entities are subject to reactive, ex-post supervision rather than the proactive approach applied to essential entities. This means that competent authorities generally act in response to evidence of non-compliance, a notified incident, or a complaint, rather than initiating audits on a scheduled basis without prior cause. However, the substantive obligations are identical: important entities must implement the same ten categories of cybersecurity measures under Article 21 and must comply with the same incident reporting timelines under Article 23 — early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month.

The primary distinction between the two tiers is the penalty ceiling and the supervisory intensity. Important entities face maximum administrative fines of €7 million or 1.4% of global annual turnover, compared to €10 million or 2% for essential entities. Member states may set higher specific penalties within these ceilings in their national transposition legislation. For an EU SME in a covered sector that falls into the important entity tier, the lower maximum fine should not encourage complacency. Supervisory authorities still have the power to issue binding instructions, require immediate remediation, and impose temporary operational restrictions. Management bodies bear personal responsibility for approving cybersecurity risk management measures and face personal liability for persistent or negligent non-compliance.

The first step for any organisation uncertain about its classification is to carry out a scoping assessment against the Annex II sector definitions and the headcount and turnover thresholds. See the NIS2 compliance guide at eurocomply.app/regulations/nis2


Related terms

NIS2 Directive

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — known as NIS2 — entered into force on 16 January 2023, with member states required to transpose it into national law by 17 October 2024. It replaces the original NIS Directive (2016/1148) and represents a dramatic expansion in scope, bringing thousands of additional organisations across Europe under mandatory cybersecurity requirements for the first time.

NIS2 covers 18 sectors divided into two annexes. Annex I contains highly critical sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II contains other critical sectors including postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, and research organisations. Within these sectors, organisations are classified as essential entities or important entities depending on their size and criticality, with different supervisory regimes and penalty ceilings applying to each tier.

The core obligations in Article 21 require all in-scope organisations to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These measures must cover ten minimum areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; network and information system acquisition and development; policies and procedures to assess cybersecurity risk management measures; basic cyber hygiene practices and training; cryptography and encryption policies; human resources security and access control policies; and the use of multi-factor authentication and secure communication systems.

For an EU SME operating in a covered sector, NIS2 compliance means conducting a scope assessment, implementing the Article 21 measures, registering with your national competent authority, and establishing the processes needed to submit incident notifications within the required timeframes. Management bodies — boards and senior executives — bear personal responsibility for approving and overseeing cybersecurity measures, and can be held personally liable for non-compliance. Fines for essential entities can reach €10 million or 2% of global annual turnover; for important entities, €7 million or 1.4%. See the NIS2 compliance guide at eurocomply.app/regulations/nis2

Essential Entity (NIS2)

An essential entity is a classification under NIS2 Directive Article 3 that identifies organisations facing the most stringent cybersecurity supervision and the highest financial penalties. An organisation is classified as an essential entity if it operates in a sector listed in Annex I of the Directive — the highly critical sectors — and meets the threshold for a large enterprise, defined in EU law as having 250 or more employees or an annual turnover exceeding €50 million with a balance sheet exceeding €43 million. Certain categories of organisations are classified as essential regardless of size: qualified trust service providers, top-level domain name registries, DNS service providers, public electronic communications networks, operators of critical infrastructure identified by member states, and public administration bodies at central level.

Essential entities are subject to proactive, ex-ante supervision by their national competent authority. This means regulators do not wait for an incident before examining compliance — they can conduct audits, request evidence of security measures, and carry out on-site inspections on a scheduled basis or at any time they have reason to believe non-compliance exists. Competent authorities can also require essential entities to submit to security audits carried out by qualified independent bodies.

The Article 21 security obligations that essential entities must implement cover ten domains: risk analysis and security policies; incident handling; business continuity, backup management, and disaster recovery; supply chain security including security in relationships with direct suppliers and service providers; network and information system security in acquisition, development, and maintenance; policies and procedures to assess the effectiveness of cybersecurity measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies, and asset management; and the use of multi-factor authentication, continuous authentication solutions, and secure communications.

For an EU SME that qualifies as an essential entity — even if not yet aware of the classification — the stakes are high. Fines for essential entities in breach of NIS2 obligations can reach €10 million or 2% of global annual turnover, whichever is higher. Management boards bear personal oversight responsibility. See the NIS2 compliance guide at eurocomply.app/regulations/nis2

Incident Reporting (NIS2)

Incident reporting is one of the core operational obligations in NIS2 Directive Article 23, requiring essential and important entities to notify the competent national authority and their national CSIRT — Computer Security Incident Response Team — when they experience a significant cybersecurity incident. The obligation applies from the moment the organisation becomes aware that an incident has occurred, triggering a three-stage notification timeline that is among the most demanding in EU regulatory law.

The first stage is an early warning, which must be submitted within 24 hours of becoming aware of the significant incident. The early warning must indicate, without substantive analysis required at this stage, whether the incident is suspected to be caused by unlawful or malicious acts and whether it is likely to have cross-border impact. The second stage is the incident notification, due within 72 hours of awareness, which must provide an initial assessment of the incident including its severity, impact, and indicators of compromise. The third stage is a final report, due within one month of the incident notification, which must contain a detailed description of the incident, its root cause, mitigating measures taken and ongoing, and any cross-border impact.

A significant incident is defined as one that has caused or is capable of causing severe operational disruption to the services provided or financial losses to the entity concerned, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The NIS2 Directive deliberately uses broad, impact-based thresholds rather than specific technical criteria to capture a wide range of events including ransomware, supply chain compromises, and data breaches affecting system availability.

For an EU SME operating as an essential or important entity, having a pre-built incident response playbook is not optional — it is a compliance prerequisite. The 24-hour early warning timeline in particular requires organisations to have pre-established relationships with their CSIRT, internal escalation paths, and pre-approved notification templates ready to deploy before an incident occurs. Failure to report a significant incident within the required timelines, or providing incomplete notifications, can result in fines of up to €10 million (essential entities) or €7 million (important entities), independent of any penalty for the underlying incident itself. See the NIS2 compliance guide at eurocomply.app/regulations/nis2