NIS 2 Directive, Proposal 16.12.2020

The NIS 2 Directive, Scope

Article 2, NIS 2 Directive (Proposal 16.12.2020).


1. This Directive applies to public and private entities of a type referred to as essential entities in Annex I and as important entities in Annex II. This Directive does not apply to entities that qualify as micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC.

2. However, regardless of their size, this Directive also applies to entities referred to in Annexes I and II, where:

(a) the services are provided by one of the following entities:

(i) public electronic communications networks or publicly available electronic communications services referred to in point 8 of Annex I;

(ii) trust service providers referred to in point 8 of Annex I;

(iii) top-level domain name registries and domain name system (DNS) service providers referred to in point 8 of Annex I;

(b) the entity is a public administration entity as defined in point 23 of Article 4;

(c) the entity is the sole provider of a service in a Member State;

(d) a potential disruption of the service provided by the entity could have an impact on public safety, public security or public health;

(e) a potential disruption of the service provided by the entity could induce systemic risks, in particular for the sectors where such disruption could have a cross-border impact;

(f) the entity is critical because of its specific importance at regional or national level for the particular sector or type of service, or for other interdependent sectors in the Member State;

(g) the entity is identified as a critical entity pursuant to Directive (EU) XXXX/XXXX of the European Parliament and of the Council [Resilience of Critical Entities Directive], or as an entity equivalent to a critical entity pursuant to Article 7 of that Directive.

Member States shall establish a list of entities identified pursuant to points (b) to (f) and submit it to the Commission by [6 months after the transposition deadline]. Member States shall review the list, on a regular basis, and at least every two years thereafter and, where appropriate, update it.

3. This Directive is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security in compliance with Union law.

4. This Directive applies without prejudice to Council Directive 2008/114/EC and Directives 2011/93/EU and 2013/40/EU of the European Parliament and of the Council.

5. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of essential or important entities.

6. Where provisions of sector-specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.

Note: This is not the final text of the NIS 2 Directive. This is the text of the NIS 2 Directive Proposal of 16.12.2020.