NIS 2 Directive Article 2 – Scope

• Applicability to Public and Private Entities

• The NIS 2 Directive applies to public and private entities listed in Annex I or II.

• Qualifying entities must meet the criteria of medium-sized enterprises under Recommendation 2003/361/EC or exceed the specified thresholds.

• Exemptions from Article 3(4) Recommendation

• Article 3(4) of Recommendation 2003/361/EC does not apply to the NIS 2 Directive.

• Entities in Annex I or II are subject to the Directive regardless of size.

• Specific Cases of Applicability

• The Directive applies to entities providing services through public electronic communications networks, publicly available electronic communications services, trust service providers, top-level domain name registries, or domain name system service providers.

• The Directive also covers sole providers of critical services in a Member State.

• Entities with the potential for service disruption impacting public safety, security, health, systemic risk, or cross-border effects fall under its scope.

• Entities critical at the national or regional level in their sector or interdependent sectors are included.

• Central or regional public administrations providing essential services are subject to the Directive.

• Extension of Scope

• Entities identified as critical under Directive (EU) 2022/2557 and those offering domain name registration services are covered.

• Member States can extend the Directive to local public administration entities and educational institutions engaged in critical research.

• Respect for Member States Responsibilities

• The Directive acknowledges Member States responsibilities for national security, territorial integrity, and law and order.

• Exemptions are granted to public administration entities in national security, public security, defense, and law enforcement.

• Entities exclusively serving public administration in these areas are also exempt from specific provisions of the Directive.

In conclusion, the NIS 2 Directive Article 2 – Scope defines the entities and services that fall under its regulatory framework, aiming to ensure the security of critical infrastructure and digital services across the European Union. It sets out specific criteria for determining the entities subject to its requirements, emphasizing the importance of cybersecurity in modern-day digital operations.