Mon Dec 11 2023

NIS2: Essential entities vs Important entities, what’s the difference?


On Jan. 16, 2023, the second NIS Directive (EU 2022/2555), known as NIS2, came into force to replace the NIS1 Directive. By Oct. 17, 2024, the directive must be transposed into national law by the member states. The Belgian Cybersecurity Center (CCB) recently published its draft proposal.

We’ve already written a blogpost on the key novelties in NIS2 compared to NIS1 and on which companies will be subject to NIS2. In this blog post, we explore the difference between the two categories of companies targeted by NIS2: operators of essential services (“essential entities”) and operators of important services (“important entities”).

A brief review of history: NIS1 targets operators of essential services (OES) and digital service providers (DSPs).

The NIS directive is the EU directive on the security of network and information systems. The first directive, now called NIS1, was adopted by the EU Parliament in July 2016 and came into force on May 10, 2018. At the time, it was the world's first cybersecurity legislation.

The directive was intended to address threats to network and information systems in order to improve the functioning of the digital economy. Network and information systems play a vital role in society, and their reliability and security are essential for economic and social activities. However, the size, frequency and impact of security incidents are increasing, and network and information systems can become the target of malicious actions.

NIS1 is primarily aimed at improving cybersecurity, but it is not in itself a cybersecurity law. It covers any "incident" that impacts a service when that impact has a significant disruptive effect. It also covers impacts that have "non-cyber" causes, for example power outages or natural disasters such as floods.

It applied to two groups: operators of essential services (OES), such as water, transportation and energy infrastructure, and digital service providers (DSPs), such as cloud computing (IaaS, PaaS, SaaS), online marketplaces and online search engines.

The new classification of targeted companies in NIS 2: essential entities and important entities.

NIS 2 thus eliminates the distinction between operators of essential services (so-called "OES") and providers of digital services (so-called "DSPs"). Instead, NIS 2 provides different rules for "essential entities" and "important entities". DSPs have not disappeared from the list of targeted companies, but have been redistributed across the lists of essential and important entities.

"Essential" entities were already defined in NIS1, but some sectors were added in NIS2:

  • Energy (electricity, oil and gas, covering production, storage and transmission activities; hydrogen was added by NIS 2)
  • Drinking water
  • Wastewater (collection, disposal or treatment of municipal wastewater, domestic wastewater or industrial wastewater)
  • Transportation (air, rail, water, road)
  • Banking
  • Financial markets
  • Digital infrastructure (Internet nodes; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communication networks and public electronic communication services)
  • ICT service management (managed service providers and managed security service providers)
  • Governments (central, as well as regional, the latter only risk-based, but excluding defense or national security and law enforcement, as well as the judiciary, parliaments, and central banks)
  • Healthcare (hospitals, but under NIS2 this now also includes reference laboratories, manufacturers of medical devices or pharmaceutical preparations, and others)
  • Space

New in NIS 2 is the introduction of "important" entities, covering the following sectors:

  • Postal and courier services
  • Waste management
  • Accounting firms
  • Digital providers (online marketplaces, online search engines and social networking platforms)
  • Research organisations (excluding education)
  • Production and distribution of chemicals
  • Wholesale and industrial food production and processing
  • Manufacturing of:
    • Medical devices
    • Electrical equipment
    • Motor vehicles, trailers and semi-trailers
    • Machinery and equipment

As we discussed in this blogpost, company size and turnover play a role, and some companies in "important" sectors may be classified as "essential" by national authorities. Some companies in segments that are not part of the sectors targeted by NIS2 may still be designated as important entities.

How are essential entities and important entities treated differently under NIS2?

The requirements are the same

A good overview of the 10 minimum requirements of NIS2 can be found here. It is important to understand that these requirements apply in exactly the same way to both essential and important entities. In other words, there is no lighter regime for important entities.

Supervision applies only to essential entities

Essential entities will be subject to (ex-ante) supervision from the moment NIS2 applies, while important entities will only be subject to ex-post supervision, meaning that action is taken if authorities receive evidence of non-compliance.

Member states determine what supervision consists of in practice. The NIS 2 directive provides the following options:

  • on-site inspections and off-site surveillance, including random checks;
  • regular audits;
  • targeted security audits based on risk assessments or risk-related available information;
  • security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
  • requests for information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies;
  • requests for access to data, documents or information necessary for the performance of their supervisory tasks;
  • requests for evidence of the implementation of the cybersecurity policy, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.

The fines for non-compliance are high, but even higher for essential entities

At the organizational level, non-compliance can lead to large fines imposed by regulatory agencies, as well as potential lawsuits resulting from data breaches caused by a lack of compliance. The fines in NIS 2 are as follows:

  • For essential entities: administrative fines of up to €10,000,000 or at least 2% of the total annual global turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
  • For important entities: administrative fines of up to €7,000,000 or at least 1.4% of the total annual global turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.

Conclusion

The impact of NIS2 on essential and important entities does not differ much when it comes to the controls that must be implemented to comply, as these are the same for companies in both categories.

The operational effort to comply with NIS2 will, however, be significantly higher for essential entities, because they are under continuous supervision, while important entities only have to report on an ad-hoc basis. Note that the supervisory requirements for essential entities, and thus their impact, can vary considerably from country to country!

About Ceeyu and NIS 2

Ceeyu's SaaS platform and professional services are key components of compliance with the NIS 2 requirements on managing and reporting vulnerabilities (through passive scanning, also known as external attack surface management, active scanning techniques, and penetration tests) and on supply chain security risk management.

Dries Plasman

Dries leads the marketing and product management activities at Ceeyu. Before joining Ceeyu, he worked in similar roles at Voxbone (now Bandwidth.com) and Orange. Dries also worked in management consulting (at Greenwich, now EY Parthenon). He is a B2B marketer at heart, with a very strong affinity for technology.
