06 May 24 | Lisboa
TOL NEWS 64, CYBERSECURITY
NIS2

Changes compared to Directive NIS(1)

The new Directive eliminates the distinction between operators of essential services and digital service providers. Entities are now classified according to their importance into two categories, essential entities and important entities, each subject to a different supervisory regime.

The scope of application has been extended, with the following sectors added to the list of critical sectors:

  • Wastewater and waste management
  • Digital infrastructures
  • ICT service management
  • Public administration
  • Space
  • Postal and courier services
  • Production, manufacture and distribution of chemical products
  • Production, processing and distribution of food products
  • Manufacturing industry
  • Digital service providers
  • Research organisations


All medium and large companies in the sectors provided for are included in the scope. There is also the possibility for each MS to identify smaller entities with a high security risk profile which should be covered by the new Directive.

The Cyber Crisis Liaison Organisation Network (CyCLONe) is established to promote cooperation between national authorities responsible for cyber crisis management. This network will enable coordinated collaboration through information sharing and situational awareness based on tools and support provided by the European Network and Information Security Agency (ENISA).


In the exercise of their supervisory functions regarding essential entities, MS should ensure that competent authorities are empowered to subject such entities to, in particular:

  • On-site inspections and remote supervision, including random checks carried out by qualified professionals
  • Regular and targeted security audits carried out by an independent body or competent authority
  • Ad hoc audits, including in cases justified by a significant incident or infringement of the Directive
  • Security checks based on objective, non-discriminatory, fair and transparent risk assessment criteria, if necessary in co-operation with the entity concerned.

Measures and Documents to Implement

There are 10 key elements all companies must address or implement as part of the applicable measures:

  • Policies on risk analysis and information systems security
  • Incident handling
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including security related aspects concerning the relationship between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber-hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate.

MS must:

  • Adopt a national cybersecurity strategy
  • Designate national Computer Security Incident Response Teams (CSIRTs)
  • Designate a competent national cybersecurity authority
  • Designate a single point of contact (SPOC) to ensure cross-border cooperation between the MS authorities.


MS have until 17th October 2024 to transpose the Directive.

Incident Reporting

  • The Directive establishes the obligation to report incidents, both nationally and internationally, for companies that provide services in the most relevant sectors. These entities must formally register with ENISA.
  • Affected companies have 24 hours from when they become aware of an incident to submit an early warning to the CSIRT or competent national authority. The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after that.
  • Each MS must ensure entities report the appropriate information in order to enable the competent authority to determine the possible cross-border impact of the incident.
  • MS should also ensure that the competent authority forwards the notification to the CSIRT.

Sanctions

  • Essential entities can be subject to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
  • Important entities can be subject to administrative fines of a maximum of at least EUR 7 000 000 or of a maximum of at least 1.4 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
