The Directive on Security of Network and Information Systems (NIS2) updates the original NIS 1 to improve cybersecurity across essential and important sectors in the EU, expanding its scope to more industries and introducing stricter requirements.

It addresses:

• Operators of Essential Services (OES) e.g. in the energy, banking, transport, digital infrastructure, ICT service management (B2B) sectors; and
• Operators of Important Services e.g. postal services, waste management, research, digital providers.

It applies to companies that:

• Meet the thresholds
• Have an establishment in the EU
• Are established outside the EU but are offering their services within the EU.

A Digital Service Provider is any legal person that offers a digital service.

• Online Marketplaces:  An online marketplace is a platform facilitating sales or contracts (e.g. app stores). The term does not include online services that function only as an intermediary to third-party services through which a contract can be ultimately concluded.
• Online Search Engines:  An online search engine allows website searches. Search functions that are limited to the content of a specific website, even if the function is provided by an external search engine, are not included in the NIS-Directive. Online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product, are also not included.
• Providers of social networking platforms: A social networking platform that enables communication and content sharing among users across multiple devices.

• Internet Exchange Point providers: Networks for interconnection of autonomous systems.
• DNS service providers, excluding operators of root name servers: Service providers offering domain name resolution.
• TLD name registries: is an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD.
• Cloud computing service providers: Cloud computing services allow access to a scalable and elastic pool of shareable computing resources such as networks, servers or other infrastructure, storage, applications, and services. Three properties qualify a cloud computing service as a cloud service:
  • Scalable Resources
  • Elastic Pool of Resources
  • Shareable
• Different business models such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service) are included in the NIS2.
• Data centre service providers: A data centre is a facility that houses IT and network equipment for data storage, processing, and transport, along with infrastructure for power distribution and environmental control.
• Content delivery network provider is a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers.
• Trust service providers: Offers electronical services for remuneration that includes the creation, verification, and validation of electronical signatures, seals, time stamps, registered delivery services, and related certificates; or creation, verification, and validation of certificates for website authentication; or the preservation of electronic signatures, seals, or related certificates.
• Providers of public electronic communications networks: Offers transmission systems, including infrastructure, switching, routing, and resources that convey signals via wire, radio, optical, or other electromagnetic means, such as satellite, internet, mobile, and cable networks. This includes systems used for radio, television, and broadcasting.
• Providers of publicly available electronic communications services: Is a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:
  • internet access service
  • interpersonal communications service; and
  • services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

• Managed service provider: Provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.
• Managed security provider: A provider that carries out or provides assistance for activities relating to cybersecurity risk management.

When determining whether a company offers their service within the EU, the important information is which markets the company is planning to offer its services to. In order to determine the intention, different factors are considered. The mere accessibility of either the entity's or an intermediary’s website or of an email address or other contact details, or the use of a language which is generally used in the region where the entity is established, is insufficient to ascertain such intention. Instead, factors such as the use of a language or a currency generally used in one or more Member States , and the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union may be an indicator that the entity is intending to offer their services within a region where it doesn’t have its main establishment.

If your company does not have an establishment in the EU but offers the mentioned digital services in these regions, you are generally obliged to appoint a NIS representative. However, the obligation to comply with the NIS2 and to appoint a representative does not apply to companies that do not exceed a certain company size. Excluded are:

• Small Enterprises, which are defined as enterprises which employ less than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed 10 million; and
• Microenterprises, which are defined as enterprises which employ less than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed 2 million

All in all, this means that if your company has less than 50 employees and the annual turnover and/or annual balance sheet total is less than 10 million, you do not have to appoint a representative.

When it comes to entities falling under the scope of the NIS2, the main obligations are the following:

• Cybersecurity risk-management measures: DSPs must identify and take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems which they use in the context of offering their services within the EU.
   Reporting Obligation: Entities are required to follow specific reporting timelines in the event of a significant cybersecurity incident. The key obligations include:
• Early Warning: Report within 24 hours of becoming aware of a significant incident, indicating whether it may involve unlawful acts or have cross-border impact.
• Incident Notification: Submit a detailed incident notification within 72 hours, providing an initial assessment, severity, impact, and available indicators of compromise.
• Intermediate Report: Provide status updates upon request from the relevant authority or CSIRT.
• Final Report: Submit a detailed final report within one month, covering the incident description, root cause, mitigation measures, and potential cross-border impact.
• Representative:  Entities that are not established in the EU but offer certain services within the EU are required to appoint a representative who acts on behalf of the entity. These entities include:
  • DNS service providers
  • Top-level domain (TLD) registries
  • Entities providing domain name registration services
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network (CDN) providers
  • Managed service providers
  • Managed security service providers
  • Providers of online marketplaces
  • Online search engines
  • Social networking services platforms

Unlike the GDPR, which is a uniform law across all EU Member States, the NIS2 has been individually implemented by every Member State into national laws. The applicable national law for your company, qualifying as an essential or important company and exceeding the relevant thresholds:

• If your company has one or more establishments within the EU, then it is governed by the jurisdiction of the Member State where its main establishment is located (i.e. where your head office is);
• If your company is not established within the EU, but provides ICT services, digital infrastructure or digital services within the EU, you must appoint a representative in the a Member State where you offer your services. Your company will then be governed by the jurisdiction of that.

According to Art. 26 (3) of the NIS2-Directive (and most transpositions in national law), Digital Service Providers that:

• are not established in the EU; and
• offer certain digital services within the EU must designate a representative in the EU who is established in one of the Member States in which the services are being offered.

Since NIS2 law is an EU directive implemented differently by each Member State, penalties vary. However, the law lays down some fine frameworks for Member States for non-compliance with the requirement of implementing security measures and incident responses. Following the law, essential entities may be fined up to EUR 10 million or 2% of their total worldwide annual turnover. Important entities may face fines up to EUR 7 million or 1,4% of their total worldwide annual turnover.

The representative should be explicitly designated through a written mandate by the Providers of Digital Services Provider, Digital Infrastructures and ICT Service Managements. It should be possible for the relevant authorities or the Computer Security Incident Response Team (CSIRT) to contact the representative as the representative will act as a local contact point. The representative acts on behalf of the DSP Providers regarding the legal obligations under the NIS law, including incident reporting. The representative will have to comply with the local national laws of where they are established.

Prighter has an end-to-end digital onboarding process in which a Power of Attorney is generated and can be signed online or in paper. Prighter provides dedicated communication channels with the relevant data protection authorities.