Compared to its previous version, the new NIS Directive eliminates the distinction between operators of essential services and digital service providers: entities would be classified based on their importance, and divided into two categories: essential and important entities, which will be subjected to different supervisory regimes.
It means that all sectors and organisations coming under NIS2 are of great importance to communities within EU member-states. It is understood that their disruption would cause serious harm to society if they were no longer able to execute their functions. Ultimately, the two categories were created to distinguish the fact that not all sectors impact society at the same scale in the event of an incident. Below, we explore the difference between the two groups — essential and important — and their impact on what changes NIS2 will bring about.
Essential or important?
The introduction of NIS2 will increase the regulatory scope of the original NIS Directive. Specifically, more organisations will have to start complying with the requirements. But what are these requirements, and how will they be enforced?
Duty of care and duty to report
All organisations covered by NIS2 — essential or important — will have to start complying with their duty of care. The Directive contains a list of types of measures that service providers must comply with as a minimum. These include risk assessment to check whether an organisation pays sufficient attention to information systems security, crisis management, and operational continuity in the event of a major cyber incident, and can ensure the security of their supply chain. Further, the duty of care includes ensuring the security of network and information systems, using cryptography and encryption, and having policies and procedures that assess the effectiveness of risk management measures. The reporting obligation will also apply to all organisations covered by NIS2. This reporting obligation will require affected organisations to notify their national authorities within 24 hours of becoming aware of an incident, followed by a 72-hour update and a final assessment one month after.
Both entities have the same duties and obligations; e.g., members of the management bodies of essential and important entities are required to follow training, and must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems. Entities use these for operations or the provision of services to prevent or minimise the impact of incidents on recipients of their or other services.
Essential organisations will also be required to have a proactive preparedness framework to evaluate the impact of mismanagement even without an incident. For the second category, important entities, compliance is expected reactively. This means that these organisations will only be checked for compliance with laws and requirements after an incident. Should it be concluded that insufficient action was taken and requirements were not met, the same sanctions apply to both types of entities.
It is important to note that by 17 April 2025, and every two years after that, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.