Compared to its previous version, the new NIS Directive eliminates the distinction between operators of essential services and digital service providers: entities would be classified based on their importance, and divided into two categories: essential and important entities, which will be subjected to different supervisory regimes.
It means that all sectors and organisations coming under NIS2 are of great importance to communities within EU member-states. It is understood that their disruption would cause serious harm to society if they were no longer able to execute their functions. Ultimately, the two categories were created to distinguish the fact that not all sectors impact society at the same scale in the event of an incident. Below, we explore the difference between the two groups — essential and important — and their impact on what changes NIS2 will bring about.
Essential or important?
The introduction of NIS2 will increase the regulatory scope of the original NIS Directive. Specifically, more organisations will have to start complying with the requirements. But what are these requirements, and how will they be enforced?
Duty of care and duty to report
All organisations covered by NIS2 — essential or important — will have to start complying with their duty of care. The Directive contains a list of types of measures that service providers must comply with as a minimum. These include risk assessment to check whether an organisation pays sufficient attention to information systems security, crisis management, and operational continuity in the event of a major cyber incident, and can ensure the security of their supply chain. Further, the duty of care includes ensuring the security of network and information systems, using cryptography and encryption, and having policies and procedures that assess the effectiveness of risk management measures. The reporting obligation will also apply to all organisations covered by NIS2. This reporting obligation will require affected organisations to notify their national authorities within 24 hours of becoming aware of an incident, followed by a 72-hour update and a final assessment one month after.
Monitoring
Both entities have the same duties and obligations; e.g., members of the management bodies of essential and important entities are required to follow training, and must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems. Entities use these for operations or the provision of services to prevent or minimise the impact of incidents on recipients of their or other services.
Essential organisations will also be required to have a proactive preparedness framework to evaluate the impact of mismanagement even without an incident. For the second category, important entities, compliance is expected reactively. This means that these organisations will only be checked for compliance with laws and requirements after an incident. Should it be concluded that insufficient action was taken and requirements were not met, the same sanctions apply to both types of entities.
It is important to note that by 17 April 2025, and every two years after that, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.