NIS2 Directive: does it really affect you?

You've heard about the NIS2 directive. Perhaps your CIO or legal department mentioned it in a meeting. But in practical terms, does it affect your organization? And if so, what does it really mean for you? This article gives you the criteria you need to check to find out, in clear, jargon-free language, taking into account the actual situation in France.

What NIS2 is, and what it is not

NIS2 is a European directive published on December 14, 2022 (EU Directive 2022/2555), with a clear objective: to sustainably raise the level of cybersecurity for organizations that are critical to the European economy and society.

Contrary to popular belief, it does not list technical solutions to be deployed. It imposes something much more fundamental: the ability to demonstrate that cyber risks are truly identified, managed, and controlled at the executive level.

NIS2 marks a significant break with its predecessor (NIS1). Whereas NIS1 targeted specific services, NIS2 targets entire entities. In concrete terms: if your organization qualifies, your entire relevant information system falls within the scope, not just a single isolated service.

⚠️ Important point for French companies
The European directive has been published and its principles established. However, France has not yet finalized its national transposition (the draft law on cyber resilience is currently being adopted). This means two things:
  • The substantive obligations defined by the European text apply: they do not depend on national transposition.
  • The practical details (competent authority, notification process, supervision arrangements) are still being finalized.
ANSSI has published a preliminary security framework, but this does not yet have the force of law. The best approach for French organizations is to align themselves with the European framework today, explicitly documenting the assumptions made about national procedures.

How NIS2 determines who is affected: a combination of three criteria

NIS2 qualification is not based on a single criterion. It is the result of a combination of three elements: size, sector, and actual role in the ecosystem. The final qualification is determined by the competent national authority, but the basic criteria are set at the European level.

Criterion 1: Size

The first filter is size. The directive explicitly refers to the European definition of SMEs (Recommendation 2003/361/EC). The correct rule is as follows:

An organization is potentially affected if it employs ≥ 50 people AND its annual revenue OR total balance sheet is ≥ €10 million.

It is not an "either/or" between employees and revenue. It is an "and": both conditions must be met in order to reach the size threshold.

Concrete example: A company with 60 employees, €8 million in revenue, and €7 million in total assets does not exceed the size threshold. A company with 60 employees and €12 million in revenue does exceed it.

Below these thresholds, an organization is in principle outside the scope, but there are important exceptions to this rule (see below).

Important point for groups: size is assessed at the level of the legal entity, not at the consolidated level. A subsidiary may be subject to the rules even if the group is not, depending on its own workforce and figures. However, shared services, IT interconnections, and centralized governance may effectively broaden the scope.

Criterion 2: Industry sector

The second filter is sector-specific. Even if you exceed the size thresholds, you are only affected if you operate in a sector listed in the directive (Annexes I and II).

Essential entities (EE): sectors whose unavailability would have a major systemic impact:

  • Energy (electricity, gas, oil, hydrogen)
  • Transportation (air, rail, sea, road)
  • Banking sector and financial market infrastructure
  • Healthcare (hospitals, laboratories, pharmaceutical R&D)
  • Drinking water and wastewater
  • Critical digital infrastructure (DNS, IXP, cloud, data centers, electronic communications networks)
  • Central public administration

Important entities (IE): key sectors with a real but lesser systemic impact:

  • Digital services (search engines, online marketplaces, social networks)
  • Critical industrial manufacturing (medical devices, IT products, automotive, chemicals)
  • Postal and delivery services
  • Waste management
  • Research

Key reminder: The classification between essential and important entities is not solely sector-based. It depends on the sector (Annex I = essential by default), size, and national decisions. The final classification is determined by the competent national authority, not by the organization itself.

Important note: Actual activity takes precedence over legal classification or NAF code. A company that considers itself to be "outside the sector" may well be subject to the directive depending on what it actually produces or does.

Criterion 3: Categories included regardless of size

This is the criterion that is most often overlooked: certain categories of organizations are covered by NIS2 regardless of their size (Article 2, §2 and §3 of the directive).

These include:

  • DNS service providers
  • Top-level domain name registries (TLDs)
  • Qualified trusted service providers
  • Certain critical infrastructure identified as such by the State
  • Entities explicitly designated by a national authority

For these categories, the size criterion does not apply. A micro-enterprise providing critical DNS services may be fully subject to NIS2.

Criterion 4: Role in the ecosystem

Beyond size and sector, NIS2 takes into account the actual role of an organization in the ecosystem. The directive targets entities whose disruption could have a significant impact on the provision of an essential service.

An organization that is usually outside the scope may be included if it:

  • Is explicitly designated as a critical entity by a national authority
  • Presents a systemic dependency in the chain of a critical or important actor
  • Plays a role for which there is no alternative in the short term

Important nuance: Unlike size or sector, role in the ecosystem is an operational interpretation, not a legal criterion that can be directly enforced by the organization. It applies primarily through designation by the competent authorities.

A focus on IT service providers, MSPs, cloud providers, and MSSPs

Digital service providers occupy a special place in NIS2, and many underestimate their exposure.

These actors may be directly subject to the directive, not only as providers of affected customers. This includes, in particular: cloud service providers, data center operators, managed service providers (MSPs), managed security service providers (MSSPs), and DNS service providers.

For these entities, the directive is supplemented by a directly applicable European implementing regulation (without waiting for national transposition), which describes specific operational expectations tailored to multi-client and pooled services. This text applies immediately, regardless of the transposition status of each Member State.

Double exposure: These service providers are both potentially subject to regulation as entities and subject to increased contractual requirements from their clients who are themselves subject to regulation.

What falls under European law / what depends on national transposition

Level: European law (now applicable)
  Nature: Substantive obligations, qualification criteria
  Concrete examples: Size and sector criteria, EE/IE distinction, governance, risk management, incident reporting, enforcement action for digital service providers

Level: National transposition
  Nature: Practical implementation arrangements
  Concrete examples: Competent authority, operational notification process, supervision and control procedures, coordination with ANSSI

Level: Best practices
  Nature: Possible means of meeting the requirements
  Concrete examples: ISO 27001, internal SOC, specific tools, additional certifications

What distinguishes essential entities from important entities: supervisory regimes

The distinction between essential entities (EE) and important entities (IE) does not only apply to sectors. It determines the applicable supervisory regime, with significant differences:

Dimension: Supervision mode
  Essential entity (EE): Proactive (ex ante): regular checks without waiting for an incident to occur
  Important entity (IE): A posteriori (ex post): mainly in response to an incident or complaint

Dimension: Intensity of controls
  Essential entity (EE): Periodic audits, on-site inspections possible
  Important entity (IE): Signal- or incident-triggered checks

Dimension: Potential sanctions
  Essential entity (EE): Up to €10 million or 2% of global revenue
  Important entity (IE): Up to €7 million or 1.4% of global revenue

What being an EE means in practical terms: the authorities can inspect your organization even if there has been no incident. Evidence of cyber management must therefore be available at all times, not just in a crisis situation.

What NIS2 can penalize

A frequently used phrase deserves clarification: NIS2 does not only penalize the lack of justification for choices. It primarily penalizes the lack of appropriate cyber risk management measures.

The directive provides for:

  • Significant administrative penalties (depending on the category of entity)
  • Personal responsibility of managers
  • The possibility of temporarily prohibiting responsible individuals from practicing

That said, the ability to justify choices in a proportionate and documented manner remains key: an organization that has made informed, traceable decisions consistent with its actual risks is much better positioned than an organization that has accumulated controls without a clear rationale.

The two mistakes to avoid

Field experience shows two symmetrical shortcomings:

Underqualification:

  • Believing you are exempt because you are a "service provider" without checking
  • Focusing on the legal title rather than the actual activity
  • Forgetting that certain categories (DNS, trust services, critical infrastructure) are affected regardless of size
  • Ignoring client dependencies and IT interconnections

Overqualification:

  • Classifying any company above the thresholds as a "large group"
  • Applying heavy-handed measures unrelated to the actual risks
  • Anticipating national requirements that have not yet been finalized as if they were already established

The 4-step method to determine your situation

  1. Check the thresholds using the exact wording: ≥ 50 employees AND (turnover ≥ €10 million OR balance sheet total ≥ €10 million), at the level of the legal entity.
  2. Check whether you are in a category that is included regardless of size (DNS, trusted services, national designation).
  3. Analyze your actual sector of activity: not your NAF code, but what you actually produce or do.
  4. Clearly document your conclusion: whether you are concerned or not, with the reasoning that leads to it.

What this means if you are affected

If your organization is subject to these requirements, the obligations cover four main areas defined by the European text:

  • Governance (Article 20): management approves, oversees, and is responsible for security measures.
  • Risk management (Article 21): structured, documented, proportionate, and regularly reviewed.
  • Incident management and notification (Article 23): ability to detect, respond, and notify in a timely manner.
  • Continuity: operational resilience designed, prepared, and tested for critical services.

Each block involves concrete evidence, not mere statements of principle. As an essential or important entity, you must be able to present them at any time, without waiting for an incident to occur.

👉 Not sure where your organization stands with NIS2? Take our free NIS2 self-assessment and get an initial assessment of your exposure and priorities.