Affected Sectors

Under the EU’s NIS 2 Directive, there are 18 sectors classified as critical for cybersecurity and resilience. These sectors are divided into essential and important categories.

Essential Sectors

The Essential Sectors under the EU NIS 2 Directive are critical to national security and societal functions. They include energy, transport, banking, healthcare, digital infrastructure, and public administration, among others. These sectors are vital for ensuring the continuity and safety of essential services that underpin daily life and economic stability.
Energy
Transport
Banking (Extending DORA’s requirements)
Financial Market Infrastructures (Extending DORA’s requirements)
Health
Drinking Water
Waste Water
Digital Infrastructure
Public Administration
Space

The Regulation (EU) 2023/2450 supplements Directive (EU) 2022/2557 and establishes a non-exhaustive list of essential services within the European Union. The regulation aims to enhance the resilience of critical entities by providing a framework for identifying and protecting services vital to societal functions and economic activities. This regulation outlines the specific sectors and subsectors deemed essential, ensuring that Member States have a clear reference for safeguarding these critical infrastructures against potential threats and disruptions. By doing so, the regulation contributes to the overall security and stability of the EU’s internal market, ensuring that essential services remain operational and resilient in the face of various challenges.

Important Sectors

The Important Sectors under the EU NIS 2 Directive support essential societal and economic functions, ensuring the continuity of services like waste management, food production, manufacturing, and digital infrastructure, which are vital for public safety, economic stability, and everyday life.
Postal and Courier Services
Waste Management
Chemical Industry
Food Production, Processing, and Distribution
Manufacturing
Digital Providers
Research
Production and Distribution of Essential Medicines and Medical Devices

The Impact on MSPs and IT Companies as Digital Providers

Managed Service Providers (MSPs) and IT companies, classified as Digital Providers under the EU NIS 2 Directive, face significant new responsibilities. They are now required to enhance their cybersecurity measures and ensure compliance with stricter regulations. This includes implementing robust security practices, conducting regular risk assessments, and reporting incidents promptly.

The directive also significantly increases the accountability of these companies, making them directly liable for any failures or lapses in their services that lead to cybersecurity breaches in their clients’ systems. This shift demands a much higher level of vigilance, transparency, resilience, and proactive security management across all operations.

MSPs and IT companies must also invest in advanced technologies and training to meet the directive’s requirements. This may include adopting sophisticated monitoring tools, improving incident response capabilities, and ensuring that their staff is well-versed in the latest cybersecurity practices. Failure to comply can result in substantial fines and damage to their reputation.

These companies must prepare for increased scrutiny from regulators and clients. The directive mandates that they maintain transparency in their operations and security protocols, which could lead to more frequent audits and assessments. This necessitates a comprehensive approach to cybersecurity that aligns with the stringent standards set by the NIS 2 Directive.
