The revised EU directive on the security of network and information systems (NIS2) subjects essential and important entities to the same security risk management and reporting requirements. However, they differ based on supervision.

Essential entities are subject to a fully-fledged supervision (both ex ante and ex post), whereas important entities are only subject to ex post supervision.

The revised directive considers that essential entities (e.g. energy, telecoms, cloud) carry out activities which reflect a higher level of criticality.

As a rule, essential and important entities fall under the jurisdiction of the member states where they are established. However:
 

• telecoms operators fall under the jurisdiction of the member state in which they provide their services; and
• some cross-border digital providers (e.g. online marketplaces, online search engines), fall under the jurisdiction of the member state in which they have their main establishment in the EU

EU member states are responsible for designating the national competent authority that will oversee compliance with the NIS2.

The NIS2 Directive provides for a minimum list of means through which competent authorities may supervise essential and important entities. For example, authorities can, amongst others conduct on-site and off-site inspections, request access to information and documents.

Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our fourth of five reports outlines the supervisory and enforcement framework laid down by the NIS2 directive.

See also:
Part 1: Scope
Part 2: Common security risk management and reporting requirements
Part 3: Specific obligations for the telecoms, ICT supply chain and digital sectors

For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.