The revised EU directive on the security of network and information systems (NIS2) subjects essential and important entities to the same security risk management and reporting requirements. However, they differ based on supervision.
Essential entities are subject to a fully-fledged supervision (both ex ante and ex post), whereas important entities are only subject to ex post supervision.
The revised directive considers that essential entities (e.g. energy, telecoms, cloud) carry out activities which reflect a higher level of criticality.
As a rule, essential and important entities fall under the jurisdiction of the member states where they are established. However:
- telecoms operators fall under the jurisdiction of the member state in which they provide their services; and
- some cross-border digital providers (e.g. online marketplaces, online search engines), fall under the jurisdiction of the member state in which they have their main establishment in the EU
EU member states are responsible for designating the national competent authority that will oversee compliance with the NIS2.
The NIS2 Directive provides for a minimum list of means through which competent authorities may supervise essential and important entities. For example, authorities can, amongst others conduct on-site and off-site inspections, request access to information and documents.
Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our fourth of five reports outlines the supervisory and enforcement framework laid down by the NIS2 directive.
See also:
Part 1: Scope
Part 2: Common security risk management and reporting requirements
Part 3: Specific obligations for the telecoms, ICT supply chain and digital sectors
For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
27 August 25
5G developments and other regulatory news in the Middle East and North Africa
Our latest MENA Telecoms Update details the most significant regulatory developments taking place in the region between 30 April and 11 August 2025.
14 August 25
Fighting online piracy in Brazil
The latest edition of Cullen International's Fighting Online Piracy benchmark shows that Brazil’s audiovisual sector regulator Ancine and its telecoms regulator Anatel have agreed in writing to collaborate in the fight against the online piracy of media content.
11 August 25
Getting tough on TV advertising in LATAM
The new edition of Cullen International’s benchmark on TV advertising restrictions to protect public health or minors notes developments in Argentina and Brazil.