The European NIS-2 Directive: Does It Apply to You?

6 minute read | June.18.2024

The European Network and Information Security 2 Directive aims to mitigate threats to network and information systems and ensure the continuity of services in the event of cybersecurity incidents. Member States must pass national laws implementing the NIS-2 directive by October 2024.

Despite the looming deadline, uncertainty lingers about which companies must comply with the obligations of the directive. While the categories of companies affected by the material scope are more clearly defined, there is less certainty about the territorial scope, particularly with regard to manufacturing.

3 Things to Know About Who May Face NIS-2 Directive Compliance Obligations:

The directive applies to companies in sectors deemed critical.
The directive applies to companies that provide services or carry out activities in the EU – even if those companies are based outside the EU.
A company that produces part of a protected good outside the EU may face compliance obligations, depending on the specifics.

In More Detail

1. The directive applies to companies in sectors deemed critical.

The directive affects companies in digital infrastructure and other sectors with "high criticality," including:
- Internet node operators.
- DNS service providers.
- TLD name registries.
- Cloud computing service providers.
- Data center service providers.
- Providers of publicly accessible electronic communication services.
Companies in other critical sectors must comply, too, including digital service providers such as:
- Online search engines.
- Online marketplaces.
- Social networks.
Manufacturers of electrical equipment, data processing devices, medical devices and manufacturers in the machinery and automotive industries also face compliance obligations.
The determination whether a company has to comply with the NIS-2 directive is made by Annex I or Annex II of the directive. To further clarify the specific fields of business deemed critical by these Annexes, a company may want to consult a Eurostat list of industries in each sector.
As for size, the directive applies to public or private entities of the types listed in Annex I or II that are classified as medium-sized entities or bigger. Corporate groups generally are considered in their entirety when assessing size. Company associations may also be added, up to a certain degree. Thus, a small subsidiary belonging to a corporate group that provides services or performs activities covered by the directive is likely to also be included.

2. The directive applies to companies that provide services or carry out activities in the EU – even if those companies are based outside the EU.

What does it mean to provide services in the EU?
- The directive does not define the requirement of service provision in the EU, but Article 26(1)(a) gives an initial indication of how to understand this term.
- It mentions providers of public electronic communications networks and services that are not established in the EU but provide services in the EU. Examples include communication service providers offering instant messaging services to EU citizens or omnichannel services enabling B2B communication via email or SMS in the EU.
- The directive also says service provision can mean any activity that does not involve the trade (import and export) of goods and that constitutes a commercial, industrial, craft or professional activity. This means manufacturing industries do not fall under the term "service."
- Merely offering services in the EU is not sufficient to assume applicability of the directive—a company must actually perform services in the EU for the law to apply.
  - Example 1: A research institution outside the EU has an online study program that is offered to and used by European students. The research institution is covered by the directive.
  - Example 2: A social media provider in the United States makes its service available in the EU. European users access this service to share pictures. The social media provider is covered by the directive.
  - Example 3: An automotive manufacturer based in China sells vehicles manufactured in China to customers in the EU. The automotive manufacturer is not subject to the directive because car manufacturing is not a service, and the sale or delivery of vehicles does not fall within the material scope of the directive.
What does it mean to conduct activities in the EU?
- The directive does not define the term "conducting activities." The (draft) national laws published so far (in Hungary, Germany^[1], and Belgium) do not contain any clarifications. (Read our update on Germany's draft law.)
- It seems sensible to understand the conduct of activities as a catch-all term for activities not covered by the term "service."
- Conducting activities in the EU can include any commercial activity carried out in the EU, such as the distribution of goods. However, in the context of the directive, the relevant activity must also fall within the material scope of the directive. For example, manufacturing medical devices is covered by the material scope of the directive under Annex II No. 5(a). According to this wording, the relevant activity can only be seen in manufacturing, not in subsequent distribution. If the manufacturing is conducted outside the EU, the directive would not apply even if the manufactured goods are later distributed in the EU.

3. A company that produces part of a protected good outside the EU may face compliance obligations, depending on the specifics.

This particularly affects the production of vehicle parts outside the EU that are used for vehicle manufacturing in the EU.
For example, a manufacturer that produces vehicles in the UK and sells them in the EU falls within the material scope of the directive, but the directive does not apply because the manufacturing is conducted outside the EU.
Companies are likely not covered by the directive if they manufacture, outside the EU, items such as:
- Computer, electronic and optical products.
- Electronic components and boards.
- TLD name registries.
- Watches and clocks.
- Wiring devices, electric motors, generators and electrical equipment.
- Machinery, motor vehicles, trailers, ships and transport equipment.
However, this only applies if the entire production process takes place outside the EU. If part of the production takes place within the EU, this could lead to the application of the directive in individual cases. It is therefore worthwhile carrying out a detailed check of applicability.

If you have questions, reach out to our authors (Christian Schröder, Tobias Stephan, and Odey Hardan) or other members of the Orrick team.

^[1] The linked draft is dated 07 May 2024. It is expected there will be a new draft in the coming months.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Tobias Stephan Associate, Cyber, Privacy & Data Innovation, Technology & Innovation

Düsseldorf

See my bio

D:+49 211 3678 7610
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Tobias Stephan Associate

Düsseldorf

Being born a „digital native“, Tobias is fascinated by what technology has to offer. That’s why he chose to advise on how best to implement digitization while staying within the framework of the regulations we need in our society, something that has long become a sales argument customers value.

Tobias helps clients to navigate complex data protection issues and advises on the impact of the General Data Protection Regulation (GDPR), data processing and transfer agreements as well as a wide range of further data and privacy implications.

Prior to joining Orrick, Tobias worked as a research associate in the data protection practice of a multinational pharmaceutical company, in the IT and data protection team of a large German accountancy and business advisory firm, as well as the corporate practice of a "big 4" firm.

Dr. Odey Hardan Associate, Strategic Advisory & Government Enforcement (SAGE), Cyber, Privacy & Data Innovation

Düsseldorf

See my bio

D:+49 211 36 78 7 602
E: [email protected]

Practice:

Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Dr. Odey Hardan Associate

Düsseldorf

Prior to joining Orrick, Odey served as a research assistant to a distinguished chair focusing on European law, where he authored several academic papers. Throughout his doctoral studies, he delved deeply into the intricate realms of European, international, and data protection law.

Additionally, Odey contributed to significant legal opinions and gained practical experience by supporting the representation of the German Federal Government in pivotal cases before the Federal Constitutional Court, including the proceedings on the European Patent Convention, CETA and the EU-Singapore Free Trade Agreement.

Before starting his legal practice, he also worked as a research assistant for an international UK-headquartered law firm.

Related Areas

Cyber, Privacy & Data Innovation

Markets

Germany