With the new cybersecurity rules, companies in several critical sectors will have to meet certain requirements. The rules generally apply to companies:
- In sectors listed in annexes 1 or 2 in the directive, and which
- Have 50 or more employees, or have an
- Annual revenue and balance total exceeding 10 million EUR
The annexes include essential and important companies in sectors like energy, transport, banking, financial market infrastructure, health, drinking water, and digital infrastructure. Sectors like post and courier services, waste management, chemicals, food, manufacturing, digital services, and research are also included.
Exceptions apply, and some companies may be covered regardless of sector, size, or turnover. This is the case, for example, for trust service providers and top-level domain name registrars.
The rules mean that companies must analyse their business activities to assess whether the rules apply. Companies may be subject to the rules regardless of whether the activity triggering them is a core or ancillary activity.
The new rules trigger stricter supervision and, among other things, fines of up to 2 % of the annual turnover, depending on whether the company is classified as essential or important.
iuno's opinion
Companies are required to register with the competent authority no later than 1 October 2025. Most companies are already well underway in assessing whether the new rules apply to them. Some companies may risk becoming subject to more than one responsible authority. The plan is for the supervising authorities to coordinate their activities once the deadline for registering has passed.
iuno recommends that companies begin preparing for the registration requirement well in advance. Several internal considerations must be made, which may take time to complete, and there might be a requirement to register in more than one EU country.
[Act on measures for securing a high level of cybersecurity (NIS 2 Act) of 29 March 2025]