Key takeaways
- Always start with a legal analysis for NIS2.
- The classification as an essential or important entity determines your entire process.
- Do not forget the consolidation requirement when calculating your size.
- Check whether you fall under less obvious NIS2 categories, as these are often overlooked. Think in particular of cloud services or managed services.
- Determine whether the implementing regulation applies to your organisation.
- Incorrect qualifications lead to wrong or unnecessary measures, missed deadlines and potentially heavier sanctions.
The NIS2 Directive is clear: organisations classified as “essential” or “important” must raise their cyber security to an (even) higher level. But before you plan technical measures or start an action plan, there is one step that absolutely must come first: a legal analysis of how the NIS2 Directive applies to your organisation.
We have seen it so often in practice: an IT service provider promises to make your organisation “NIS2-compliant”, but experience shows that they prefer to ignore the legal aspect, or that the legal analysis they deliver is incomplete or incorrect.
Without that (correct) legal analysis, however, you risk making incorrect assumptions about your obligations, deadlines and responsibilities. The result? Delays, double costs or even, in the worst case, sanctions. In this blog post, we explain why a legal analysis is important and how you can approach it.
Why a legal analysis is essential
The NIS2 Directive distinguishes between different types of entities, namely essential entities and important entities. Whether you are an essential or important entity depends on the size and activities of your organisation. This analysis is carried out at the level of each entity (within the group, if applicable).
The challenge? This classification can be complex.
Without a legal assessment, you will not know:
- The size of your organisation.
- Which NIS2 activities your organisation falls under.
- Which law applies to your organisation. After all, the NIS2 Directive must be transposed into national legislation, which can vary from country to country, so you need to know which NIS2 law applies to your organisation. It is even possible that several laws apply at the same time, in which case you must apply the strictest applicable NIS2 law.
- Whether you are required to carry out a mandatory conformity assessment and, if so, on which reference framework you will carry out (or have carried out) that assessment.
- When to take the right action. There is a transition period for implementing security measures, but what exactly you need to do and when depends on your classification.
- How you will be monitored. Your organisation’s classification determines whether you can be inspected preventively by the supervisory authority, or whether this is only possible after an incident or if there are other objective indicators that you are not complying with the NIS2 Act.
- What penalties you face for non-compliance. The maximum amount of the administrative fine depends on your classification. But it’s not just about fines. If you are an essential entity, even the CEO can be removed from office.
And if you start off on the wrong foot, you risk wasting resources.
Plan a legal pre-scan before you start any technical or organisational actions. Use a checklist based on the directive for this.
Essential or important? The underestimated impact of your qualification
The basis (and starting point) of any NIS2 approach lies in your qualification: are you an essential or important entity?
NIS2 scope calculation: do not forget to include your partners’ figures!
Many organisations make an initial mistake when determining their size, namely by not consolidating the figures as required. This concerns figures such as FTEs, annual balance sheet total and annual turnover. The European Commission stipulates that you must also include, to a certain extent, the figures of affiliated and partner organisations in the calculation, which therefore also means partner and subsidiary companies.
Without consolidating the correct figures, you may wrongly conclude that you are an “important” entity, when you should be considered “essential”. This has major consequences for the rest of your process and for the liability of the governing bodies.
NIS2 categories: more than you think
When people hear NIS2, they often immediately think of the most critical sectors such as healthcare or energy.
In reality, we see that there are also many less obvious NIS2 categories such as cloud service providers, managed service providers, and online platforms that can have an impact on your qualification.
Please note: one organisation can wear several hats. A hospital with an IT department that also provides digital services to other healthcare institutions (as a secondary activity) can also be classified as a managed service provider (MSP). For your classification, it does not matter whether it is a primary or secondary activity. Secondary activities also count in full.
Without this legal analysis, you will miss the full picture and risk overlooking categories that are relevant to you.
So be sure to review all categories in the NIS2 annexes and assess whether you may fall under them. In practice, such an assessment often requires a very good understanding of exactly what your organisation does. However, most organisations lack this general overview, so it is necessary to investigate this, for example by talking to a few key people within the organisation.
The implementing regulation: applicable or not?
In addition to the NIS2 Directive, there is also an implementing regulation, which imposes additional technical and organisational measures on specific categories of NIS2 entities and determines when an incident is a “significant” incident that must be reported to the supervisory authority.
This implementing regulation applies, for example, to:
- Cloud service providers
- Managed service providers (MSPs) that provide (IT) services to other companies
- Digital services with a wide reach
At first glance, this regulation may not seem to apply to your organisation, for example because your organisation does not provide cloud services or managed services as its main activity. However, as soon as you offer cloud services or managed services to other organisations, you may still fall under its scope (such as the example of the hospital that provides IT services to other institutions). After all, it does not matter for the qualification under the NIS2 Directive that the cloud service or managed service is only a sub-activity.
Supervision and deadlines: What can you expect?
Essential entities are monitored by the supervisory authority both before and after the fact. They are required to have their compliance with the rules verified. The first important deadline for this is April 2026. In practice, this means that the supervisory authority may carry out checks even if no problems have yet arisen.
Important entities are only audited retrospectively, and only if something goes wrong. For example, after an incident or when there are signs that the rules are not being followed.
Anyone who incorrectly qualifies and registers as “important” but is actually “essential” risks not meeting the legal deadlines, with potentially serious consequences and delays.
Enforcement and fines: what if you have been incorrectly classified?
The potential penalties under the NIS2 Directive are severe.
For essential entities, the supervisory authority can impose not only administrative fines, but also administrative measures such as, in the worst case, even the (temporary) removal of the CEO.
For important entities, the supervisory authority may, for example, appoint a kind of crisis manager.
If your organisation has been incorrectly classified, for example due to an incorrect calculation of its size, you may still be treated as an “essential” entity without having met the correct requirements.
Turn your legal analysis into a substantiated file. If the CCB asks questions or if you are faced with an incident, you will be able to justify your classification.
Getting started: how to conduct a legal analysis for NIS2
Want to be legally ready for NIS2? Then follow these steps at a minimum:
Step 1: Gather basic information
- Articles of association of your organisation
- Structure of parent and subsidiary companies and information on participation (e.g. shares)
- Financial figures (annual turnover, balance sheet total, number of employees)
- Overview of services offered and sectors (based on actual practice and not just what is registered in the CBE)
Step 2: Determine your size and consolidate your figures if necessary
Use EC Recommendation 2003/361/EC. Include all affiliated organisations and partner organisations to the extent required by the EC Recommendation.
Step 3: Determine which NIS2 activity you fall under
Check whether you fall under one or more sector categories from the annexes to the NIS2 Directive. Be critical: indirect activities and sub-activities also count.
Step 4: Determine which jurisdiction applies
Based on your legal analysis, you may conclude that it is not the Belgian NIS2 law that applies, but another national NIS2 law, for example. Or several NIS2 laws at the same time. If so, determine how you will deal with this.
Step 5: Analyse your role in the chain and choose the right suppliers
Do you provide digital services to other organisations? If so, check whether you qualify as an MSP or cloud service provider. If you are a customer and fall under the NIS2 Directive, make sure you secure your supply chain. This also means considering how you select your suppliers: choosing a supplier that is not NIS2 compliant only makes contract negotiations more difficult and time-consuming. You then risk delays, or end up agreeing to a contract with suboptimal security guarantees, which could compromise your own NIS2 compliance.
Step 6: Document your qualification
Draw up an internal report with your conclusion and substantiated reasoning. Have this checked by a legal expert, even if your IT service provider claims to have taken the legal aspects into account. Trust is good, but verification is better.
Conclusion
If you want to implement NIS2 correctly, don’t start with technology. And don’t start with awareness campaigns or a supplier audit either. Does your IT service provider claim to take care of the legal aspects as well? Then ask critical questions yourself.
The only correct first step is a legal analysis. It determines, in a legally correct manner, the size of your organisation and the activities it carries out, and therefore whether you are an essential or important entity.
Next, you determine which jurisdiction applies. This is particularly important for international organisations. Does a NIS2 law other than the Belgian one apply? Then analyse the situation in the country concerned. That country may not yet have transposed the NIS2 directive into national legislation. If so, consider how you will deal with this.
Once you know which jurisdiction applies, check whether and how you can obtain a presumption of compliance with local NIS2 legislation. In Belgium, this is done by obtaining an ISO27001 certificate (covering the entire organisation) or a CyberFundamentals certification. Different rules may apply in other countries.
Without this foundation, your NIS2 approach is built on quicksand.