Are you sure that NIS2 does not apply to your company?

Even secondary or complementary activities can affect whether you are subject to regulation.

Firms that believe that they are not affected by NIS2 should carefully analyse not only their core business activities but also their non-core or ancillary activities. 

Regulation may apply not only to the primary sector of their business, but also to related activities that overlap with regulated areas. For example, firms primarily focused on logistics, manufacturing or retail may be regulated if some of their activities involve critical infrastructure elements or otherwise fall within regulated sectors.

Below you can find 15 examples of activities through which companies can be indirectly regulated: 

  • Can they fall under NIS2?

            Yes, if the charging station also serves external users.

  • Why?
    • EV charging infrastructure operators are subject to regulation if they provide a public service or are part of critical energy infrastructure.
    • A company operating an internal charging network for its own fleet is not subject to regulation.
    • However, if it provides charging to external users (e.g. partner carriers or the general public), it may be considered a regulated entity.
  • Can they fall under NIS2?

            Yes, if they supply electricity to the grid in significant volumes.

  • Why?
    • The NIS2 Directive regulates the energy sector, including electricity generators.
    • If an organisation only uses solar energy for its own consumption, it is not subject to regulation.
    • However, if it supplies significant surpluses to the distribution network, it may be considered part of the energy infrastructure and subject to NIS2 requirements.
  • Can they fall under NIS2? 

            Yes, if they are handling waste of major importance for the protection of public health and the environment.

  • Why?
    • NIS2 regulates areas where disruption could cause serious environmental or health impacts.
    • Companies operating hazardous waste storage, treatment or disposal facilities may be regulated if their infrastructure plays a key role in environmental protection.
  • Can they fall under NIS2? 

            Yes, as long as they support critical supply infrastructure.

  • Why?
    • Logistics services that ensure the distribution of key commodities such as medicines, medical equipment or food can be considered critical infrastructure.
    • If an organisation operates its own fleet for general purposes, it is not subject to regulation.
    • However, if its vehicles provide strategically important supplies, it may fall under NIS2.
  • Can they fall under NIS2? 

            Yes, if their operation is critical to the functioning of the wider infrastructure.

  • Why?
    • The water sector is one of the areas regulated by NIS2.
    • Companies with in-house treatment plants are not subject to regulation if they only treat their own wastewater.
    • However, if their treatment plant provides wastewater treatment for more than one entity or if its failure may have a significant environmental impact, they may be subject to regulation.
  • Can they fall under NIS2? 

            Yes, if they operate an inter-company energy network supplying multiple entities.

  • Why?
    • The energy sector is a key element of NIS2 regulation.
    • If an organisation manages the distribution network for an industrial area, corporate campus or other large site, it may be considered a critical part of the distribution infrastructure and subject to regulation.
    • Companies that draw electricity only for their own operations will avoid regulation, but entities with internal distribution networks may already be subject to cybersecurity requirements.
  • Can they fall under NIS2? 

            Yes, if their services are critical to the healthcare infrastructure.

  • Why?
    • The NIS2 Directive covers healthcare services and related supply chains.
    • Companies that distribute biological material may be considered critical actors if their failure threatens the availability of healthcare.
  • Can they fall under NIS2? 

            Yes, if they provide cybersecurity as a service.

  • Why?
    • The NIS2 Directive covers providers of critical digital services, including cybersecurity operations.
    • If a company manages an in-house SOC for itself only, it is not subject to regulation.
    • However, if it provides cybersecurity services to other organisations, such as external monitoring and incident response, it may be considered a regulated entity.
  • Can they fall under NIS2? 

            Yes, if they provide telecommunications services to other entities.

  • Why?
    • The telecommunications sector is one of the key sectors covered by the NIS2 Directive.
    • If an organisation operates its own data or fibre network and provides its services to external partners (e.g. tenants in an industrial estate), it can be considered an electronic communications provider.
    • The regulation does not apply to organisations that use the network exclusively internally.
  • Can they fall under NIS2? 

            Yes, if they provide cloud services to other entities.

  • Why?
    • NIS2 regulates digital service providers, including cloud computing, hosting centres and data storage.
    • If an organisation manages an internal cloud for its own use only, it is not subject to regulation.
    • However, if it provides cloud or hosting infrastructure to other companies or entities (e.g. affiliates, partners, customers), it may be considered a regulated entity.
  • Can they fall under NIS2? 

            Yes, if they supply critical infrastructure software.

  • Why?
    • Developers of software that manages critical industrial operations may fall under the NIS2 regulation.
    • If their products support the management of power plants, water facilities, transport systems or other regulated infrastructure, they may be considered a key supplier.
    • Companies developing software for their own use only will not usually fall under the regulation.
  • Can they fall under NIS2? 

            Yes, if they provide gas for multiple entities.

  • Why?
    • Natural gas distribution is part of the energy infrastructure covered by NIS2.
    • If an organisation manages an internal gas network that supplies other businesses or tenants on an industrial estate, it may be considered a regulated entity.
    • The use of gas solely for own production is not usually subject to regulation.
  • Can they fall under NIS2? 

            Yes, if they provide transport services to other entities.

  • Why?
    • The transport sector is regulated when its infrastructure serves as a critical node for the transport of goods or people.
    • If an organisation manages its own rail siding or logistics terminal that serves external customers or partners, it may be regulated.
    • Internal transport infrastructure used only for the organisation's own purposes is usually not subject to regulation.
  • Can they fall under NIS2? 

            Yes, if it protects critical infrastructure.

  • Why?
    • The protection of critical facilities (e.g. data centres, power plants, airports) falls under the requirements of cyber and physical security.
    • If a security agency provides protection for these facilities, it may be considered a strategic contractor and subject to the NIS2 requirements.
  • Can they fall under NIS2? 

            Yes, if they have a key role in the healthcare supply chain.

  • Why?
    • The pharmaceutical sector is covered by NIS2 because disruptions in the supply of medicines can have a major impact on public health.
    • If an organisation distributes or stores medicines within a critical supply chain, it may be considered a regulated entity.

Main contact persons

Tomáš Kubíček

Partner, Digital Services • Advisory
Martin Hořický

Partner • Digital Services