04/12/2025
Briefing

This article examines the criteria and thresholds applied under NIS2 for determining which entities are in scope and the extent of their obligations, with a particular focus on micro, small, and medium-sized enterprises (SMEs). We aim to highlight that an entity’s turnover / balance sheet and the number of people they employ are not the sole determining factors in this regard, as many entities which meet these thresholds may still fall within the scope of NIS2, or face additional obligations, where they have access to significant additional resources.

Relevant criteria

Broadly speaking, two criteria are used to determine whether an entity is within scope of NIS2, and the extent of their obligations:

  • The sector within which the entity operates; and
  • The size of the entity (with the important caveat that entities in certain sectors, such as trust service providers, will be in scope regardless of their size).

Based on these criteria, in-scope entities will be deemed either “essential” or “important” under NIS2.

NIS2 & SME thresholds

Entities in sectors of high criticality which qualify as large entities are generally classified as “essential”, while medium-sized enterprises and those in other critical sectors are generally classified as “important”. Entities which qualify as small enterprises or microenterprises are generally excluded from the scope of NIS2 (with some exceptions).

SMEs are defined by reference to the Commission Recommendation of 6 May 2003 (the “Commission Recommendation”), which, read with NIS2, sets out the following thresholds:

  • Large enterprise: at least 250 employees or exceeds €50 million in annual turnover and €43 million in annual balance sheet total.
  • Medium-sized enterprise: fewer than 250 employees and an annual turnover not exceeding €50 million or an annual balance sheet total not exceeding €43 million.
  • Small enterprise: fewer than 50 employees and an annual turnover or balance sheet total not exceeding €10 million.
  • Microenterprise: fewer than 10 employees and an annual turnover or balance sheet total not exceeding €2 million.

However, even if an entity considered in isolation does not meet or exceed the thresholds for any particular category, that is not the end of the NIS2 threshold assessment. Entities can still be caught by the thresholds because the Commission Recommendation requires, in certain circumstances, that an entity factors the data of other entities within its corporate group into its own for purposes of calculating its number of employees and revenue.

This situation arises where entities are deemed to be “partner” or “linked” enterprises of another entity. Enterprises will be considered “partners” where one entity has a non-majority holding in the other (above 25%), and “linked” enterprises in the case of a majority holding. The implication in terms of the NIS2 threshold assessment is that a partner enterprise must add a proportion of its partner’s employee headcount and financial data to its own, while linked enterprises’ data must be fully consolidated.

Member State discretion

NIS2 does envisage Member States exercising some discretion when applying the above SME thresholds. In order to avoid entities being classified as “important” or “essential” where this would be disproportionate, recital 16 provides that Member States may take into account the degree of independence an entity enjoys from its partner or linked enterprises, particularly with regard to its network and information systems.

Having considered this, Member States may determine that the “partner” or “linked” enterprise under assessment does not qualify as a medium-sized enterprise, or does not exceed the medium-sized threshold, if that enterprise would not have exceeded those thresholds had only its own data been taken into account.

Key takeaways

It is crucial for companies operating within the sectors covered by NIS2 to understand how SME thresholds are applied, as this may dictate whether they fall within the scope of NIS2 and whether they are “important” or “essential” entities. This may be particularly important for large multinational groups, where the consolidation of “partner” or “linked” entity data could result in smaller subsidiaries or affiliates being brought within scope.

Member States will have a degree of flexibility when applying these thresholds, though it remains to be seen how this will operate in practice, once NIS2 is fully transposed into Irish law.

We would like to thank Ruairi Doyle for his contribution to this briefing.