1. How can I determine if my company is subject to the NIS 2 Directive?
Conduct a comprehensive analysis to determine if your company meets the criteria set by NIS 2. Consider the following:
- Sector of Activity: Check if you operate in a sector designated as essential, such as energy, transport, health, or financial services.
- Company Size: Evaluate based on employee count, annual turnover, and balance sheet size.
- Impact and Criticality: Determine if your services have a significant impact on public security or economic stability.
2. What actions should we take if we conclude that our company is not subject to NIS 2?
- Draft a Compliance Assessment Report: Create a formal document outlining why your company does not meet the NIS 2 criteria.
- Secure Internal Approval: Ensure the Board of Directors formally endorses the assessment.
3. Which documents should be prepared to support our exclusion?
- Assessment Report: A comprehensive analysis explaining the criteria and your conclusions.
- Management Meeting Minutes: Document the Board’s approval of the assessment.
- Review Plan: Schedule periodic reassessment to ensure ongoing alignment with regulatory updates.
4. Should we consult an external expert?
It is recommended but not required. Consulting an expert in cybersecurity and compliance can confirm the accuracy of your evaluation.
5. What if our circumstances change?
If your company grows or regulatory changes occur, re-evaluate your status. Notify the relevant authorities if you then fall under NIS 2.





