NIS2 Directive — Scope Determination

Document owner: Predrag Tasevski (CEO/Founder)
Status: Internal determination — living document, reviewed on regulatory or company-size changes
Last reviewed: 2026-07-10
Disclaimer: This is an internal compliance determination prepared by Unicis Tech OÜ for its own product and organisation. It is not legal advice. It should be reviewed by qualified external counsel, and where relevant confirmed with the Estonian Information System Authority (RIA), before being relied upon in a contractual, regulatory, or dispute context.

1. Purpose

Directive (EU) 2022/2555 (NIS2) requires “essential” and “important” entities in listed sectors to implement cybersecurity risk-management measures and report significant incidents. This document records whether, and to what extent, Unicis Tech OÜ falls within NIS2 scope as a direct regulated entity, what obligations follow indirectly as a supplier to NIS2-regulated customers, and the trigger points that would change this determination.

2. Regulatory Basis

3. Scope Assessment

3.1 Sector test

The Unicis SaaS platform (platform.unicis.tech) is a cloud-hosted, browser-accessed software service. “Cloud computing service” under the EU's harmonised definition (Recital 33) is broad enough to capture SaaS, not only IaaS/PaaS.

Conclusion: sector test is met. Unicis sits within Annex I, Digital Infrastructure, “cloud computing service providers.”

3.2 Size test

Threshold Requirement Unicis Tech OÜ
Essential entity ≥250 employees or >€50M turnover/balance sheet Not met
Important entity ≥50 employees or >€10M turnover/balance sheet Not met
Size-independent category N/A (cloud computing providers excluded from this list) Not applicable

Unicis Tech OÜ's team consists of a small founder-led group plus part-time contractors engaged per project (technical development, EU-project/stakeholder management, marketing). This is well under both the micro-enterprise ceiling (10 employees / €2M) and the small-enterprise ceiling (50 employees / €10M) used by the size-cap rule.

Conclusion: size test is not met. Unicis Tech OÜ is not currently a directly regulated “important” or “essential” entity under NIS2, in Estonia or elsewhere in the EU.

4. Indirect Obligations (Supply-Chain Pressure)

Direct non-applicability does not mean no practical obligation. Article 21(2)(d) requires every NIS2-obligated entity to manage cybersecurity risk in its supply chain, including “security-related aspects concerning the relationships between each entity and its suppliers.” Since a substantial share of Unicis's own customer base consists of EU SMEs that are NIS2-obligated (important or essential entities in their own sectors), those customers are expected to:

This is already partially addressed via the existing Vendor Questionnaires page (which covers Unicis's assessment of *its own* vendors) and the TPSRM page. The inbound direction — responding to customer NIS2-driven security questionnaires about Unicis itself — should draw on this document plus Section 5 below.

5. Article 21(2) Minimum Measures — Voluntary Adoption & Gap Check

Even without formal designation, Unicis adopts the Article 21(2) minimum measures voluntarily, both to satisfy indirect customer pressure (Section 4) and because the product's own value proposition depends on credible security practice (“dogfooding”). Status is cross-checked against the existing MVSP Implementation Overview.

# Article 21(2) Measure Status Where evidenced
a Risk analysis & information system security policies Covered MVSP Business Controls; Unicis Cybersecurity Controls module
b Incident handling Covered IRIS incident management; MVSP “Incident handling” row
c Business continuity, backup, disaster recovery, crisis management Covered Weekly encrypted backups, annual restore tests (MVSP Operational Controls)
d Supply chain security Partial Vendor Questionnaires + TPSRM cover outbound vendor risk; inbound (responding to customer NIS2 questionnaires) not yet formalised as a repeatable process
e Security in system acquisition, development, maintenance incl. vulnerability handling/disclosure Covered SDLC page; Grype/SBOM scanning workflow; `security.txt` intake tracked in IRIS
f Policies to assess effectiveness of risk-management measures Partial Annual MVSP self-assessment exists; no explicit NIS2-Article-21-mapped internal audit yet
g Basic cyber hygiene & cybersecurity training Covered Unicis Awareness Module; OWASP Top 10 dev training
h Cryptography and encryption policies Covered AES-256 at rest, TLS 1.3 in transit (MVSP Application Design Controls)
i HR security, access control, asset management Covered RBAC + SSO + MFA, quarterly access reviews (MVSP Operational Controls)
j MFA / continuous authentication, secured voice/video/text and emergency comms Covered MFA enforced via SSO (TOTP/YubiKey); Jitsi/Element for internal comms

Open items: formalise (d) an inbound customer-questionnaire response process, and (f) an explicit internal audit cycle mapped to Article 21 line items rather than relying solely on the MVSP annual self-assessment.

6. Incident Reporting Ladder (if ever in scope)

Should Unicis Tech OÜ cross the size threshold (Section 7), Estonia's implementation applies the standard NIS2 ladder via RIA/CERT-EE:

Governance: a management body member (or the full board, if none is designated) must formally approve and oversee the risk-management measures and can be held personally liable for material failures — Estonia's implementation is explicit on this point.

7. Review Triggers

This determination should be re-assessed when any of the following occur:

8. References