Question:
The NIS Directive applies to various private entities deemed "essential," who are subject to security standards set and enforced by a regulator. The process of formulating the list of entities subject to this regulation was hotly debated. A discussion (https://www.theregister.com/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/) of the final outcome is available. What do you think should have been the factors for inclusion in this list? What are the advantages and drawbacks of broadening or limiting the list? In responding to this question, consider also the European Commission's "FAQ - Revision of the Network and Information Security Directive." (https://digital-strategy.ec.europa.eu/en/library/revised-directive-security-network-and-information-systems-nis2)
1. GDPR, Recitals 83, 85-87; Articles 32-34
2. NIS Directive, Recital 48; Articles 1-6, 16, 20
3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Recitals 1-9, 16-17, 19-22, 24, 74; Articles 1, 3-12, 38, 46, 49, 58
4. Voigt and Von dem Bussche, pp. 38-43
5. Cybersecurity Strategy of the European Union