In the future, only those organizations operating in high-risk or critical-risk sectors will qualify as obliged entities that either fall within the category of medium-sized enterprises or independently (based on their own headcount and financial data) reach the threshold of 50 employees or an annual turnover of EUR 10 million.
Organizations that do not meet these thresholds, i.e. those that were previously classified as obliged entities solely due to consolidation, will fall outside the scope of the Cybersecurity Act. As a practical consequence of the amendment, a significant number of micro-enterprises and consolidated groups that were previously covered but do not meet the thresholds applicable to medium-sized enterprises will now be released, thereby reducing the administrative burden associated with compliance obligations.