In This Guide
- What NIS2 Scope Means
- The Size-Cap Rule
- Essential Entities (Annex I)
- Important Entities (Annex II)
- Automatic Classification Regardless of Size
- Classification Decision Flowchart
- Essential vs Important in Practice
- Comparison Table
- Micro and Small Enterprise Exemptions
- Multi-Country Operations
- Common Classification Mistakes
- Frequently Asked Questions
- NIS2 significantly expands scope compared to the original NIS Directive, covering 18 sectors and an estimated 160,000+ entities across the EU.
- Entity classification as Essential or Important is determined by two factors: the sector you operate in (Annex I vs Annex II) and your organisation's size (medium vs large).
- The size-cap rule uses two thresholds: medium enterprises (50+ employees or EUR 10M+ turnover) and large enterprises (250+ employees or EUR 50M+ turnover).
- Essential entities face proactive supervision and higher penalties (up to EUR 10 million or 2% of global turnover); Important entities face reactive supervision and lower penalties (up to EUR 7 million or 1.4% of global turnover).
- Certain entities — including DNS providers, TLD registries, trust service providers, and public electronic communications providers — fall in scope regardless of size.
What NIS2 Scope Means and Why Classification Matters
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across Member States. It replaces the original NIS Directive (2016/1148) and dramatically expands both the number of sectors covered and the number of organisations that must comply.
Understanding whether your organisation falls within NIS2 scope — and, if so, whether it is classified as an Essential entity or an Important entity — is the critical first step in compliance planning. This classification determines:
- Your compliance obligations: Both categories must implement cybersecurity risk management measures and report significant incidents, but the specific expectations differ.
- The supervision regime you face: Essential entities are subject to proactive, ex-ante supervision; Important entities are supervised reactively, ex-post.
- The penalties for non-compliance: Essential entities face substantially higher administrative fines.
- Management accountability: Both categories impose personal liability on management bodies, but enforcement intensity varies.
- Registration and notification requirements: Timelines and processes differ between categories in some national transpositions.
Getting this classification wrong — whether by assuming you are out of scope when you are not, or by preparing for the wrong category — can result in regulatory action, reputational damage, and unnecessary expenditure. This guide walks you through the classification logic step by step.
The original NIS Directive covered roughly 7 sectors and applied mainly to large operators of essential services. NIS2 expands to 18 sectors, introduces the size-cap rule to automatically capture medium and large enterprises, and removes the individual designation process that allowed Member States to narrowly define scope. The result is a tenfold increase in the number of entities in scope.
The Size-Cap Rule
NIS2 introduces a size-cap mechanism that replaces the discretionary designation approach used under the original NIS Directive. Under this rule, any entity operating in a covered sector that meets certain size thresholds is automatically within scope.
Size Thresholds Defined
NIS2 relies on the EU definition of small and medium-sized enterprises (Commission Recommendation 2003/361/EC):
| Category | Headcount | Annual Turnover | Balance Sheet Total |
|---|---|---|---|
| Micro enterprise | < 10 employees | ≤ EUR 2 million | ≤ EUR 2 million |
| Small enterprise | < 50 employees | ≤ EUR 10 million | ≤ EUR 10 million |
| Medium enterprise | 50–249 employees | ≤ EUR 50 million | ≤ EUR 43 million |
| Large enterprise | ≥ 250 employees | > EUR 50 million | > EUR 43 million |
For NIS2 applicability, the key dividing line is between small and medium:
- In scope: Entities with at least 50 employees or annual turnover/balance sheet exceeding EUR 10 million, operating in a covered sector.
- Generally out of scope: Micro and small enterprises (fewer than 50 employees and turnover/balance sheet at or below EUR 10 million), unless they fall into a specific exception category.
An entity exceeds the size cap if it meets either the headcount threshold or the financial threshold. A company with 30 employees but EUR 15 million in annual turnover is a medium enterprise and therefore in scope. Conversely, a company with 80 employees and EUR 5 million in turnover is also in scope because it exceeds the headcount threshold. Both criteria are assessed independently.
How to Calculate Headcount and Financials
When determining whether your organisation meets the size-cap thresholds, consider the following:
- Headcount: Count full-time equivalent (FTE) employees, including part-time staff calculated proportionally. This includes all staff employed by the legal entity, not just those in cybersecurity or IT roles.
- Linked and partner enterprises: Under EU SME rules, if your organisation is linked to other enterprises (e.g., through ownership of 25% or more of capital or voting rights), you may need to aggregate headcount and financials across linked entities. This is particularly relevant for subsidiaries of larger groups.
- Turnover: Use the most recent approved annual accounts. For newer entities without a full year of accounts, a bona fide estimate based on the current financial year is acceptable.
Practical example: A SaaS company based in Berlin has 45 employees but EUR 12 million in annual turnover. Despite being below the headcount threshold, the company exceeds the turnover threshold and is therefore classified as a medium enterprise. If it provides cloud computing services (an Annex I sector), it falls within NIS2 scope as an Essential entity.
Essential Entities: Annex I Sectors (High Criticality)
Annex I of the NIS2 Directive lists sectors of high criticality. Large enterprises operating in these sectors are classified as Essential entities. Medium enterprises in these sectors are generally classified as Important entities, unless a Member State designates them as Essential or they fall into an automatic classification category.
The 11 Annex I Sectors
1. Energy
- Electricity: Electricity undertakings, distribution system operators, transmission system operators, electricity producers, nominated electricity market operators, market participants providing aggregation, demand response, or energy storage
- District heating and cooling: Operators of district heating or cooling
- Oil: Operators of oil pipelines, operators of oil production, refining, and treatment facilities, central stockholding entities
- Gas: Supply undertakings, distribution system operators, transmission system operators, storage system operators, LNG system operators
- Hydrogen: Operators of hydrogen production, storage, and transmission
2. Transport
- Air: Air carriers, airport managing bodies, traffic management control operators (EATMN)
- Rail: Infrastructure managers, railway undertakings
- Water: Inland, sea, and coastal passenger/freight water transport companies, managing bodies of ports, operators of vessel traffic services
- Road: Road authorities responsible for traffic management control, operators of intelligent transport systems
3. Banking
- Credit institutions as defined in Regulation (EU) No 575/2013
4. Financial Market Infrastructures
- Operators of trading venues
- Central counterparties (CCPs)
5. Health
- Healthcare providers (hospitals, clinics, laboratories)
- EU reference laboratories
- Entities carrying out research and development activities of medicinal products
- Entities manufacturing basic pharmaceutical products and preparations
- Entities manufacturing medical devices considered as critical during a public health emergency
6. Drinking Water
- Suppliers and distributors of water intended for human consumption, excluding those for which distribution is a non-essential part of their general activity
7. Waste Water
- Undertakings collecting, disposing, or treating urban waste water, domestic waste water, or industrial waste water
8. Digital Infrastructure
- Internet Exchange Point (IXP) providers
- DNS service providers
- TLD name registries
- Cloud computing service providers
- Data centre service providers
- Content delivery network providers
- Trust service providers
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
9. ICT Service Management (Business-to-Business)
- Managed service providers (MSPs)
- Managed security service providers (MSSPs)
10. Public Administration
- Central government entities
- Regional government entities (as defined by Member States based on risk-based assessment)
11. Space
- Operators of ground-based infrastructure owned, managed, and operated by Member States or by private parties that support the provision of space-based services
The digital infrastructure sector under Annex I is particularly expansive. Cloud computing, data centres, CDN providers, and managed service providers are now explicitly in scope. If your organisation provides any form of digital infrastructure service to third parties, you should carefully assess whether you fall into this category. Many technology companies that were out of scope under NIS1 are now captured by NIS2.
Important Entities: Annex II Sectors (Other Critical Sectors)
Annex II of the NIS2 Directive lists other critical sectors. Medium and large enterprises operating in these sectors are classified as Important entities unless a Member State chooses to designate them as Essential.
The 7 Annex II Sectors
1. Postal and Courier Services
- Providers of postal services, including providers of courier services
2. Waste Management
- Undertakings carrying out waste management (collection, transport, treatment, and disposal), excluding those for which waste management is not their principal economic activity
3. Manufacture, Production, and Distribution of Chemicals
- Undertakings carrying out the manufacture, production, or distribution of chemical substances and articles (NACE Rev. 2 Section C, Division 20)
4. Food Production, Processing, and Distribution
- Food businesses engaged in wholesale distribution, industrial production, or processing
5. Manufacturing
- Medical devices: Manufacturers of medical devices and in vitro diagnostic medical devices
- Computer, electronic, and optical products: NACE Rev. 2 Section C, Division 26
- Electrical equipment: NACE Rev. 2 Section C, Division 27
- Machinery and equipment n.e.c.: NACE Rev. 2 Section C, Division 28
- Motor vehicles, trailers, and semi-trailers: NACE Rev. 2 Section C, Division 29
- Other transport equipment: NACE Rev. 2 Section C, Division 30
6. Digital Providers
- Online marketplace providers
- Online search engine providers
- Social networking services platform providers
7. Research
- Research organisations (entities whose primary goal is to carry out applied research or experimental development with a view to exploiting results for commercial purposes), excluding higher education institutions
Practical example: A German logistics company with 120 employees and EUR 25 million turnover that provides courier services across the EU is an Important entity under Annex II (postal and courier services). It must implement cybersecurity risk management measures and report significant incidents, but will face reactive supervision rather than proactive oversight.
Entities Automatically Classified Regardless of Size
Whilst the size-cap rule generally excludes micro and small enterprises, Article 2(2) of NIS2 identifies several categories of entities that fall within scope regardless of their size:
- Trust service providers: Both qualified and non-qualified trust service providers under eIDAS
- DNS service providers: Any entity providing DNS resolution services to Internet end users or other entities
- TLD name registries: Entities responsible for the administration of a top-level domain name
- Providers of public electronic communications networks or services: Including small telecoms operators
- Public administration entities: Central government entities of Member States
- Sole provider entities: Where an entity is the sole provider of a service in a Member State that is essential for the maintenance of critical societal or economic activities
- Entities whose disruption could have significant impact: Where the service disruption could have a significant impact on public safety, public security, or public health
- Entities whose disruption could cause systemic risk: Where disruption could induce significant systemic risks, in particular for sectors where such disruption could have a cross-border impact
- Entities identified as critical due to specific national importance: Based on their importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State
- Entities identified under the CER Directive: Entities identified as critical entities under Directive (EU) 2022/2557 (Critical Entities Resilience Directive)
A small DNS hosting provider with just 10 employees is in scope under NIS2 because DNS service providers are automatically included regardless of size. Similarly, a startup providing qualified electronic signatures with 15 employees falls within scope as a trust service provider. Size does not provide a safe harbour for these specific entity types.
Classification Decision Flowchart
Use this step-by-step logic to determine your NIS2 classification:
Step 1: Sector Check
Does your organisation operate in any sector listed in NIS2 Annex I or Annex II?
→ No: You are outside NIS2 scope. Stop here.
→ Yes: Proceed to Step 2.
Step 2: Automatic Inclusion Check
Is your organisation a DNS provider, TLD registry, trust service provider, public electronic communications provider, or otherwise automatically included (see Article 2(2))?
→ Yes: You are in scope regardless of size. If you are in an Annex I sector, you are likely an Essential entity. Proceed to Step 4 for confirmation.
→ No: Proceed to Step 3.
Step 3: Size-Cap Check
Does your organisation have at least 50 employees or annual turnover/balance sheet exceeding EUR 10 million?
→ No: You are a micro or small enterprise and generally outside scope. Stop here (but check whether your Member State has applied additional designations).
→ Yes: You are within NIS2 scope. Proceed to Step 4.
Step 4: Essential or Important?
Are you a large enterprise (250+ employees or EUR 50M+ turnover) in an Annex I sector?
→ Yes: You are an Essential entity.
→ No: Are you a medium enterprise in an Annex I sector or a medium/large enterprise in an Annex II sector?
→ Yes: You are an Important entity (unless your Member State has designated you as Essential).
→ No: Check with your national competent authority for specific designations.
Practical example: A hospital group in the Netherlands with 500 employees and EUR 80 million in turnover operates in the health sector (Annex I). It is a large enterprise in a high-criticality sector, so it is classified as an Essential entity. A medical device manufacturer in the same country with 75 employees and EUR 20 million in turnover operates in manufacturing (Annex II). It is a medium enterprise in an "other critical" sector, so it is classified as an Important entity.
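The size-cap rule and the four-step flowchart above can be encoded as a small triage script, which is useful when a group has many legal entities to assess. The Python below is an added example, not code from the original guide or from any NIS2 authority. It implements the either-criterion size reading this guide uses (headcount or a financial figure above the ceiling moves the entity up a class), assumes linked-enterprise aggregation has already been applied to the figures entered, and the `Entity` fields, the `national_designation` flag and the `max_fine_meur` helper are illustrative assumptions rather than anything defined by the Directive.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Size ceilings from Commission Recommendation 2003/361/EC (figures as in the size table above).
MEDIUM_MIN_HEADCOUNT = 50
LARGE_MIN_HEADCOUNT = 250
SMALL_MAX_TURNOVER_MEUR = 10.0
SMALL_MAX_BALANCE_MEUR = 10.0
MEDIUM_MAX_TURNOVER_MEUR = 50.0
MEDIUM_MAX_BALANCE_MEUR = 43.0

# Minimum penalty ceilings set by the Directive: (fixed EUR million, share of worldwide turnover).
FINE_CEILINGS = {"Essential": (10.0, 0.02), "Important": (7.0, 0.014)}


class Annex(Enum):
    NONE = "not in a covered sector"
    ANNEX_I = "Annex I (high criticality)"
    ANNEX_II = "Annex II (other critical)"


class Size(Enum):
    SMALL = "micro or small"  # both sit below the size cap, so they are not told apart here
    MEDIUM = "medium"
    LARGE = "large"


@dataclass
class Entity:
    name: str
    annex: Annex
    headcount: int                              # FTEs, already aggregated with linked enterprises where required
    turnover_meur: float                        # annual turnover, EUR million
    balance_sheet_meur: Optional[float] = None  # EUR million; None = not reported
    automatic_inclusion: bool = False           # Article 2(2) category, e.g. DNS provider, TLD registry, TSP
    national_designation: Optional[str] = None  # "Essential" or "Important" if designated by a Member State


@dataclass
class Classification:
    in_scope: bool
    category: Optional[str]  # "Essential", "Important" or None
    size: Size
    reason: str


def size_category(e: Entity) -> Size:
    """Size-cap check as described in this guide: a ceiling is exceeded when the headcount
    threshold OR either financial threshold is met. The Recommendation itself treats turnover
    and balance sheet as alternatives (staying within one of the two keeps the smaller class),
    so near a threshold re-check against the full SME definition, not this simplification."""
    balance = e.balance_sheet_meur if e.balance_sheet_meur is not None else 0.0
    if (e.headcount >= LARGE_MIN_HEADCOUNT
            or e.turnover_meur > MEDIUM_MAX_TURNOVER_MEUR
            or balance > MEDIUM_MAX_BALANCE_MEUR):
        return Size.LARGE
    if (e.headcount >= MEDIUM_MIN_HEADCOUNT
            or e.turnover_meur > SMALL_MAX_TURNOVER_MEUR
            or balance > SMALL_MAX_BALANCE_MEUR):
        return Size.MEDIUM
    return Size.SMALL


def classify(e: Entity) -> Classification:
    """Walk the four-step decision flowchart and return the outcome with the step that decided it."""
    size = size_category(e)
    # Step 1: sector check
    if e.annex is Annex.NONE:
        return Classification(False, None, size, "Step 1: not in an Annex I or Annex II sector")
    # Step 2: automatic inclusion applies regardless of size (Article 2(2))
    if e.automatic_inclusion:
        category = e.national_designation or ("Essential" if e.annex is Annex.ANNEX_I else "Important")
        return Classification(True, category, size,
                              "Step 2: automatically included regardless of size; confirm with the competent authority")
    # Step 3: size-cap check
    if size is Size.SMALL:
        if e.national_designation:
            return Classification(True, e.national_designation, size,
                                  "Step 3: below the size cap but designated by the Member State")
        return Classification(False, None, size,
                              "Step 3: micro/small enterprise, generally out of scope (check national designations)")
    # Step 4: Essential or Important
    if e.national_designation:
        return Classification(True, e.national_designation, size, "Step 4: Member State designation applies")
    if size is Size.LARGE and e.annex is Annex.ANNEX_I:
        return Classification(True, "Essential", size, "Step 4: large enterprise in an Annex I sector")
    return Classification(True, "Important", size,
                          "Step 4: medium enterprise in Annex I, or medium/large enterprise in Annex II")


def max_fine_meur(category: str, worldwide_turnover_meur: float) -> float:
    """Penalty ceiling in EUR million: the fixed amount or the turnover share, whichever is higher."""
    fixed, share = FINE_CEILINGS[category]
    return max(fixed, share * worldwide_turnover_meur)


if __name__ == "__main__":
    # Constructed sample entities mirroring the worked examples in this guide.
    samples = [
        Entity("Hospital group (NL)", Annex.ANNEX_I, headcount=500, turnover_meur=80.0),
        Entity("Medical device maker (NL)", Annex.ANNEX_II, headcount=75, turnover_meur=20.0),
        Entity("DNS hosting provider", Annex.ANNEX_I, headcount=10, turnover_meur=1.5, automatic_inclusion=True),
        Entity("Small MSSP", Annex.ANNEX_I, headcount=25, turnover_meur=4.0),
        Entity("Small MSSP, designated", Annex.ANNEX_I, headcount=25, turnover_meur=4.0,
               national_designation="Important"),
    ]
    for s in samples:
        c = classify(s)
        fine = f", fine ceiling EUR {max_fine_meur(c.category, s.turnover_meur):.1f}M" if c.category else ""
        print(f"{s.name}: in_scope={c.in_scope} category={c.category} size={c.size.value} ({c.reason}){fine}")
```

Because the script records which flowchart step decided the outcome, its output doubles as the audit trail a competent authority or auditor may ask for; the designation flag is the hook for the Member State transposition checks this guide repeatedly recommends.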
What Essential vs Important Means in Practice
Whilst both Essential and Important entities must comply with the core NIS2 requirements — cybersecurity risk management measures (Article 21) and incident reporting obligations (Article 23) — the practical implications of each classification differ significantly.
Supervision Regime
Essential entities are subject to an ex-ante (proactive) supervision regime. This means competent authorities may:
- Conduct regular and targeted audits, including on-site inspections and off-site remote supervision
- Request evidence of compliance at any time
- Perform ad hoc audits triggered by significant incidents or credible information about non-compliance
- Issue binding instructions requiring the entity to take specific actions to remedy deficiencies
- Require entities to undergo security audits by a qualified independent body
Important entities are subject to an ex-post (reactive) supervision regime. Authorities will generally investigate only when:
- Evidence of non-compliance is brought to their attention (e.g., through incident reports, third-party complaints, or media reports)
- Specific indicators of risk or concern emerge
- The entity has been involved in a significant cybersecurity incident
Incident Reporting
Both categories share the same multi-stage incident reporting process:
- Early warning: Within 24 hours of becoming aware of a significant incident
- Incident notification: Within 72 hours, including an initial assessment of severity, impact, and indicators of compromise
- Final report: Within one month, providing a detailed description of the incident, root cause analysis, mitigation measures, and cross-border impact
Penalties
NIS2 establishes minimum penalty thresholds that Member States must implement. National transpositions may set penalties higher than these minimums but not lower.
Essential entities: Administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher).
Important entities: Administrative fines of up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher).
Management Accountability
Both categories impose management body accountability (Article 20). Management bodies of both Essential and Important entities must:
- Approve the cybersecurity risk management measures
- Oversee their implementation
- Undergo cybersecurity training
- Be held liable for infringements
For Essential entities, competent authorities have additional powers to temporarily prohibit natural persons responsible for management functions from exercising their duties if they fail to comply with orders to remedy deficiencies.
Essential vs Important: Side-by-Side Comparison
| Aspect | Essential Entity | Important Entity |
|---|---|---|
| Sectors | Annex I (high criticality): energy, transport, banking, health, digital infrastructure, etc. | Annex II (other critical): postal, waste management, chemicals, food, manufacturing, digital providers, research |
| Typical size | Large enterprises (≥ 250 employees or > EUR 50M turnover) in Annex I sectors | Medium enterprises (50–249 employees or EUR 10M–50M turnover) in any covered sector, or large enterprises in Annex II sectors |
| Supervision | Proactive (ex-ante): regular audits, inspections, compliance requests at any time | Reactive (ex-post): investigations triggered by evidence of non-compliance or incidents |
| Maximum penalties | EUR 10 million or 2% of global annual turnover (whichever is higher) | EUR 7 million or 1.4% of global annual turnover (whichever is higher) |
| Incident reporting | Early warning within 24h, notification within 72h, final report within 1 month | Same: early warning within 24h, notification within 72h, final report within 1 month |
| Risk management measures | Full Article 21 requirements | Full Article 21 requirements (same obligations) |
| Management accountability | Must approve and oversee measures; personal liability; authorities may suspend individuals | Must approve and oversee measures; personal liability |
| Registration | Must register with competent authority; provide entity details, IP ranges, and contact information | Must register with competent authority; same requirements |
| Supply chain obligations | Must address supply chain cybersecurity risks in risk management measures | Same supply chain obligations |
Micro and Small Enterprise Exemptions
As noted above, the NIS2 size-cap rule generally excludes micro and small enterprises from scope. However, this exemption is not absolute, and organisations should not assume they are exempt without careful analysis.
When the Exemption Applies
You are likely exempt if all of the following are true:
- Your organisation has fewer than 50 employees
- Your annual turnover is at or below EUR 10 million
- Your balance sheet total is at or below EUR 10 million
- You are not in a category of automatic inclusion (DNS, TLD, trust services, telecoms, etc.)
- Your Member State has not specifically designated you as Essential or Important
When the Exemption Does Not Apply
Even if you are below the size thresholds, the exemption does not protect you if:
- You are a trust service provider (qualified or non-qualified)
- You are a DNS service provider
- You are a TLD name registry
- You provide a public electronic communications network or service
- You are a central government entity
- You are the sole provider of a service essential for critical societal or economic activities in a Member State
- Your service disruption could cause significant systemic risk, particularly with cross-border impact
- You have been identified as critical under the CER Directive
- Your Member State has designated you as Essential or Important based on your specific importance
Practical example: A small cybersecurity company with 25 employees and EUR 4 million turnover provides managed security services (MSSP) to several large enterprises. Under the general size-cap rule, it would be exempt. However, if the national competent authority determines that disruption to this MSSP could have a significant impact on its clients' security posture and designates it under Article 2(2)(d), the company would be in scope despite its small size. Organisations should monitor national transposition measures closely.
Multi-Country Operations
Organisations operating across multiple EU Member States face additional complexity in NIS2 compliance. The Directive addresses jurisdictional questions in several ways:
Primary Jurisdiction
As a general rule, an entity falls under the jurisdiction of the Member State in which it is established (Article 26(1)). For entities established in multiple Member States, each establishment may fall under the jurisdiction of the respective Member State.
Special Rules for Digital Infrastructure and Digital Providers
For certain types of entities, NIS2 specifies a single jurisdiction regardless of where they operate:
- DNS service providers, TLD registries, cloud computing providers, data centre providers, CDN providers, managed service providers, managed security service providers: Jurisdiction of the Member State where the main establishment is located (i.e., the place of the entity's head office or the place where the decisions on cybersecurity risk management measures are taken)
- Online marketplaces, online search engines, social networking services: Jurisdiction of the Member State where the main establishment is located
- Public electronic communications networks or services: Jurisdiction of the Member State where they provide their services
Coordination Between Member States
Where an entity provides services in multiple Member States but has its main establishment in only one, the competent authority of the Member State of main establishment has primary supervisory responsibility. However, competent authorities in other Member States where the entity provides services may request the primary authority to take supervisory or enforcement actions.
Practical example: A cloud computing company headquartered in Ireland with data centres in Germany, France, and the Netherlands falls primarily under Irish jurisdiction for NIS2 purposes. However, if a significant incident affects users in Germany, the German competent authority may coordinate with the Irish authority on investigation and response.
Entities not established in the EU but providing services within the EU that fall within NIS2 scope must designate an EU representative in one of the Member States where their services are offered. This is particularly relevant for non-EU cloud providers, CDN providers, and digital platform operators serving EU customers.
Common Classification Mistakes
Based on our experience working with organisations on NIS2 readiness, these are the most frequent classification errors we encounter:
1. Assuming "We Are Too Small"
Many organisations assume the size-cap exemption applies to them without checking whether they fall into an automatic inclusion category. DNS hosting providers, trust service providers, and small telecoms operators are commonly caught out by this assumption.
2. Ignoring Linked Enterprise Aggregation
A subsidiary with 30 employees may appear to be a small enterprise, but if its parent company owns 50% or more, the subsidiary may need to aggregate headcount and financials with the parent and other linked enterprises. This can push the subsidiary above the size thresholds. This is one of the most technically complex aspects of NIS2 scope determination.
3. Misidentifying the Sector
Some organisations operate across multiple sectors. For example, a conglomerate that operates both transport services (Annex I) and food distribution (Annex II) may have different parts of the business falling into different classification categories. Each activity must be assessed separately.
4. Confusing NIS2 with NIS1 Scope
Organisations that were not in scope under the original NIS Directive may assume they remain unaffected. NIS2 dramatically expands scope — particularly for managed service providers, cloud computing providers, data centres, waste management, food production, manufacturing, and public administration. Previous exclusion under NIS1 does not indicate exclusion under NIS2.
5. Relying on the Directive Text Alone
NIS2 is a directive, not a regulation. Each Member State must transpose it into national law, and transpositions can include stricter requirements, additional sectors, or lower size thresholds. Organisations must check their specific national transposition — relying solely on the Directive text may lead to an incomplete assessment.
6. Overlooking Medium Enterprise Classification in Annex I
A common misunderstanding is that all entities in Annex I sectors are Essential. In fact, medium enterprises in Annex I sectors are typically classified as Important entities, not Essential. Only large enterprises in Annex I sectors (or those with automatic inclusion) are classified as Essential. This distinction matters for understanding your supervision regime and penalty exposure.
7. Failing to Consider Cross-Border Impact
Even if your organisation is small, if your services have cross-border impact — for instance, a small IXP operator peering networks across multiple countries — a Member State may designate you as in scope based on systemic risk considerations.
Frequently Asked Questions
How do I know if my organisation falls under NIS2 scope?
Your organisation is in scope if it operates in a sector listed in NIS2 Annex I or Annex II and meets the size threshold (medium-sized or larger: at least 50 employees or annual turnover exceeding EUR 10 million). Certain entities such as DNS providers, TLD registries, trust service providers, and sole providers of critical services are in scope regardless of size. Use the decision flowchart in this guide to work through the classification logic step by step.
What is the difference between an Essential and an Important entity under NIS2?
Essential entities are large organisations operating in high-criticality sectors (NIS2 Annex I), subject to proactive ex-ante supervision and penalties up to EUR 10 million or 2% of global annual turnover. Important entities are medium or large organisations in other critical sectors (NIS2 Annex II), subject to reactive ex-post supervision and penalties up to EUR 7 million or 1.4% of global annual turnover. Both categories share the same core cybersecurity risk management and incident reporting obligations.
Are small enterprises exempt from NIS2?
Generally yes — micro and small enterprises (fewer than 50 employees and under EUR 10 million annual turnover) are excluded from NIS2 scope. However, there are important exceptions: trust service providers, DNS service providers, TLD name registries, public electronic communications networks or services, sole providers of essential services, and entities whose disruption could cause significant systemic risk are in scope regardless of size. Member States may also designate additional entities.
When must organisations comply with NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023. EU Member States had until 17 October 2024 to transpose it into national law. Organisations within scope are expected to comply with their national transposition measures from that date onward, though transposition timelines and readiness have varied by country. Organisations should check the status of transposition in their specific Member State.
Does NIS2 apply to organisations outside the EU?
NIS2 primarily applies to entities established in the EU. However, non-EU entities that provide services within the EU — such as DNS providers, cloud computing services, data centre services, content delivery networks, managed service providers, online marketplaces, search engines, or social networking platforms — are also in scope and must designate an EU representative in one of the Member States where their services are offered.