Am I in scope for NIS2? Essential vs important entities explained

By ComplyBricks · Last reviewed Jul 12, 2026

Whether NIS2 applies to your organisation comes down to three questions: are you in a covered sector, do you meet the size threshold, and are you one of the entities covered regardless of size? Because NIS2 is transposed into national law, the definitive answer sits in your country's implementing legislation — but the directive's logic below is the framework every member state builds on.

The short version

NIS2 applies to "essential" and "important" entities that operate in specific sectors and meet a size threshold — plus a set of entities that are covered regardless of size. If none of those apply, NIS2 generally does not apply to you (subject to your national law, which can extend scope).

Step 1 — Are you in a covered sector?

NIS2 lists covered sectors across two annexes:

  • Annex I — sectors of high criticality: energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management (B2B); public administration; space.
  • Annex II — other critical sectors: postal and courier services; waste management; manufacture and distribution of chemicals; production and distribution of food; manufacturing (such as medical devices, computers and electronics, machinery, motor vehicles); digital providers (online marketplaces, search engines, social networking platforms); research.

If your activities don't fall into these annexes, NIS2 generally won't apply — but check your national transposition, which can add sectors.

Step 2 — Do you meet the size threshold?

NIS2 uses a "size-cap" rule tied to the EU definition of enterprise size. As a rule of thumb, it applies to medium and large organisations — broadly those with at least 50 employees, or more than €10 million in annual turnover or balance-sheet total. Micro and small enterprises below those ceilings are generally out of scope by size alone.

Confirm the exact figures against your national law — they reference the EU's official enterprise-size definition.

Step 3 — Essential or important?

In-scope entities are classified into two tiers:

  • Essential entities: typically the larger organisations in the high-criticality (Annex I) sectors, plus specific entity types regardless of size. They face stricter, proactive supervision.
  • Important entities: the remaining in-scope organisations (for example, medium-sized Annex I entities and Annex II entities). They face lighter, mainly reactive supervision.

The core obligations — the Art. 21 risk-management measures and Art. 23 incident reporting — are broadly the same for both tiers. The difference is the intensity of supervision and enforcement.

Covered regardless of size

Some entities are in scope even below the size threshold. Indicative examples include:

  • providers of public electronic communications networks or services;
  • trust service providers;
  • top-level domain name registries and DNS service providers;
  • an entity that is the sole provider of a critical service in a member state;
  • certain public administration entities.

Treat this as indicative — verify the exact cases in the directive and your national transposition.

Still unsure?

For a quick indicative read, try the NIS2 scope checker — three questions, no sign-up.

Scope can be genuinely complex, especially near a size threshold or in a borderline sector, and national transpositions differ. If you're close to the line, confirm with your national competent authority or a qualified professional. Note that many member states also require in-scope entities to register.

Once you know you're in scope

The efficient next step is to build on a framework you may already run: see how NIS2 and ISO 27001 overlap, and how to comply with both at once.

References

  • NIS2 — Directive (EU) 2022/2555: Art. 2 (scope / size-cap), Art. 3 (essential vs important entities), Annexes I & II (sectors)
  • EU enterprise-size definition — Commission Recommendation 2003/361/EC

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →