NIS2 Guide · 8 min
Who is in scope for NIS2? Essential vs important entities, sectors and size thresholds
NIS2 reaches far wider than the directive it replaced (NIS1), but not to everyone. Whether it reaches you turns on three questions: what sector you're in, how big you are, and whether you fall under one of a handful of size-independent exceptions. This guide works through each test so you can place yourself, and then explains the quieter route in: the one that catches organisations no authority ever formally designated. The transposition deadline of 17 October 2024 has passed; enforcement starts under each Member State's national law, and not every Member State has finished writing its law yet, so the binding details still vary by country.
Key takeaways
- NIS2 sorts the organisations it covers into essential and important entities, by sector (Annex I/II) and size.
- You're generally in from 50 staff or €10M turnover/balance — plus a few exceptions that apply at any size.
- Even undesignated, you can be pulled in: NIS2 customers push their obligations onto you through contracts.
Two categories: essential and important entities
NIS2 sorts the organisations it covers into two tiers. Both carry the same baseline of security and reporting duties — the tier doesn't change what you must do, only how closely you're watched and how large the fines can grow.
Essential entities
Large organisations in the highest-criticality sectors (Annex I), plus certain entities designated regardless of size. Subject to proactive (ex-ante) supervision: audits, inspections and information requests can occur without a prior incident.
Important entities
Most other in-scope organisations meeting the size threshold, including the Annex II sectors. Subject to reactive (ex-post) supervision: authorities act when they receive evidence, an indication or information that the entity is not complying.
Which sectors are covered?
The covered sectors live in two annexes: Annex I for the sectors of highest criticality, Annex II for the other critical ones. If your core activity sits in either list and you clear the size threshold, you're very likely in.
Annex I — sectors of high criticality
- Energy (electricity, oil, gas, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (providers, EU reference labs, pharmaceuticals, medical devices)
- Drinking water and waste water
- Digital infrastructure (DNS, TLD registries, data centres, cloud, CDNs, trust services, electronic communications)
- ICT service management, B2B (managed service and managed security providers)
- Public administration (central and regional)
- Space
Annex II — other critical sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing (medical devices, computers and electronics, machinery, motor vehicles, other transport equipment)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organisations
The size threshold
Inside a covered sector, NIS2 generally bites only from a minimum size — the size-cap rule — and it weighs both headcount and money.
Large — generally 'essential' (Annex I)
At least 250 employees, or turnover above €50 million and balance-sheet total above €43 million. Large entities in Annex I sectors are typically classified as essential. Large entities in Annex II sectors remain important, not essential.
Medium-sized — generally 'important'
At least 50 employees, or both annual turnover and balance-sheet total above €10 million (the test reads "and" here, in the same way as for large entities: an organisation with fewer than 50 staff stays small as long as either figure is at or below €10 million). Reaching the medium-size threshold in a covered sector typically brings you in as an important entity.
Below the medium threshold, micro and small organisations are usually out of scope, unless a size-independent exception applies. One caveat when you count: NIS2 takes its size test from Recommendation 2003/361/EC, and the rules on partner and linked enterprises in that Recommendation may be applied, so a small subsidiary of a large group should not assume it is small for this purpose without checking how its national law treats group figures.
Size-independent exceptions — in scope regardless of size
Some entities are covered however small they are, because of the role they play rather than their headcount (Art. 2(2)). Qualified trust service providers, top-level domain name registries and DNS service providers, providers of public electronic communications networks or publicly available electronic communications services, and any organisation that is the sole provider in a Member State of a service essential to that country's critical societal or economic activities are all in regardless of size. The same applies where a disruption of your service could have a significant impact on public safety, security or health, or could create significant systemic risk, including across borders.
Central government bodies are in regardless of size, and regional ones where the Member State's risk assessment puts them there. Organisations identified as critical entities under the Critical Entities Resilience (CER) Directive are in scope independently of size as well (Art. 2(3)), and Member States may designate specific entities one by one. If you run critical infrastructure, or a service with no real substitute, check your national authority's designation list rather than leaning on the size test alone.
Not designated? You can still be pulled in through the supply chain
Even when NIS2 doesn't name you directly, it can still reach you — through the customers who are named. In-scope organisations have to manage the cybersecurity risk of their suppliers (Art. 21(2)(d)), and in practice that means your customers — banks, hospitals, energy companies, public bodies — will increasingly make evidence of your security posture a condition of doing business.
So the question is rarely just 'am I designated?' It's also 'do my customers fall under NIS2?' If they do, their obligations flow down to you through contracts, questionnaires and continuous monitoring — whether or not you're formally an essential or important entity yourself.
What being in scope means in practice
If you are in scope, the core obligations are:
- Risk-management measures — the Art. 21 baseline: risk analysis, incident handling, business continuity, supply-chain security, encryption, access control and more.
- Incident reporting — an early warning to your national CSIRT (or, where the Member State so provides, the competent authority) within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, an intermediate status update if the authority asks for one, and a final report within one month (Art. 23).
- Governance and accountability — management bodies must approve and oversee the measures and can be held liable; staff training is expected.
- Registration — many entities must register with their national authority, providing contact and sector details.
Essential and important entities meet the same baseline; the tier mainly affects how they are supervised and the maximum penalties that apply: up to €10 million or 2% of total worldwide annual turnover in the preceding financial year (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities (Art. 34). The personal liability of management bodies under Art. 20 applies in both tiers.
Source: Directive (EU) 2022/2555 (NIS2), Articles 2–3 and Annexes I–II — consult your national transposition law and supervisory authority for the binding details in your country.
How norppa.io helps
Once you know your suppliers are in scope — or that your customers expect NIS2-grade assurance — norppa.io gives you the continuous evidence both directions need. Every monitored supplier domain is checked across more than a hundred control points daily, with the time-sensitive ones re-run every six hours, and each finding is mapped to the NIS2 article it answers to as it's recorded.
Self-assessment questionnaires go to suppliers straight from the portal and sit alongside the technical risk profile, so process evidence and technical evidence live in one place — ready for a customer's due diligence or a supervisory audit.