NIS2 Guide · 8 min
Who is in scope for NIS2? Essential vs important entities, sectors and size thresholds
NIS2 applies far more broadly than the original NIS Directive — but not to everyone. Whether your organisation is in scope depends on three things: your sector, your size, and a handful of size-independent exceptions. This guide walks through each test so you can determine your status, and explains why being designated is not the only way the directive reaches you. The transposition deadline (17 October 2024) has passed and Member States are enforcing as they finalise national law.
Two categories: essential and important entities
NIS2 sorts in-scope organisations into two tiers. Both must meet the same baseline security and reporting obligations; the difference is supervision intensity and the maximum penalties that apply.
Essential entities
Large organisations in the highest-criticality sectors (Annex I), plus certain entities designated regardless of size. Subject to proactive (ex-ante) supervision: audits, inspections and information requests can occur without a prior incident.
Important entities
Most other in-scope organisations meeting the size threshold, including the Annex II sectors. Subject to reactive (ex-post) supervision: authorities act when there is evidence of non-compliance.
Which sectors are covered?
NIS2 lists covered sectors in two annexes. Annex I covers sectors of high criticality; Annex II covers other critical sectors. If your core activity falls in either list and you meet the size threshold, you are likely in scope.
Annex I — sectors of high criticality
- Energy (electricity, oil, gas, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (providers, EU reference labs, pharmaceuticals, medical devices)
- Drinking water and waste water
- Digital infrastructure (DNS, TLD registries, data centres, cloud, CDNs, trust services, electronic communications)
- ICT service management, B2B (managed service and managed security providers)
- Public administration (central and regional)
- Space
Annex II — other critical sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing (medical devices, computers and electronics, machinery, motor vehicles, other transport equipment)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organisations
The size threshold
Within a covered sector, NIS2 generally applies only from a minimum size — the 'size-cap' rule. Both headcount and financials are considered.
Large — generally 'essential' (Annex I)
At least 250 employees, or turnover above €50 million and balance-sheet total above €43 million. Large entities in Annex I sectors are typically classified as essential. Large entities in Annex II sectors remain important, not essential.
Medium-sized — generally 'important'
At least 50 employees, or annual turnover and balance-sheet total above €10 million. Reaching the medium-size threshold in a covered sector typically brings you in as an important entity.
Below the medium threshold, micro and small organisations are usually out of scope — unless a size-independent exception applies.
Size-independent exceptions — in scope regardless of size
Some entities are covered no matter how small they are, because of the role they play. These include qualified trust service providers, top-level domain name registries and DNS service providers, providers of public electronic communications networks or services, and entities that are the sole provider of a service essential to societal or economic activity in a Member State.
Public administration bodies and organisations identified as critical under the Critical Entities Resilience (CER) Directive can also be in scope independently of size, and Member States may designate specific entities individually. If you run critical infrastructure or a service with no substitute, check your national authority's designation list rather than relying on the size test alone.
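As an added illustration (not part of the original guide), the three-part test above can be written out as a small scoping check. The entity records are constructed samples, and the tier for size-independent entities is deliberately left to the national designation list, as the guide advises.

```python
from dataclasses import dataclass
from enum import Enum

class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"
    NONE = "not a listed sector"

@dataclass
class Entity:
    name: str
    annex: Annex
    employees: int
    turnover_m_eur: float       # annual turnover, millions of euro
    balance_sheet_m_eur: float  # balance-sheet total, millions of euro
    size_independent: bool = False  # DNS/TLD, qualified trust service, public e-comms, sole provider

def size_class(e: Entity) -> str:
    """Headcount OR the financial pair, with the thresholds the guide states."""
    if e.employees >= 250 or (e.turnover_m_eur > 50 and e.balance_sheet_m_eur > 43):
        return "large"
    if e.employees >= 50 or (e.turnover_m_eur > 10 and e.balance_sheet_m_eur > 10):
        return "medium"
    return "small/micro"

def classify(e: Entity) -> str:
    """Sector test, then size-independent exceptions, then the size-cap rule."""
    if e.annex is Annex.NONE:
        # No direct designation; customers' Art. 21(2)(d) duties may still reach you.
        return "out of scope (sector not listed)"
    if e.size_independent:
        # Covered however small; the tier comes from the national designation list.
        return "in scope regardless of size (tier per national designation)"
    size = size_class(e)
    if size == "small/micro":
        return "out of scope (below the medium-size threshold)"
    if size == "large" and e.annex is Annex.I:
        return "essential"
    return "important"  # medium in Annex I, or medium/large in Annex II

SAMPLE = [  # constructed sample entities, not real organisations
    Entity("regional hospital", Annex.I, 600, 120.0, 90.0),
    Entity("MSSP", Annex.I, 80, 15.0, 12.0),
    Entity("food processor", Annex.II, 300, 200.0, 150.0),
    Entity("DNS provider", Annex.I, 12, 1.5, 1.0, size_independent=True),
    Entity("software vendor", Annex.NONE, 40, 12.0, 8.0),
]
if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.name:18} {size_class(e):12} -> {classify(e)}")
```

Note that the financial test needs both turnover and balance-sheet total above the line, so a 40-person firm with €12M turnover but an €8M balance sheet stays below the medium threshold.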
Not designated? You can still be pulled in through the supply chain
Even if you are not directly in scope, NIS2 reaches you indirectly. In-scope organisations must manage the cybersecurity risk of their suppliers and service providers (Art. 21(2)(d)). In practice that means your customers — banks, hospitals, energy companies, public bodies — will increasingly require evidence of your security posture as a condition of doing business.
So the practical question is rarely just 'am I designated?' It is also 'do my customers fall under NIS2?' If they do, their obligations flow to you through contracts, questionnaires and continuous monitoring — whether or not you are formally an essential or important entity.
What being in scope means in practice
If you are in scope, the core obligations are:
- Risk-management measures — the Art. 21 baseline: risk analysis, incident handling, business continuity, supply-chain security, encryption, access control and more.
- Incident reporting — an early warning to your national CSIRT within 24 hours of a significant incident, a fuller notification within 72 hours, and a final report within one month (Art. 23).
- Governance and accountability — management bodies must approve and oversee the measures and can be held liable; staff training is expected.
- Registration — many entities must register with their national authority, providing contact and sector details.
Essential and important entities meet the same baseline; the tier mainly affects how they are supervised and the maximum penalties that apply.
Source: Directive (EU) 2022/2555 (NIS2), Articles 2–3 and Annexes I–II — consult your national transposition law and supervisory authority for the binding details in your country.
How norppa.io helps
Once you know your suppliers are in scope — or that your customers expect NIS2-grade assurance — norppa.io gives you the continuous evidence both directions need. Every monitored supplier domain is checked daily across 100+ control points, critical events are rechecked every six hours, and findings are mapped automatically to NIS2 articles.
Self-assessment questionnaires (SAQ) go to suppliers directly from norppa.io and combine with the technical risk profile, so process and technical evidence sit in one place — ready for your customers' due diligence or a supervisory audit.