Who Must Comply with NIS2? Scope, Sectors, and Size Thresholds

Last verified: March 2026. References Directive (EU) 2022/2555 (NIS2), Annexes I and II. Member State transpositions may add sectors or adjust thresholds — always verify against your national law.

The most common question organisations ask when NIS2 first lands on their radar is deceptively simple: does this apply to us? The answer depends on two things — what sector you operate in, and how large your organisation is. Get both right, and you’ll know not only whether NIS2 applies but also which compliance regime you fall under and what the stakes are if you don’t act.

This guide gives you the complete picture: every sector covered by NIS2, every size threshold, the exceptions that apply regardless of size, and a structured self-assessment to reach a definitive answer for your organisation.

1. NIS2 Scope at a Glance

NIS2 (Directive (EU) 2022/2555) is the EU’s main cybersecurity law, enforceable since 18 October 2024. It applies to organisations that meet two cumulative criteria:

  1. Sector criterion: the organisation operates in one of the 18 sectors listed in Annex I (Essential Entities) or Annex II (Important Entities).
  2. Size criterion: the organisation qualifies as at least a medium-sized enterprise (50+ employees or €10M+ annual turnover and balance sheet total).

Both criteria must be met — with one significant exception: certain entity types fall under NIS2 regardless of size (see Section 5).

| Dimension | Essential Entities (Annex I) | Important Entities (Annex II) |
| --- | --- | --- |
| Number of sectors | 11 sectors | 7 sectors |
| Typical size | Large (250+ employees) in Annex I sectors; some medium-sized entities also qualify | Medium (50–249 employees) in either annex; large entities in Annex II sectors |
| Supervisory approach | Proactive (ex ante): audits, inspections, and compliance checks before any incident | Reactive (ex post): supervision triggered by non-compliance evidence or an incident |
| Maximum fine | €10 million or 2% of global annual turnover (whichever is higher) | €7 million or 1.4% of global annual turnover (whichever is higher) |

Scale of impact: NIS2 is estimated to bring roughly 160,000 entities across the EU into scope — approximately ten times more than its predecessor NIS1. If your organisation operates in any of the 18 sectors and employs 50 or more people, there is a strong chance you are affected.

2. Essential Entities — Annex I Sectors

Annex I covers 11 sectors considered critical to EU society and the economy. Organisations operating in these sectors with 250+ employees (or €50M+ turnover) are automatically classified as essential entities. Medium-sized organisations (50–249 employees or €10–50M turnover) in Annex I sectors are classified as important entities, unless a Member State designates them as essential.

1. Energy

The energy sector covers the full value chain of power and fuel supply:

  • Electricity: operators of electricity generation facilities (above thresholds), transmission system operators (TSOs), distribution system operators (DSOs), electricity supply undertakings, and aggregators, demand response providers, and energy storage operators above the relevant output threshold.
  • District heating and cooling: operators of district heating or district cooling networks.
  • Oil: operators of oil transmission pipelines, oil production, refining and processing facilities, storage and transmission, and central oil stockholding entities.
  • Gas: supply undertakings, distribution system operators, transmission system operators, storage system operators, LNG system operators, and natural gas undertakings.
  • Hydrogen: producers, distributors, and suppliers of hydrogen — a sector added under NIS2 that did not exist in NIS1.

2. Transport

Transport covers all major modes:

  • Air: air carriers used for commercial purposes, airport managing bodies, and air traffic management and control operators (including Functional Airspace Block service providers).
  • Rail: infrastructure managers and railway undertakings (including operators of service facilities).
  • Water: inland waterway, sea and coastal passenger and freight water transport companies, port authorities, and vessel traffic management operators.
  • Road: road authorities responsible for traffic management (excluding public entities for which network and information system security is not the primary activity), and operators of Intelligent Transport Systems (ITS).

3. Banking

Credit institutions as defined in Article 4(1)(1) of Regulation (EU) No 575/2013 — in practice, banks and other licensed deposit-taking institutions operating in the EU.

4. Financial Market Infrastructure

Operators of trading venues as defined in Directive 2014/65/EU (MiFID II), and central counterparties (CCPs) as defined in Regulation (EU) No 648/2012 (EMIR). These are the exchanges, clearing houses, and post-trade infrastructure entities that underpin financial market stability.

5. Health

Healthcare is one of the most significantly expanded sectors under NIS2:

  • Healthcare providers: hospitals, clinics, and other entities providing healthcare as defined in Directive 2011/24/EU.
  • EU reference laboratories: laboratories designated as EU reference laboratories under Regulation (EU) 2022/2371 on cross-border health threats.
  • Research and development: entities conducting research and development of medicinal products as defined in Directive 2001/83/EC.
  • Pharmaceutical manufacturers: entities manufacturing basic pharmaceutical products and preparations (NACE sector C21).
  • Medical device manufacturers: manufacturers of medical devices considered critical during a public health emergency (devices on the union list established under Commission Implementing Regulation (EU) 2022/1107).

6. Drinking Water

Suppliers and distributors of water intended for human consumption as defined in Directive (EU) 2020/2184, excluding distributors for which distribution of water is only a non-major part of their general activity.

7. Waste Water

Undertakings collecting, disposing of, or treating urban waste water, domestic waste water, or industrial waste water as defined in Directive 91/271/EEC — excluding undertakings for which waste water collection, disposal, or treatment is only a non-major part of their activity.

8. Digital Infrastructure

This is one of the most expansive sectors, covering the foundational layer of the digital economy:

  • Internet exchange points (IXPs): facilities providing physical network interconnection between autonomous systems.
  • DNS service providers: providers of DNS resolution services (not operators of root servers, but resolvers and authoritative DNS providers whose services are used by third parties).
  • TLD name registries: managers of top-level domain registries (e.g., country code TLDs, or generic TLDs).
  • Cloud computing service providers: providers of cloud computing services.
  • Data centre service providers: providers of data centre services.
  • Content delivery networks (CDNs): providers of content delivery network services.
  • Trust service providers: qualified and non-qualified trust service providers as defined in Regulation (EU) No 910/2014 (eIDAS) — these are always in scope regardless of size (see Section 5).
  • Public electronic communications networks: providers of public communications networks or publicly available electronic communications services as defined in Directive (EU) 2018/1972 (European Electronic Communications Code) — also subject to size-independent rules for certain categories.

9. ICT Service Management (Business-to-Business)

A category unique to NIS2, covering entities that provide ICT services to other businesses:

  • Managed service providers (MSPs): entities providing IT services (infrastructure management, application management, security monitoring, etc.) on an outsourced basis to business customers.
  • Managed security service providers (MSSPs): entities providing managed cybersecurity services, including threat detection, security operations centre (SOC) functions, and incident response.

MSPs and MSSPs were not covered under NIS1. Their inclusion under NIS2 reflects the supply chain risks that became starkly apparent after incidents like SolarWinds (2020), where attackers used a trusted MSP to compromise thousands of downstream organisations.

10. Public Administration

Central government entities and regional government entities meeting the size criteria. Member States may exclude specific public administration entities from NIS2 scope on grounds of national security, public security, or defence — but the baseline obligation applies to most public authorities above the size threshold. Local government entities are not automatically included under NIS2, though Member States may extend coverage.

11. Space

Operators of ground-based infrastructure supporting space-based services where the disruption of that service would have a significant impact on other NIS2-covered sectors. This covers satellite ground stations, mission control centres, and operators of Earth observation, navigation, and communication satellite services.

3. Important Entities — Annex II Sectors

Annex II covers 7 sectors that are economically important but generally considered to carry slightly lower systemic risk than Annex I entities. Organisations in these sectors with 50+ employees or €10M+ turnover are classified as important entities. Large organisations (250+ employees or €50M+ turnover) in Annex II sectors may be designated as essential by Member States in some cases.

1. Postal and Courier Services

Postal service providers as defined in Directive 97/67/EC, including universal service providers and courier operators handling domestic and cross-border delivery of parcels, packages, and express mail. Major courier firms (DHL, FedEx, UPS, DPD equivalents) operating in the EU fall into this category.

2. Waste Management

Undertakings carrying out waste management as defined in Directive 2008/98/EC — covering collection, transport, treatment, and disposal of waste (excluding undertakings for which waste management is only a non-major activity). Landfill operators, waste-to-energy plants, and hazardous waste handlers are typical examples.

3. Manufacture, Production and Distribution of Chemicals

Undertakings carrying out chemical manufacturing, production, and distribution as defined in Regulation (EC) No 1907/2006 (REACH). This covers bulk chemicals, specialty chemicals, agrochemicals, and chemical distributors above the size threshold.

4. Production, Processing and Distribution of Food

Food businesses as defined in Regulation (EC) No 178/2002, limited to large enterprises and medium-sized enterprises engaged in food production, processing, and distribution. Large supermarket chains, food manufacturers, and major distributors are the entities primarily in scope, not individual restaurants or small food retailers.

5. Manufacturing

NIS2 includes six specific manufacturing sub-sectors:

  • Medical devices and in vitro diagnostic medical devices (excluding those in the Annex I critical device list): manufacturers subject to Regulation (EU) 2017/745 or 2017/746.
  • Computers, electronic and optical products (NACE sector C26): semiconductor manufacturers, computer OEMs, and electronics component producers.
  • Electrical equipment (NACE sector C27): manufacturers of motors, generators, transformers, switchgear, and consumer electronics.
  • Machinery and equipment not elsewhere classified (NACE sector C28): industrial machinery, agricultural equipment, and tooling manufacturers.
  • Motor vehicles, trailers and semi-trailers (NACE sector C29): automotive manufacturers and major Tier 1 automotive suppliers.
  • Other transport equipment (NACE sector C30): aerospace manufacturers, shipbuilders, railway rolling stock manufacturers, and military vehicle producers.

6. Digital Providers

Three specific categories of digital service providers:

  • Online marketplaces: platforms enabling businesses or consumers to conclude sales contracts with other businesses or consumers, including major e-commerce platforms.
  • Online search engines: services enabling users to search websites — primarily large search engines serving significant user bases within the EU.
  • Social networking service platforms: platforms enabling users to share information, content, and messages with other users — major social media platforms operating in the EU.

Note: digital providers that were in scope under NIS1 (online marketplaces, search engines, cloud computing) have been reclassified. Cloud computing has moved to Annex I (essential entities), while online marketplaces and search engines remain in Annex II.

7. Research Organisations

Entities whose primary goal is to conduct applied research or experimental development and which commercially exploit the results of that research — including publicly funded research institutes, university spin-outs conducting commercial research, and private research and development organisations. Pure academic institutions that do not commercialise research may fall outside this category depending on Member State interpretation.

4. Size Thresholds: Medium and Large Enterprises

Size thresholds under NIS2 follow the EU’s standard enterprise size definitions from Commission Recommendation 2003/361/EC. The threshold determines whether your organisation is in scope at all, and also helps determine whether you are classified as essential or important.

| Category | Staff Headcount | Annual Turnover | Annual Balance Sheet Total | NIS2 Role |
| --- | --- | --- | --- | --- |
| Micro enterprise | Fewer than 10 | ≤€2 million | ≤€2 million | Generally out of scope |
| Small enterprise | 10–49 | ≤€10 million | ≤€10 million | Generally out of scope |
| Medium enterprise | 50–249 | ≤€50 million | ≤€43 million | In scope (Annex I or II sector required) |
| Large enterprise | 250+ | >€50 million | >€43 million | In scope (Annex I or II sector required) |

How to apply the thresholds: The two financial thresholds use “OR” logic: you only need to exceed one of them (turnover or balance sheet), alongside the headcount threshold, to qualify. Specifically:

  • A medium enterprise must have: 50+ staff, AND (turnover >€10M OR balance sheet >€10M).
  • A large enterprise must have: 250+ staff, OR turnover >€50M.

Group structures: If your organisation is a subsidiary within a larger corporate group, the size assessment uses the consolidated figures of the group — not just your local entity’s headcount and turnover. A 30-person subsidiary of a 1,000-person parent company may be in scope even though the subsidiary alone would not meet the threshold. This is a frequently overlooked aspect of NIS2 applicability.

National additions: Member States may designate additional entities — including small enterprises — as essential or important where they assess that the disruption of that entity’s services would have a significant impact. Germany’s NIS2UmsuCG, for example, includes certain critical infrastructure operators below the standard size threshold.

5. Always in Scope Regardless of Size

NIS2 explicitly carves out several entity types that must comply regardless of whether they meet the medium enterprise size threshold. These organisations are in scope even if they have fewer than 50 employees and less than €10 million in annual turnover.

| Entity Type | Why Size-Independent? | Classification |
| --- | --- | --- |
| TLD name registries | Manage entire country code or generic top-level domains; disruption affects all downstream users | Essential entity |
| DNS service providers | Core internet infrastructure; single-point-of-failure risk even for small operators | Essential entity |
| Qualified trust service providers | Issue qualified digital certificates and signatures underpinning EU legal and financial processes | Essential entity |
| Non-qualified trust service providers | Provide digital identity and authentication infrastructure to third parties | Important entity |
| Providers of public electronic communications networks | Operate the physical and logical infrastructure of the internet in the EU | Essential entity (if large or designated); Important entity (if medium) |
| Sole providers in a Member State | If an entity is the only provider of an Annex I or II service in a Member State, its disruption has unavoidable systemic impact regardless of size | May be designated essential or important |
| Entities with systemic cross-border impact | Disruption would have significant cascading effects across two or more Member States | May be designated essential or important |

Practical implication: If your organisation provides DNS resolution, operates a TLD registry, issues eIDAS-qualified certificates, or runs a public telecoms network of any size, NIS2 applies to you from day one. The size threshold is irrelevant.

6. How to Determine if Your Organisation Is in Scope: 5-Step Self-Assessment

Work through the following five steps in order. At each decision point, the outcome either confirms scope, rules it out, or moves you to the next step.

Step 1: Check Your Primary Sector

Does your organisation’s primary activity fall within one of the 18 NIS2 sectors?

  • Review the Annex I sectors (Section 2 above): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space.
  • Review the Annex II sectors (Section 3 above): postal services, waste management, chemicals, food production/processing/distribution, manufacturing (6 sub-sectors), digital providers, research organisations.

If NO: NIS2 does not apply to your organisation as a direct obligation. However, you may still face NIS2 requirements indirectly: if your customers are essential or important entities, they are required under Article 21(2)(d) to assess the security of their suppliers’ networks — which means your security posture will increasingly be scrutinised through supply chain audits and contractual requirements.

If YES: Proceed to Step 2.

Step 2: Check if You Are Size-Independent

Does your organisation fall into one of the size-independent categories listed in Section 5?

  • TLD registry, DNS resolver, qualified trust service provider, public telecoms network provider, or sole provider of an in-scope service in a Member State.

If YES: NIS2 applies regardless of size. Proceed to Step 4 to determine your classification.

If NO: Proceed to Step 3.

Step 3: Apply the Size Threshold

Does your organisation meet the medium enterprise criteria?

  • 50+ staff headcount, AND
  • Annual turnover >€10M OR annual balance sheet total >€10M

Important: If you are part of a corporate group, use the group’s consolidated figures, not just your own entity’s figures.

If NO: You are generally out of scope. Check whether your Member State has designated additional categories of small entities (some national transpositions extend NIS2 to specific small operators of critical infrastructure).

If YES: NIS2 applies. Proceed to Step 4.

Step 4: Determine Your Classification (Essential or Important)

Your classification determines your supervisory regime and maximum penalty exposure.

Essential entity — you are likely essential if you meet any of the following:

  • You are a large enterprise (250+ employees or €50M+ turnover) operating in an Annex I sector.
  • You are a qualified trust service provider, TLD registry, or DNS service provider (regardless of size).
  • Your Member State has specifically designated you as essential (e.g., because you are a sole provider or have systemic cross-border impact).

Important entity — you are likely important if:

  • You are a medium enterprise (50–249 employees) in an Annex I sector.
  • You are a medium or large enterprise in an Annex II sector.
  • You are a non-qualified trust service provider or a public electronic communications provider below the large enterprise threshold.

Note: the final classification decision rests with your national competent authority. Member States were required to establish a register of essential and important entities by 17 April 2025. In some countries, organisations must self-register; in others, authorities compile the list proactively. Check your national transposition law and competent authority guidance.

Step 5: Verify with Your National Transposition Law

NIS2 is a directive, not a regulation — meaning each EU Member State has transposed it into national law, potentially with additional sectors, lower size thresholds, or extended obligations. Before finalising your scope determination:

  • Identify which national law implements NIS2 in your country (e.g., NIS2UmsuCG in Germany, the Network and Information Security (Measures for a High Common Level of Cybersecurity) Regulations in Ireland, the Cybersecurity Act in Belgium).
  • Check whether your national competent authority has published a self-registration portal or applicability guidance.
  • If you operate in multiple EU Member States, assess scope in each jurisdiction separately — you may have obligations in several countries simultaneously.
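The following Python is an added example, not code from the article or from nis-2-templates.com. It encodes Steps 1 to 4 of the self-assessment above, together with the Section 4 threshold bullets and the group-consolidation rule, as a single decision procedure that returns a classification and an audit trail of which step decided the outcome. The `Entity` and `Assessment` dataclasses, the field names, and the sample entities are this example's own assumptions; the threshold predicates are isolated in two small functions so they can be adjusted to a national transposition or to the exact wording of Recommendation 2003/361/EC, and Step 5 (checking national law) remains a manual step the code does not attempt.

```python
"""NIS2 scope self-assessment as a decision procedure (added example).

Thresholds are encoded as Steps 3 and 4 of the article state them; adjust
is_medium_or_larger() and is_large() if your national transposition differs.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

MEDIUM_HEADCOUNT = 50
MEDIUM_FINANCIAL_EUR = 10_000_000   # turnover OR balance sheet must exceed this (Step 3)
LARGE_HEADCOUNT = 250
LARGE_TURNOVER_EUR = 50_000_000     # Step 4 large-enterprise test


class Annex(Enum):
    NONE = "not an Annex I/II sector"
    I = "Annex I"
    II = "Annex II"


@dataclass
class Entity:
    name: str
    annex: Annex
    headcount: int
    turnover_eur: float
    balance_sheet_eur: float
    size_independent: bool = False      # Section 5 category: size test skipped (Step 2)
    always_essential: bool = False      # qualified TSP, TLD registry or DNS provider (Step 4)
    designated: Optional[str] = None    # classification fixed by the national authority, if any
    # Consolidated group figures (Section 4, "Group structures"); None = not part of a group
    group_headcount: Optional[int] = None
    group_turnover_eur: Optional[float] = None
    group_balance_sheet_eur: Optional[float] = None


@dataclass
class Assessment:
    in_scope: bool
    classification: Optional[str]       # "essential", "important" or None
    trail: list = field(default_factory=list)


def consolidated(e: Entity):
    """Return the figures the size test must use: group figures if in a group."""
    return (
        e.group_headcount if e.group_headcount is not None else e.headcount,
        e.group_turnover_eur if e.group_turnover_eur is not None else e.turnover_eur,
        e.group_balance_sheet_eur if e.group_balance_sheet_eur is not None else e.balance_sheet_eur,
    )


def is_medium_or_larger(headcount: int, turnover: float, balance: float) -> bool:
    """Step 3 as written: 50+ staff AND (turnover > EUR 10M OR balance sheet > EUR 10M)."""
    return headcount >= MEDIUM_HEADCOUNT and (
        turnover > MEDIUM_FINANCIAL_EUR or balance > MEDIUM_FINANCIAL_EUR
    )


def is_large(headcount: int, turnover: float) -> bool:
    """Step 4 / Section 4 bullet: 250+ staff OR turnover > EUR 50M."""
    return headcount >= LARGE_HEADCOUNT or turnover > LARGE_TURNOVER_EUR


def assess(e: Entity) -> Assessment:
    trail = []
    if e.annex is Annex.NONE:                                        # Step 1
        trail.append("Step 1: not in an Annex I/II sector; no direct obligation "
                     "(supply-chain scrutiny by in-scope customers may still apply)")
        return Assessment(False, None, trail)
    trail.append(f"Step 1: {e.annex.value} sector")
    headcount, turnover, balance = consolidated(e)
    if e.size_independent:                                           # Step 2
        trail.append("Step 2: size-independent category; size threshold skipped")
    elif not is_medium_or_larger(headcount, turnover, balance):      # Step 3
        trail.append(f"Step 3: below medium threshold ({headcount} staff, "
                     f"turnover EUR {turnover:,.0f}, balance EUR {balance:,.0f}); "
                     "check national additions")
        return Assessment(False, None, trail)
    else:
        trail.append(f"Step 3: meets medium threshold using consolidated figures ({headcount} staff)")
    if e.designated in ("essential", "important"):                   # Step 4
        trail.append(f"Step 4: classification designated by national authority: {e.designated}")
        return Assessment(True, e.designated, trail)
    if e.always_essential:
        trail.append("Step 4: qualified TSP / TLD registry / DNS provider: essential regardless of size")
        return Assessment(True, "essential", trail)
    if e.annex is Annex.I and is_large(headcount, turnover):
        trail.append("Step 4: large enterprise in an Annex I sector: essential")
        return Assessment(True, "essential", trail)
    trail.append("Step 4: important entity (medium in Annex I, or size-qualifying in Annex II)")
    return Assessment(True, "important", trail)


# Constructed sample entities (not real organisations)
SAMPLE_ENTITIES = [
    Entity("Regional DSO, 30-person subsidiary of a 1,000-person group", Annex.I, 30, 6e6, 4e6,
           group_headcount=1000, group_turnover_eur=200e6, group_balance_sheet_eur=150e6),
    Entity("Food processor", Annex.II, 120, 25e6, 12e6),
    Entity("Small DNS provider", Annex.I, 12, 1.5e6, 0.8e6, size_independent=True, always_essential=True),
    Entity("Retail chain", Annex.NONE, 400, 90e6, 40e6),
    Entity("Courier start-up", Annex.II, 40, 3e6, 2e6),
]

if __name__ == "__main__":
    for entity in SAMPLE_ENTITIES:
        result = assess(entity)
        print(f"{entity.name}: in_scope={result.in_scope}, classification={result.classification}")
        for line in result.trail:
            print("   ", line)
```

The trail is the part worth keeping: when the national competent authority later confirms or adjusts the classification, the recorded reasoning shows which input (sector, consolidated group figures, a Section 5 category) drove the self-assessment, which is what a registration file or audit evidence needs.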

7. What If You Are In Scope? Next Steps

Confirming that NIS2 applies is the starting point, not the finish line. Here is what to do next:

  1. Confirm your registration obligations. Most Member States require in-scope entities to register with their national competent authority. Failure to register is itself a compliance failure. Check your national authority’s portal — registration deadlines vary by country.
  2. Conduct a gap assessment. Use the NIS2 compliance checklist to evaluate your current cybersecurity posture against the 10 Article 21 measures. Identify which measures you already meet (or partially meet) and where the gaps are.
  3. Understand your obligations in detail. Review the 10 NIS2 cybersecurity requirements to understand exactly what is required under Article 21. If your organisation is a digital infrastructure or ICT service entity covered by the Commission Implementing Regulation (CIR 2024/2690), you have additional, more technically detailed obligations.
  4. Brief your management body. Article 20 requires your management body to approve NIS2 risk management measures, oversee their implementation, and undergo cybersecurity training. Management body members can be held personally liable for infringements. Bring this to the board agenda now, not after a breach.
  5. Establish incident reporting procedures. Article 23 requires a significant incident early warning within 24 hours. If you don’t already have a tested incident detection and escalation process, this is your most urgent operational gap. Review the NIS2 Directive overview for the full 24h/72h/1-month reporting timeline.
  6. Assess your penalty exposure. Understanding the NIS2 penalty regime — including management liability under Article 20 — is essential for securing budget and organisational buy-in for the compliance programme.

8. Frequently Asked Questions

Does NIS2 apply to micro enterprises?

Generally, no. NIS2 applies from the medium enterprise threshold (50+ employees and €10M+ turnover or balance sheet). Micro and small enterprises are out of scope — with the specific exceptions for size-independent entity types (DNS providers, TLD registries, qualified trust service providers, and certain public telecoms providers). Some Member States have extended coverage in their national laws.

Does NIS2 apply to non-EU companies?

Yes, if they provide covered services within the EU. NIS2 scope is determined by where services are delivered, not where the organisation is headquartered. Non-EU entities in scope must designate an EU representative under Article 26, and that representative can be held liable for non-compliance.

Can a company be both an essential and an important entity?

No — the classifications are mutually exclusive. If an organisation’s activities span multiple sectors, the higher classification (essential) applies. This means the stricter supervisory regime and the higher penalty ceiling (€10M / 2%) apply to the entire entity.

Who decides if I am in scope?

Your national competent authority (NCA) has the final say. Most Member States require in-scope organisations to self-register; the NCA then confirms or adjusts the classification. Failure to self-register where required is itself a compliance breach. If you are uncertain, review your national NCA’s guidance — or obtain qualified legal advice from a practitioner familiar with your Member State’s transposition.

This article provides general information only and does not constitute legal or regulatory advice. NIS2 obligations vary by jurisdiction based on national transposition laws. Consult a qualified legal or compliance professional for advice specific to your organisation.

[Infographic: Who Must Comply with NIS2? Scope, Sectors, and Size Thresholds. Source: nis-2-templates.com]

Sources

  1. “Directive (EU) 2022/2555 — Official Text, Annexes I and II” — EUR-Lex, Full text
  2. “Cybersecurity of network and information systems (NIS2) — Summary” — EUR-Lex, Summary
  3. “NIS2 Directive: securing network and information systems” — European Commission, Policy page
  4. “SME Definition — Commission Recommendation 2003/361/EC” — European Commission, SME definition