Understanding NIS2 Applicability
The NIS2 Directive (Directive (EU) 2022/2555) applies to a far broader set of organizations than its predecessor, the 2016 NIS Directive. Commonly cited estimates put roughly 160,000 entities across the EU within scope, compared to only a few hundred (about 450) operators identified under the original NIS Directive.
Size Requirements
Your organization must meet specific size thresholds to be subject to NIS2. The directive reuses the size classes of Commission Recommendation 2003/361/EC, so employee headcount, annual turnover and annual balance sheet total all count:
Medium-Sized Enterprises
- At least 50 employees, OR
- Annual turnover or annual balance sheet total exceeding €10 million
Large Enterprises
- At least 250 employees, OR
- Annual turnover exceeding €50 million, or annual balance sheet total exceeding €43 million
Small and micro-enterprises (fewer than 50 employees and no more than €10 million turnover and balance sheet total) are generally out of scope. There are size-independent exceptions, however: DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks or services, and entities that are the sole provider of a service in a member state are covered regardless of size, and member states may designate further entities.
Sector Requirements
NIS2 applies to organizations operating in 18 sectors, divided into two categories: 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II). Whether a covered organization is an essential or an important entity depends on both its sector and its size (see Classification below).
Sectors of High Criticality (Annex I)
Energy
- Electricity, oil, gas, hydrogen
- District heating and cooling
Transport
- Air, rail, water, and road transport operators
Banking and Financial Market Infrastructures
Health
- Healthcare providers (hospitals, clinics) and EU reference laboratories
- Entities carrying out research and development of medicinal products
- Manufacturers of basic pharmaceutical products and preparations
- Manufacturers of medical devices considered critical during a public health emergency
Drinking Water
- Supply and distribution
Wastewater
- Collection and treatment
Digital Infrastructure
- Internet exchange points (IXPs)
- Domain name system (DNS) service providers
- Top-level domain (TLD) name registries
- Cloud computing service providers
- Data centre service providers
- Content delivery network (CDN) providers
- Trust service providers
- Providers of public electronic communications networks and services
ICT Service Management
- Managed service providers (MSPs)
- Managed security service providers (MSSPs)
Public Administration
- Central and regional government entities
Space
- Space sector operators
Other Critical Sectors (Annex II)
Postal and Courier Services
Waste Management
Manufacturing
- Medical devices
- Electronics
- Machinery
- Motor vehicles
Chemicals
- Production and distribution
Food
- Production, processing, and distribution
Digital Providers
- Online marketplaces
- Online search engines
- Social networking service platforms
Research Organizations
Geographic Scope
NIS2 applies if your organization is:
1. Established in the EU
- You are generally under the jurisdiction of the member state in which you are established
- For DNS, TLD registry, cloud, data centre, CDN, managed service and managed security service providers and for online marketplaces, search engines and social networks, jurisdiction follows your main establishment: the member state where decisions on cybersecurity risk-management measures are predominantly taken; failing that, where your cybersecurity operations are carried out; failing that, where the establishment with the highest number of employees in the EU is located
2. Not established in the EU but offering one of those digital services within the EU
- If you provide any of the service types listed above to customers in EU member states, you are in scope for those services
- You must designate a representative in one of the member states where you offer the services
- You must comply with NIS2 requirements for those services, and the representative's member state has jurisdiction
Classification: Essential vs. Important
The distinction between essential and important entities affects oversight intensity and penalty severity:
Essential Entity Characteristics
- Large enterprises (at least 250 employees, or turnover above €50M or balance sheet above €43M) in Annex I sectors
- Regardless of size: qualified trust service providers, TLD name registries, DNS service providers, central government public administration entities, and entities identified as critical entities under the CER Directive (Directive (EU) 2022/2557)
- Medium-sized providers of public electronic communications networks or services
- Subject to proactive (ex ante) and reactive (ex post) supervision, including audits and inspections
- Fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher
Important Entity Characteristics
- Medium-sized enterprises (at least 50 employees, or turnover or balance sheet above €10M) in Annex I sectors
- Medium-sized and large enterprises in Annex II sectors
- Subject to reactive (ex post) supervision only, typically triggered by an incident or evidence of non-compliance
- Fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Supply Chain Considerations
Even if your organization doesn't directly fall under NIS2, you may be affected if:
- You're a supplier to NIS2-covered entities
- You provide critical services or products to covered organizations
- Your security practices will be assessed as part of supply chain requirements
Organizations subject to NIS2 must address supply chain security as one of their mandatory risk-management measures (Article 21(2)(d)), including the security-related aspects of their relationships with direct suppliers and service providers. In practice this means suppliers may be asked to demonstrate adequate security measures, accept contractual security obligations, and support incident-related cooperation.
Public Administration
Public administration entities of central government are in scope regardless of size and are automatically classed as essential entities. Public administration entities at regional level are also in scope regardless of size where the member state, following a risk-based assessment, determines that they provide services whose disruption could have a significant impact on critical societal or economic activities; these are classed as important entities unless the member state designates them otherwise. Member states may additionally extend NIS2 to local-level public administration and to education institutions.
Practical Steps to Determine Applicability
1. Check Your Size
- Count total employees across all locations (annual work units, as under Recommendation 2003/361/EC)
- Calculate annual turnover and balance sheet total from the previous fiscal year
2. Identify Your Sector
- Match your activities to the entity types listed in Annex I and Annex II of NIS2
- Consider whether you operate in multiple sectors; the highest applicable classification governs
3. Assess Your Geographic Presence
- Determine where your main establishment is located
- Identify which EU member states you serve
4. Evaluate Your Supply Chain Role
- List customers who may be NIS2 entities
- Assess whether you provide critical services or products to them
5. Consult National Implementation
- Check your member state's specific transposition of NIS2
- Some countries apply stricter or broader criteria than the directive's minimum
What If You're Unsure?
If you're uncertain whether NIS2 applies to your organization:
- Consult with your national competent authority
- Engage legal or compliance advisors specializing in NIS2
- Review your member state's official guidance documents
- Consider that it's safer to prepare for compliance than to risk non-compliance
Member State Variations
While NIS2 provides an EU-wide framework, individual member states transpose the directive into national law. This can result in:
- Slight variations in sector definitions
- Additional requirements beyond the minimum
- Different national competent authorities
- Specific national reporting mechanisms
Always check your specific member state's implementation for precise requirements.
If your organization is a medium or large enterprise operating in one of the 18 NIS2 sectors and is established in the EU, or offers one of the covered digital services to EU customers, you most likely need to comply with NIS2. The directive's broad scope means many organizations that were not previously subject to cybersecurity regulation now face mandatory requirements.
Member states were required to transpose NIS2 into national law by 17 October 2024, with the new rules applying from 18 October 2024; several member states have been late, so the date on which obligations bite for a given organization depends on the national law. An early applicability assessment lets you plan compliance on the timeline that actually applies to you. Even if you are not directly covered, understanding NIS2 helps you anticipate supplier requirements and market expectations around cybersecurity practices.