NIS2 classifies in-scope organisations as either essential entities or important entities, based on (1) the sector listed in Annex I or Annex II of the directive and (2) the size of the organisation under the EU SME definition. Essential entities face ex-ante supervision and a higher fine ceiling (up to EUR 10 million or 2% of global turnover); important entities face ex-post supervision and a lower ceiling (EUR 7 million or 1.4%). A handful of sub-threshold exceptions are in scope regardless of size — primarily DNS providers, top-level domain name registries, qualified trust service providers, and providers of public electronic communications networks. This guide walks through the two filters and provides a decision flow to classify your organisation correctly the first time.
For the broader NIS2 walkthrough see our NIS2 compliance guide.
Filter 1: Sector — Annex I (essential) vs Annex II (important)
NIS2 covers 18 sectors split across two annexes. Annex I sectors are considered “high criticality”; Annex II are “other critical sectors”. Sector alone does not make you essential — it interacts with the size filter — but it sets the baseline category.
Annex I — high-criticality (essential) sectors
| Sector | Examples of in-scope entities |
|---|---|
| Energy | Electricity (TSOs, DSOs, generators, suppliers, nominated electricity market operators), district heating/cooling, oil (transmission/storage/production), gas, hydrogen |
| Transport | Air (carriers, airports, ATM), rail (infrastructure managers, railway undertakings), water (cargo, passenger, port authorities), road (road authorities, ITS operators) |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venue operators, central counterparties |
| Health | Healthcare providers, EU reference labs, R&D of medicinal products, manufacture of basic pharmaceuticals, manufacture of critical medical devices |
| Drinking water | Suppliers and distributors |
| Wastewater | Collection, disposal, or treatment of urban/domestic/industrial wastewater (where it is an essential part of the entity’s activity) |
| Digital infrastructure | IXPs, DNS providers, TLD registries, cloud providers, data centre operators, CDN operators, trust service providers, public electronic communications networks/services |
| ICT service management (B2B) | Managed Service Providers, Managed Security Service Providers |
| Public administration | Central, regional (transposition-dependent — member states may include local) |
| Space | Operators of ground-based infrastructure supporting space-based services |
Annex II — other critical (important) sectors
| Sector | Examples of in-scope entities |
|---|---|
| Postal and courier services | Postal service providers, courier and express delivery |
| Waste management | Waste collection, transport, treatment (where principal activity) |
| Manufacture, production and distribution of chemicals | Manufacture and distribution of chemicals |
| Production, processing and distribution of food | Wholesale food distribution, industrial food production and processing |
| Manufacturing | Medical devices, in vitro diagnostics, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment |
| Digital providers | Online marketplaces, online search engines, social networking platforms |
| Research | Research organisations |
Filter 2: Size — the EU SME definition
NIS2 uses Recommendation 2003/361/EC. Three brackets matter:
| Size | Headcount | Annual turnover OR balance sheet total |
|---|---|---|
| Micro | < 10 | ≤ EUR 2 million |
| Small | < 50 | ≤ EUR 10 million |
| Medium | < 250 | ≤ EUR 50 million / ≤ EUR 43 million balance sheet |
| Large | ≥ 250 OR turnover > EUR 50m | — |
The general rule:
- Micro and small entities: out of scope unless a sub-threshold exception applies (see below).
- Medium entities (50–249 headcount or EUR 10–50m turnover) in Annex I or Annex II sectors: in scope as important entities.
- Large entities (250+ headcount or > EUR 50m turnover) in Annex I sectors: in scope as essential entities.
- Large entities in Annex II sectors: in scope as important entities (not essential).
The linked-enterprise and partner-enterprise rules of Recommendation 2003/361/EC apply: a small subsidiary of a large group is generally counted at group level.
Sub-threshold exceptions: in scope regardless of size
Some entities are considered critical enough that the size filter does not apply. These are in scope at any size, including micro and small:
- DNS service providers
- Top-level domain (TLD) name registries
- Trust service providers (qualified and non-qualified)
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
- Entities providing domain name registration services (when designated)
- Certain public administration bodies of central government (and regional, depending on member state)
- Sole providers in a member state of a service essential for the maintenance of critical societal or economic activities
- Entities whose disruption could have a significant impact on public safety, security, or public health
National transposition may add further sub-threshold inclusions (for example SCADA operators below the size threshold in some member states).
Decision flow — am I in scope, and at what level?
Step 1. Sector check.
- Is your principal activity listed in Annex I? Continue at “essential” baseline.
- Listed in Annex II? Continue at “important” baseline.
- Not listed? Check sub-threshold exceptions. If none apply, you are out of scope.
Step 2. Size check.
- Are you a large enterprise (≥ 250 employees OR > EUR 50m turnover) including linked/partner enterprise consolidation?
  - Annex I sector → essential entity.
  - Annex II sector → important entity.
- Are you medium (50–249 OR EUR 10–50m)?
  - Any in-scope sector → important entity.
- Are you small or micro?
  - Do any sub-threshold exceptions apply? → important or essential depending on the specific exception.
  - Otherwise → out of scope.
Step 3. Member-state overlays. Some transpositions extend the scope (notably to local government, smaller energy operators, additional critical infrastructure). Check your national CSIRT or competent authority for transposition-specific inclusions. See our NIS2 country transposition tracker for known deviations.
Common borderline cases
| Case | Verdict | Why |
|---|---|---|
| 80-employee EU SaaS provider hosting a CRM for retail clients | Out of scope by default | “ICT service management” in Annex I applies to MSPs and MSSPs, not vanilla SaaS. A generic CRM SaaS is not an MSP unless contractually responsible for managing the client’s IT/security operations |
| 30-employee EU healthcare clinic | Out of scope (size) | Below medium threshold; healthcare providers are subject to size filter. Member-state transposition may add it |
| 5-person DNS provider | In scope (sub-threshold exception) | DNS providers are in scope regardless of size |
| Large multinational manufacturer (1,500 staff) of medical devices | Important entity | Annex II sector (manufacture of medical devices) — large size → important, not essential |
| Mid-size (180 staff) EU power-generation company | Essential entity | Annex I energy sector + medium size threshold met — but size puts it in “important” by default; check national transposition, which often promotes energy generators to essential regardless |
| EU subsidiary (30 staff) of US tech group (10,000 staff globally) | Headcount counted at group level | Recommendation 2003/361/EC linked-enterprises rule — likely large by consolidation |
| EU online marketplace, 60 staff | Important entity | Annex II digital provider + medium size |
| EU research organisation, 200 staff | Important entity | Annex II research sector + medium size |
| Public administration body, central government | In scope at any size in most member states | Article 2 + transposition |
What changes by category
| Aspect | Essential | Important |
|---|---|---|
| Supervision model | Ex-ante (proactive audits, on-site inspections) | Ex-post (reactive, following incidents or complaints) |
| Maximum fine | EUR 10 million OR 2% global turnover | EUR 7 million OR 1.4% global turnover |
| Management sanctions | Temporary disqualification possible | Disqualification not provided for, but other sanctions apply |
| Cybersecurity measures | All ten Article 21 measures | All ten Article 21 measures (same list) |
| Reporting timeline | Same 24-hour / 72-hour / one-month cascade | Same 24-hour / 72-hour / one-month cascade |
| Registration / declaration | Required with competent authority | Required with competent authority |
The same Article 21 measures and Article 23 reporting cascade apply to both — the differences are how the regulator supervises you and how it penalises non-compliance.
How Enactia helps with scoping
Enactia ships with a NIS2 scoping questionnaire that walks you through the sector, size, and exception filters and produces a documented scoping memo with the rationale — the artefact your competent authority will ask for. The same scoping output drives the control catalogue, so the moment you classify as essential or important, the platform pre-populates the right tier of Article 21 evidence requirements. Book a demo now to walk through the scoping questionnaire against your own organisation.
Frequently asked questions
What is the size threshold for NIS2?
Medium-size or larger entities are in scope: 50+ employees or annual turnover/balance sheet total above EUR 10 million. Below that, only entities falling under sub-threshold exceptions are in scope.
Are SaaS providers in scope of NIS2?
Not by default. NIS2’s “ICT service management” sector targets managed service providers (MSPs) and managed security service providers (MSSPs), not generic SaaS. A SaaS provider may still be in scope if it provides services to in-scope entities and is contractually responsible for the customer’s IT or security operations (which would qualify it as an MSP).
Are subsidiaries counted alone or at group level?
The EU SME definition (Recommendation 2003/361/EC) consolidates linked and partner enterprises. A small EU subsidiary of a large multinational group is typically counted at group level and is therefore large.
Does NIS2 apply to public administration?
Yes for central government in most member states; regional government is included where the member state transposition has extended scope to it. Local government inclusion varies.
What happens if I am uncertain whether I am in scope?
The safest course is to document your scoping rationale and to engage the national CSIRT or competent authority informally. Most national authorities have published guidance and contact channels for borderline-case clarification.