Who Must Comply with NIS-2? Essential vs Important Entities Explained

By Alessandro Stella · 12 min read

The first question every organisation asks about NIS-2 is the same: does it apply to us? The second question, immediately after: if it does, are we essential or important? The two answers determine almost everything else — the depth of obligations, the level of supervision, the ceiling on fines, and the urgency of the implementation calendar.

This guide walks through the scope of NIS-2 and the classification logic in concrete terms. By the end, you should be able to determine your organisation’s status with reasonable confidence and know what to do next based on the outcome. For the full implementation context, see the pillar guide on NIS-2 compliance; this article zooms in specifically on scope and classification.

The two-part test: sector + size

NIS-2 applies to entities that meet two cumulative criteria:

  1. Sector: the entity operates in one of the 18 sectors listed in Annex I or Annex II of Directive (EU) 2022/2555.
  2. Size: the entity meets at least the medium enterprise threshold under Commission Recommendation 2003/361/EC.

Both conditions must be satisfied. An organisation in a covered sector but below the size threshold is generally out of scope. An organisation above the size threshold but operating outside the 18 sectors is also out of scope. The intersection is what matters.

There are exceptions in both directions — certain entity types are in scope regardless of size, and Member States can designate specific entities into scope on national grounds — but the two-part test is where every analysis starts.

The 18 sectors: Annex I and Annex II

NIS-2 covers 18 sectors split across two annexes that signal the level of criticality. The split is not just bureaucratic: it determines the default classification (essential vs important) for entities that meet the size threshold.

Annex I — Sectors of high criticality (11 sectors)

These are the sectors the EU considers most vital to the functioning of society and the economy. A serious incident here has cascading effects beyond the affected entity.

Annex II — Other critical sectors (7 sectors)

These sectors are critical but operate at one remove from the immediate functioning of essential services. The default classification for medium and large entities here is important, not essential.

Two notes worth flagging. First, the digital infrastructure sector under Annex I is broader than people expect. Cloud computing, data centres, CDN providers, DNS providers, MSPs, and trust service providers are all explicitly in scope, often regardless of size. If you provide any form of digital infrastructure service, assess this category carefully — this is where many technology companies that were out of NIS-1 scope find themselves captured by NIS-2. Second, “Manufacturing” under Annex II is broad but selective: it captures specific industrial subsectors (medical devices, electronics, machinery, vehicles) but does not capture all manufacturing. If your manufacturing activity is not in the listed subsectors, you are likely out of scope.

The size threshold

NIS-2 uses the standard EU SME definition from Commission Recommendation 2003/361/EC. There are two relevant thresholds:

The criteria are alternatives, not cumulative — meeting any one of them is enough to qualify at that level. Below the medium threshold (under 50 employees and under €10 million on both turnover and balance sheet), you are a small or micro enterprise and generally out of scope.

The thresholds apply at the level of the autonomous enterprise, not the individual establishment. A 30-person Italian subsidiary of a 5,000-person German parent is generally assessed at group level — you do not slip under the threshold by looking only at the local entity.

The classification logic: essential vs important

Once you have confirmed sector + size, the classification follows a defined logic.

You are an essential entity if:

You are an important entity if:

In plain words: large + Annex I = essential; large in Annex II or medium anywhere = important; specific entity types are essential regardless of size.

The size-cap exceptions: in scope regardless of size

A small group of entity types are in scope of NIS-2 regardless of how small they are. The Directive recognises that even a tiny entity can hold systemic importance in these specific roles:

If you fall into any of these categories, the size threshold does not apply. A two-person trust service provider is fully in scope.

A decision tree to find your status

The logic above can be mapped to a five-step decision flow:

  1. Are you in one of the 18 Annex I or II sectors?
    • No → out of scope under sector test (but check supply chain implications below)
    • Yes → continue
  2. Are you in any of the size-independent categories? (qualified trust service provider, TLD registry, DNS provider, public electronic communications provider, public administration, etc.)
    • Yes → in scope, classify as essential
    • No → continue
  3. Do you meet the medium enterprise threshold? (50+ employees, or €10M+ turnover, or €10M+ balance sheet)
    • No → out of scope
    • Yes → continue
  4. Are you a large enterprise in an Annex I sector? (250+ employees, or €50M+ turnover, or €43M+ balance sheet)
    • Yes → essential entity
    • No → continue
  5. Are you a medium enterprise (Annex I or Annex II) or a large enterprise in Annex II?
    • Yes → important entity

The live blog page includes a flowchart of this decision tree; the text version above encodes the same logic.
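The five-step flow above written out as a small Python classifier, including the group-level size aggregation that trips up subsidiaries. This is an added example, not code from the article or from Docply: the thresholds follow the article's "any one criterion" reading of the SME definition, the size-independent list is the article's illustrative set rather than the Directive's complete list, and group aggregation is a deliberately simplified full consolidation.

```python
from dataclasses import dataclass

# Size thresholds as the article states them: meeting ANY one criterion is enough at that level.
MEDIUM = {"employees": 50, "turnover": 10_000_000, "balance_sheet": 10_000_000}
LARGE = {"employees": 250, "turnover": 50_000_000, "balance_sheet": 43_000_000}

# Entity types the article lists as in scope regardless of size (the article's illustrative set,
# not the Directive's complete list); matched on a lower-cased label.
SIZE_INDEPENDENT = {
    "qualified trust service provider", "tld registry", "dns provider",
    "public electronic communications provider", "public administration",
}

@dataclass
class Entity:
    name: str
    annex: str                  # "I", "II", or "" when outside the 18 sectors
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    entity_type: str = ""       # e.g. "dns provider"; drives the size-cap exception in step 2

def meets(e: Entity, t: dict) -> bool:
    """True if the entity reaches the given size level on at least one criterion."""
    return (e.employees >= t["employees"] or e.turnover_eur >= t["turnover"]
            or e.balance_sheet_eur >= t["balance_sheet"])

def at_group_level(local: Entity, others: list) -> Entity:
    """Thresholds apply to the autonomous enterprise: keep the local entity's sector and type,
    but sum size across the group. Assumption: every member is fully consolidated (100%)."""
    members = [local, *others]
    return Entity(local.name, local.annex,
                  sum(m.employees for m in members),
                  sum(m.turnover_eur for m in members),
                  sum(m.balance_sheet_eur for m in members),
                  local.entity_type)

def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' following the article's five steps."""
    if e.annex not in ("I", "II"):                  # 1. sector test
        return "out of scope"
    if e.entity_type.lower() in SIZE_INDEPENDENT:   # 2. in scope regardless of size
        return "essential"
    if not meets(e, MEDIUM):                        # 3. medium enterprise threshold
        return "out of scope"
    if e.annex == "I" and meets(e, LARGE):          # 4. large enterprise in Annex I
        return "essential"
    return "important"                              # 5. medium anywhere, or large in Annex II
```

Run the local subsidiary through classify() both alone and through at_group_level() to see the Error 2 trap from later in the article: out of scope at 30 local employees, essential once the parent's headcount is counted.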

What changes between essential and important

Both categories must implement all ten Article 21 risk-management measures. The differences are in supervision, enforcement and penalty ceilings:

| Dimension | Essential entities | Important entities |
|---|---|---|
| Supervisory model | Ex-ante (proactive) | Ex-post (reactive, on indication) |
| Inspections | Authority can audit and inspect at any time | Authority intervenes when there is evidence of non-compliance |
| Documentation requests | Can be required at any time | Triggered by specific events |
| Maximum fine | €10 million OR 2% of global annual turnover, whichever is higher | €7 million OR 1.4% of global annual turnover, whichever is higher |
| Personal liability of management body | Yes (Article 32(6)) | Yes (Article 32(6)) |

The substantive obligations are largely the same. The enforcement posture is the meaningful difference. Essential entities should expect to be inspected; important entities should expect to be inspected if something goes wrong.

For the detailed breakdown of fines, supervisory measures and the early enforcement actions across Member States, see NIS-2 penalties and enforcement.

Common misclassifications to avoid

After two years of advising organisations through NIS-2 scoping, four classification errors recur often enough to be worth flagging.

Error 1: assuming “we are not IT, so we are out”. NIS-2 is sector-based, not technology-based. A food production company with 200 employees and €30M turnover is in scope as an important entity even if its IT footprint is modest. The criterion is what you do, not how digital you are.

Error 2: under-counting employees by looking only at the local entity. The size threshold applies to the autonomous enterprise. If you are part of a larger group (parent, subsidiaries, partner enterprises, linked enterprises under Article 3 of Recommendation 2003/361/EC), the headcount and turnover are calculated at group level. Many organisations think they are out of scope at 40 local employees and discover at audit they were always in scope at 350 group-wide.

Error 3: missing the digital infrastructure subsectors. Cloud providers, data centres, CDN operators, MSPs, MSSPs and DNS providers are explicitly in Annex I — and several of these categories are size-independent. Tech companies frequently underestimate their position here and self-classify as out of scope when they are not.

Error 4: assuming Annex II = lower stakes. Important entities still face fines up to €7M or 1.4% of turnover, the same Article 21 obligations, the same Article 23 reporting timeline, and the same management body liability. The supervisory posture is reactive, not absent.

What about supply chain entities below the threshold?

A frequently asked question: my organisation is too small to be in scope, but I sell to in-scope entities. Do I have NIS-2 obligations?

Directly: no. NIS-2 imposes obligations on the in-scope entity, not on the supplier.

Indirectly: yes, materially. Article 21(2)(d) requires in-scope entities to manage supply chain security — risk assessment of direct suppliers, contractual security clauses, continuous monitoring. Your customers will start asking for security questionnaires, evidence of controls, and contractual commitments to security obligations. The requirement reaches you through procurement, not through the regulator. Smaller suppliers are frequently the path of least resistance for attackers, and Article 21 reflects this.

If you sell to in-scope entities, expect: a wave of vendor security assessments during 2026, contractual security addenda being added to renewals, and pressure to provide evidence of basic security hygiene. The work is real even when the obligation is indirect.

What to do once you have your classification

Three different actions, depending on the outcome.

If you are essential. Register on your national platform immediately if you have not already. Brief the management body — they have personal liability under Article 32(6). Schedule the gap assessment and start the implementation calendar. Expect inspection sooner rather than later. The 14-16 week implementation path described in the pillar guide applies, with priority on the controls regulators look at first.

If you are important. Register on your national platform. Run the gap assessment. Implement the ten Article 21 measures. The supervisory posture is reactive, which means you have more runway — but only if nothing goes wrong. An incident or a customer complaint can trigger inspection at any moment, and at that point the runway is gone. Treat important entity status as essential entity status with extra time, not as a softer regime.

If you are out of scope. Document the analysis: which sector test you fail, which size threshold you do not meet, the date of the assessment. Keep it on file. Re-run the analysis annually, or sooner if your organisation grows or restructures. If you sell to in-scope entities, prepare for the supply chain pressure described above — even out-of-scope organisations benefit from a defensible security baseline when their customers start asking.

For the day-by-day implementation breakdown, see the 60-day implementation timeline.

How Docply fits in

The Docply NIS-2 Total Kit is built to support both essential and important entities — the documentation set is the same, with annotations where obligations diverge by classification (most notably around supervisory expectations and reporting frequency). The 77 documents cover the full scope of Article 21 measures, the Article 23 reporting cascade, and the governance documentation required under Article 20.

Three sample documents are downloadable from the NIS-2 Total Kit page if you want to assess the quality before committing. The kit includes a project launch decision template, a scope statement template, and a governance model template — the first three documents you produce in any NIS-2 programme, regardless of classification.


Last updated: 18 May 2026.