NIS2 scope: is your organisation in scope?
The single most common NIS2 question is "does it apply to us?" This guide walks through the scope test — sector, size and the exceptions.
Two classes of entity
NIS2 splits in-scope organisations into essential entities and important entities. Both must meet the same core security obligations, but essential entities face proactive supervision, while important entities are supervised reactively (after an incident or evidence of non-compliance).
Covered sectors
The directive covers around 18 sectors, split across two annexes:
- High-criticality sectors (Annex I): energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration and space.
- Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.
The size threshold
As a general rule, NIS2 applies to medium-sized organisations and above in covered sectors — broadly those with at least 50 staff or €10 million in turnover. Large entities in high-criticality sectors are typically essential; medium ones and most Annex II entities are important.
How to check
- Identify whether your activities fall in an Annex I or II sector.
- Check whether you meet the size threshold, or an exception applies.
- Determine your class (essential or important).
- Confirm against your national transposition — the details vary by country.
If you are unsure, treat it as a "verify", not an "assume out". Being wrongly out of scope is a costly mistake.
FAQ
Related questions
What is the difference between essential and important entities?
Both must meet the same security and reporting obligations. The difference is supervision: essential entities face proactive oversight, while important entities are supervised reactively. Classification depends on sector and size.
Does NIS2 apply to small companies?
Generally NIS2 targets medium-sized organisations and above, but some entities are in scope regardless of size, and national rules can extend it. Smaller organisations should verify rather than assume they are exempt.
How do I know which sector I am in?
Compare your core activities against the sectors listed in NIS2 Annexes I and II. If your activities match, and you meet the size threshold, you are likely in scope.
Keep reading
More guides
-
The NIS2 security measures: Article 21 explained
Article 21 sets ten baseline risk-management measures every in-scope entity must implement. Here is what each one means.
Read guide -
NIS2 compliance checklist: a practical path to audit-ready
A step-by-step checklist to move from "are we in scope?" to an evidenced, audit-ready NIS2 programme.
Read guide