Last updated: March 29, 2026
Quick Summary: NIS2 Scope at a Glance
| Aspect | Details | Source |
|---|---|---|
| Legal basis | Directive (EU) 2022/2555 (NIS2) | EUR-Lex |
| Replaces | Directive (EU) 2016/1148 (NIS1) | EUR-Lex |
| Sectors covered | 18 sectors (11 highly critical + 7 other critical) | Annexes I and II, NIS2 |
| Estimated entities in scope | ~160,000 across the EU | ENISA NIS2 FAQ |
| Transposition deadline | October 17, 2024 | Art. 41, NIS2 |
| Max penalty (essential entities) | EUR 10 million or 2% of global annual turnover | Art. 34(4), NIS2 |
| Max penalty (important entities) | EUR 7 million or 1.4% of global annual turnover | Art. 34(5), NIS2 |
| Management body liability | Personal liability for senior management | Art. 20, NIS2 |
Table of Contents
- Executive Summary
- What Is the NIS2 Directive?
- Why NIS2 Matters: The Cybersecurity Landscape in 2026
- Who Must Comply With NIS2: The Scope Rules
- Essential Entities vs Important Entities
- The 18 Sectors Covered by NIS2
- Size Thresholds: The Size-Cap Rule
- Entities in Scope Regardless of Size
- Member State Transposition Status
- Core Obligations Under NIS2
- Supply Chain Security Under NIS2
- Incident Reporting Requirements
- Penalties and Enforcement
- NIS2 vs NIS1: What Changed
- How to Determine If Your Organisation Is in Scope
- Conclusion: Preparing for NIS2 Compliance
- Frequently Asked Questions
- Related Insights & Our Courses
Executive Summary
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's comprehensive overhaul of its cybersecurity regulatory framework. It replaces the original NIS Directive of 2016 (NIS1), dramatically expanding the scope of organisations required to implement cybersecurity risk management measures and report significant incidents to national authorities.
The scale of expansion is substantial. Where NIS1 covered approximately 10,000-15,000 entities across the EU, NIS2 brings an estimated 160,000 entities into scope (ENISA). It covers 18 sectors, up from 7 under NIS1, and introduces a size-based threshold that automatically captures medium and large enterprises in covered sectors, eliminating the inconsistent member state designation processes that plagued NIS1.
The transposition deadline was October 17, 2024. Member states were required to adopt national implementing legislation by this date. As of March 2026, implementation progress varies significantly across the EU: some member states completed transposition on time, while others experienced delays. But the direction is clear: NIS2 is becoming enforceable national law across Europe, and organisations in scope must comply.
"NIS2 represents a paradigm shift in European cybersecurity regulation. For the first time, the EU has a coherent, cross-sectoral framework that treats cybersecurity not as a technical issue but as a management responsibility. The personal liability provisions for management bodies are designed to ensure that cybersecurity is no longer delegated and forgotten – it belongs on the board agenda."
– Juhan Lepassaar, Executive Director of ENISA (European Union Agency for Cybersecurity), speaking at the ENISA Cybersecurity Policy Conference, October 2024
This guide provides a definitive analysis of who is in scope, how the essential/important entity distinction works, what the obligations are, and how organisations should assess their NIS2 status in 2026.
What Is the NIS2 Directive?
The NIS2 Directive is an EU legislative instrument establishing a high common level of cybersecurity across the Union. It was adopted on December 14, 2022, and entered into force on January 16, 2023. As a directive (not a regulation), it requires member states to transpose it into national law, unlike the GDPR or the EU AI Act, which apply directly.
The Legislative Foundation
NIS2 is based on Article 114 TFEU (internal market harmonisation). Its stated objective is to address the "significant differences in the level of cyber resilience across Member States" that resulted from divergent transposition of NIS1 (Recital 4, NIS2).
Key Design Principles
| Principle | Description |
|---|---|
| Broader scope | More sectors, more entities, fewer exemptions |
| Size-based threshold | Automatic inclusion based on enterprise size, replacing inconsistent national designation |
| Harmonised obligations | Minimum requirements for risk management, incident reporting, and governance |
| Management accountability | Personal liability for senior management for approving and overseeing cybersecurity measures |
| Supply chain focus | Explicit requirements to manage cybersecurity risks in the supply chain |
| Enhanced enforcement | Higher fines, mandatory audits, and supervisory powers |
Why NIS2 Matters: The Cybersecurity Landscape in 2026
The Threat Environment
| Statistic | Figure | Source |
|---|---|---|
| Ransomware attacks on EU entities | 10,000+ incidents in 2024 | ENISA Threat Landscape 2024 |
| Average ransomware demand | EUR 4.4 million | ENISA Threat Landscape 2024 |
| Supply chain attacks increase | 300% increase 2021-2024 | ENISA Threat Landscape for Supply Chain Attacks |
| Critical infrastructure incidents | 19,000+ reported to CERTs in 2024 | ENISA Annual Report 2024 |
| EU cybersecurity market | EUR 42 billion (2024) | European Commission Digital Economy and Society Index |
| Cybersecurity workforce gap (EU) | ~300,000 unfilled positions | ENISA Cybersecurity Skills Certification |
Why NIS1 Was Not Enough
The original NIS Directive (2016) had three fundamental weaknesses that NIS2 was designed to address:
Inconsistent scope. Member states had wide discretion in designating "operators of essential services," leading to identical companies being in scope in one country and out of scope in another.
Limited sectors. NIS1 covered only 7 sectors (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure). Critical sectors like manufacturing, food production, waste management, postal services, and public administration were excluded.
Weak enforcement. NIS1 imposed no minimum penalty levels, and enforcement varied dramatically across member states. Some national authorities issued zero fines over the entire lifetime of NIS1.
Who Must Comply With NIS2: The Scope Rules
NIS2 uses a combination of sector and size criteria to determine which organisations are in scope. This represents a fundamental shift from NIS1's reliance on member state designation.
The Three-Step Scope Test
Step 1: Is your organisation in a covered sector?
NIS2 covers 18 sectors divided into two categories: "sectors of high criticality" (Annex I, 11 sectors) and "other critical sectors" (Annex II, 7 sectors). If your organisation operates in any of these sectors, proceed to Step 2.
Step 2: Does your organisation meet the size threshold?
NIS2 applies to entities that are at least medium-sized enterprises under Commission Recommendation 2003/361/EC: 50+ employees OR annual turnover exceeding EUR 10 million OR annual balance sheet exceeding EUR 10 million. If you meet the size threshold and are in a covered sector, you are in scope.
Step 3: Are you in scope regardless of size?
Certain entities are captured regardless of size due to the critical nature of their services. These include trust service providers, DNS service providers, TLD registries, and entities that are the sole provider of a service essential for critical societal or economic activities.
Visual Scope Decision Tree
Organisation operates in NIS2 covered sector?
├── NO → Not in scope (unless member state extends scope)
└── YES → Is it a medium or large enterprise (50+ staff or EUR 10M+ turnover)?
    ├── YES → IN SCOPE
    │   └── Essential or Important entity? (see classification rules below)
    └── NO (micro/small enterprise)
        └── Is it in a special category (sole provider, trust services, DNS, TLD, etc.)?
            ├── YES → IN SCOPE regardless of size
            └── NO → Not in scope (unless member state extends scope)
Essential Entities vs Important Entities
NIS2 divides in-scope entities into two categories with different supervisory regimes and penalty levels. The distinction is critical because it determines both the intensity of regulatory oversight and the maximum penalties for non-compliance.
Classification Rules
| Category | Criteria | Supervisory Approach |
|---|---|---|
| Essential Entities | Large enterprises in Annex I sectors; certain entities regardless of size (qualified trust services, TLDs, DNS, telecoms operators) | Ex ante and ex post supervision: proactive audits, inspections, on-site visits |
| Important Entities | Medium enterprises in Annex I sectors; medium and large enterprises in Annex II sectors | Ex post only: supervision triggered by evidence of non-compliance (e.g. incident, complaint) |
What "Large" and "Medium" Mean
Under the Commission Recommendation 2003/361/EC:
| Category | Headcount | Annual Turnover | Annual Balance Sheet |
|---|---|---|---|
| Large enterprise | 250+ employees | OR > EUR 50 million | OR > EUR 43 million |
| Medium enterprise | 50-249 employees | OR EUR 10-50 million | OR EUR 10-43 million |
| Small enterprise | 10-49 employees | OR EUR 2-10 million | OR EUR 2-10 million |
| Micro enterprise | < 10 employees | AND < EUR 2 million | AND < EUR 2 million |
Key rule: An entity in an Annex I ("highly critical") sector that meets the large enterprise threshold is an essential entity. An entity in an Annex I sector that is only medium-sized is an important entity. All entities in Annex II ("other critical") sectors, whether medium or large, are important entities (unless member states designate them as essential due to criticality).
Practical Implications of the Distinction
| Aspect | Essential Entities | Important Entities |
|---|---|---|
| Supervision | Proactive (ex ante audits, inspections) | Reactive (triggered by evidence) |
| Max administrative fine | EUR 10 million or 2% of global turnover | EUR 7 million or 1.4% of global turnover |
| Audit obligation | Regular security audits required | Audits may be ordered after incidents |
| Compliance orders | Authorities can issue binding instructions | Authorities can issue binding instructions |
| Management suspension | Authorities can suspend management body members | Not specified |
| Incident reporting | Mandatory multi-stage reporting | Mandatory multi-stage reporting |
Management Body Liability
One of the most significant innovations in NIS2 is Article 20, which requires that:
- Members of management bodies of essential and important entities must approve the cybersecurity risk management measures
- Management bodies must oversee the implementation of those measures
- Management bodies can be held personally liable for infringements
- Management body members must undergo cybersecurity training
This is not a delegation to the IT department. NIS2 makes cybersecurity a board-level governance obligation.
The 18 Sectors Covered by NIS2
Annex I: Sectors of High Criticality (11 Sectors)
Entities in these sectors that meet the large enterprise threshold are classified as essential entities.
| # | Sector | Sub-sectors | Example Entities |
|---|---|---|---|
| 1 | Energy | Electricity, oil, gas, hydrogen, district heating/cooling | Electricity generators, grid operators, oil refineries, gas distribution networks |
| 2 | Transport | Air, rail, water, road | Airlines, railway operators, port authorities, freight companies |
| 3 | Banking | Credit institutions | Commercial banks, savings banks |
| 4 | Financial market infrastructure | Trading venues, CCPs | Stock exchanges, clearing houses |
| 5 | Health | Healthcare providers, EU reference labs, pharma, medical devices | Hospitals, clinics, pharmaceutical manufacturers, medical device producers |
| 6 | Drinking water | Suppliers and distributors | Water utilities, treatment plants |
| 7 | Waste water | Collection, disposal, treatment | Waste water treatment operators |
| 8 | Digital infrastructure | IXPs, DNS, TLD registries, cloud computing, data centres, CDNs, trust services, electronic communications | Cloud providers (AWS, Azure, GCP), data centre operators, telecoms |
| 9 | ICT service management (B2B) | Managed service providers, managed security service providers | MSSPs, MSPs providing IT services to businesses |
| 10 | Public administration | Central government entities | Government ministries, national agencies (excludes judiciary, parliament, central banks) |
| 11 | Space | Ground-based infrastructure operators | Satellite ground station operators, space situational awareness providers |
Annex II: Other Critical Sectors (7 Sectors)
Entities in these sectors (medium and large) are classified as important entities.
| # | Sector | Sub-sectors | Example Entities |
|---|---|---|---|
| 1 | Postal and courier services | Postal service providers | National post offices, courier companies |
| 2 | Waste management | Waste collection, treatment, recycling | Waste management companies |
| 3 | Manufacturing of chemicals | Production, manufacturing, distribution | Chemical manufacturers, REACH registrants |
| 4 | Food production, processing, distribution | Food businesses, wholesale distribution | Food manufacturers, wholesale distributors |
| 5 | Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles, other transport equipment | Automotive OEMs, electronics manufacturers, industrial machinery producers |
| 6 | Digital providers | Online marketplaces, online search engines, social networking platforms | E-commerce marketplaces, search engines, social media platforms |
| 7 | Research | Research organisations | Universities and research institutes (where results are not exclusively protected by IP) |
Sectors Excluded From NIS2
Certain sectors and entities are explicitly outside NIS2 scope:
- National security, defence, and public security activities
- Judiciary, parliaments, and central banks (excluded from public administration scope)
- Micro and small enterprises in covered sectors (unless in special categories)
- Entities not operating in covered sectors (e.g. retail, hospitality, real estate), unless member states extend scope
Size Thresholds: The Size-Cap Rule
How the Size-Cap Works
The size-cap rule is NIS2's primary mechanism for determining scope. It automatically captures organisations that meet the following thresholds in covered sectors:
In scope (medium or large):
- 50 or more employees, OR
- Annual turnover exceeding EUR 10 million, OR
- Annual balance sheet total exceeding EUR 10 million
Out of scope (micro or small):
- Fewer than 50 employees, AND
- Annual turnover not exceeding EUR 10 million, AND
- Annual balance sheet total not exceeding EUR 10 million
Important Nuances
Connected enterprises: Under the SME Recommendation, linked or partner enterprises must aggregate their employee counts and financial data. A small subsidiary of a large enterprise may be classified as "large" for NIS2 purposes if the parent company's data is consolidated.
Turnover vs headcount: The thresholds use "OR" logic, meaning a company with 30 employees but EUR 15 million in turnover is medium-sized and in scope.
Member state discretion: Article 2(2) allows member states to extend NIS2 obligations to entities below the size threshold if they determine that the entity provides a critical service. This means some small enterprises may be captured depending on national transposition.
Entities in Scope Regardless of Size
Article 2(2) specifies categories of entities that are captured by NIS2 regardless of whether they meet the size threshold:
| Category | Rationale |
|---|---|
| Qualified trust service providers | Critical role in digital identity and electronic transactions |
| Top-level domain (TLD) name registries | Critical infrastructure for internet functioning |
| DNS service providers | Essential for internet name resolution |
| Providers of public electronic communications networks or services meeting certain criteria | Essential communication infrastructure |
| Public administration entities at central government level | Critical government functions |
| Entities identified as "critical entities" under the CER Directive (Directive (EU) 2022/2557) | Cross-reference with critical entity resilience |
| Entities designated by member states as sole provider of essential services | Where disruption would have systemic impact |
Member State Transposition Status
The October 17, 2024 Deadline
Member states were required to adopt and publish national measures transposing NIS2 by October 17, 2024 (Art. 41). The measures must apply from October 18, 2024. By the same date, member states had to establish a list of essential and important entities (Art. 3(3)), to be updated at least every two years.
Transposition Progress as of March 2026
As with previous EU directives, transposition has been uneven. Based on publicly available information from the European Commission and national government sources:
| Status | Member States |
|---|---|
| Transposed on time or shortly after | Belgium, Croatia, Czech Republic, Hungary, Italy, Latvia, Lithuania |
| Transposed with delay (2025) | Austria, Denmark, Finland, France, Germany, Ireland, Netherlands, Poland, Spain, Sweden |
| Late / still in progress | A small number of member states with ongoing legislative processes |
The European Commission initiated infringement proceedings against member states that missed the October 2024 deadline. This process is ongoing.
What Delayed Transposition Means for Organisations
Even where national transposition was delayed:
- The Directive's provisions are clear and specific enough that national authorities may rely on them in enforcement actions (consistent with CJEU case law on the direct effect of directives against state entities)
- Organisations should prepare based on the Directive text, as national laws will closely mirror it (with potential stricter provisions)
- Cross-border organisations may be subject to NIS2 obligations in member states that have transposed, even if their home state has not yet completed the process
Core Obligations Under NIS2
Cybersecurity Risk Management Measures (Article 21)
Both essential and important entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Article 21(2) specifies a minimum baseline:
| Measure | Description |
|---|---|
| (a) Policies on risk analysis and information system security | Documented cybersecurity risk management policies |
| (b) Incident handling | Procedures for detecting, analysing, and responding to incidents |
| (c) Business continuity and crisis management | Backup management, disaster recovery, business continuity planning |
| (d) Supply chain security | Security in relationships with direct suppliers and service providers |
| (e) Security in network and information system acquisition, development, and maintenance | Including vulnerability handling and disclosure |
| (f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures | Testing, auditing, and review |
| (g) Basic cyber hygiene practices and cybersecurity training | Security awareness for all staff |
| (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Data protection in transit and at rest |
| (i) Human resources security, access control policies, and asset management | Controlling access to systems and data |
| (j) Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems | Technical controls |
The "All-Hazards" Approach
Article 21(1) requires an all-hazards approach: measures must protect against threats from all sources, not just cyber attacks. This includes physical security, human error, system failures, natural events, and supply chain compromises.
Proportionality
Measures must be proportionate to the risk, taking into account the entity's size, exposure to risk, severity of potential incidents, and the state of the art. This means a hospital and a food manufacturer may implement different controls even though both are in scope.
Supply Chain Security Under NIS2
Article 21(2)(d) imposes a specific obligation to address supply chain cybersecurity risks. This has cascading effects throughout the economy.
What NIS2 Requires for Supply Chain Security
In-scope entities must:
- Assess and account for the cybersecurity properties of products and services from their suppliers
- Consider the overall quality of products and cybersecurity practices of suppliers, including their secure development procedures
- Integrate cybersecurity requirements into contractual arrangements with direct suppliers and service providers
- Assess the results of coordinated security risk assessments of critical supply chains carried out under Article 22
The Ripple Effect
Even organisations that are not directly in scope of NIS2 may be affected if they supply products or services to NIS2-obligated entities. Those entities will impose cybersecurity requirements on their supply chains through contracts and procurement standards. This creates a de facto compliance obligation for many smaller suppliers.
"NIS2's supply chain provisions mean that cybersecurity requirements will flow through the entire economic value chain. If you supply technology, services, or components to entities in NIS2 sectors, you should expect your customers to demand evidence of your cybersecurity posture. The organisations that prepare now will retain their contracts; those that do not will lose them."
– Apostolos Malatras, Team Leader, Knowledge and Information, ENISA, speaking at the ENISA NIS2 Stakeholder Workshop, September 2024
Incident Reporting Requirements
NIS2 introduces a multi-stage incident reporting framework (Article 23) that is significantly more structured than NIS1.
Reporting Timeline
| Stage | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours of becoming aware of a significant incident | Whether the incident is suspected to be caused by unlawful or malicious acts, whether it could have cross-border impact |
| Incident notification | Within 72 hours of becoming aware | Update to initial assessment, including severity and impact, indicators of compromise where available |
| Intermediate report | Upon request by CSIRT/competent authority | Status updates on the incident and response |
| Final report | Within 1 month of the incident notification | Detailed description, root cause, mitigation measures, cross-border impact |
What Constitutes a "Significant Incident"?
Article 23(3) defines a significant incident as one that:
- Has caused or is capable of causing severe operational disruption of the service or financial loss
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Penalties and Enforcement
Administrative Fines
| Entity Type | Maximum Fine | Source |
|---|---|---|
| Essential entities | EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher | Art. 34(4) |
| Important entities | EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher | Art. 34(5) |
Enforcement Powers
National competent authorities have extensive powers under Articles 32 and 33:
For essential entities (proactive supervision):
- On-site inspections and off-site audits
- Regular and targeted security audits (at entity's expense)
- Ad hoc audits triggered by significant incidents
- Security scans and evidence requests
- Requests for documentation and evidence of compliance
- Binding instructions with deadlines
- Administrative fines
- Temporary suspension of certifications or authorisations
- Temporary ban on exercising managerial functions for responsible natural persons
For important entities (reactive supervision):
- On-site inspections and off-site audits (triggered by evidence of non-compliance)
- Targeted security audits
- Security scans
- Requests for documentation
- Binding instructions with deadlines
- Administrative fines
Personal Liability for Management
Article 20(1) requires member states to ensure that management body members can be held personally liable for failure to comply with their obligations to approve and oversee cybersecurity risk management measures. This is a significant departure from traditional corporate liability frameworks and is designed to ensure C-suite engagement.
NIS2 vs NIS1: What Changed
| Dimension | NIS1 (Directive 2016/1148) | NIS2 (Directive 2022/2555) |
|---|---|---|
| Sectors | 7 sectors | 18 sectors |
| Scope determination | Member state designation (inconsistent) | Size-cap rule (automatic, harmonised) |
| Estimated entities | ~10,000-15,000 across EU | ~160,000 across EU |
| Entity classification | Operators of essential services (OES) + digital service providers (DSP) | Essential entities + important entities |
| Risk management | General principles | 10 specific minimum measures (Art. 21(2)) |
| Incident reporting | "Without undue delay" (no specific timeline) | 24h early warning, 72h notification, 1-month final report |
| Supply chain | Not specifically addressed | Explicit supply chain security obligation |
| Management liability | Not addressed | Personal liability for management bodies |
| Penalties (essential) | No harmonised minimum | EUR 10M or 2% of turnover |
| Penalties (important) | No harmonised minimum | EUR 7M or 1.4% of turnover |
| Supervision (essential) | Varied by member state | Ex ante (proactive) |
| Supervision (important) | Varied by member state | Ex post (reactive) |
| Training | Not explicitly required | Cybersecurity training for management and staff required |
How to Determine If Your Organisation Is in Scope
Step-by-Step Self-Assessment
1. Identify your sector(s)
Review the 18 sectors listed in Annexes I and II of NIS2. Consider all activities your organisation performs; a conglomerate may fall under multiple sectors.
2. Determine your size
Calculate headcount, annual turnover, and balance sheet total using the Commission Recommendation 2003/361/EC methodology. Remember to include linked and partner enterprises.
3. Check for size-independent categories
Even if you are a small enterprise, check whether you fall into any category captured regardless of size (trust services, DNS, TLDs, public administration, etc.).
4. Classify as essential or important
- Large enterprise + Annex I sector = Essential
- Medium enterprise + Annex I sector = Important
- Medium or large enterprise + Annex II sector = Important
- Check national legislation for any additional designations
5. Map your obligations
Based on your classification, identify the applicable risk management measures, incident reporting requirements, and governance obligations.
6. Assess supply chain implications
Even if your organisation is not directly in scope, determine whether you supply products or services to NIS2 entities, and anticipate their contractual requirements.
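The self-assessment above (and the scope decision tree and size-cap rule earlier in the guide) as an added worked example in Python. This is illustration code written for this guide, not a tool from NIS2, ENISA or CompliQuest; it encodes the thresholds exactly as the page states them, goes one step beyond the page by aggregating partner enterprises pro rata to the holding as the SME Recommendation does, and uses constructed entity names and figures.

```python
from dataclasses import dataclass, field
from enum import Enum

# Thresholds as stated on the page (Commission Recommendation 2003/361/EC), in EUR.
SMALL_HEADCOUNT, SMALL_TURNOVER, SMALL_BALANCE = 10, 2_000_000, 2_000_000
MEDIUM_HEADCOUNT, MEDIUM_TURNOVER, MEDIUM_BALANCE = 50, 10_000_000, 10_000_000
LARGE_HEADCOUNT, LARGE_TURNOVER, LARGE_BALANCE = 250, 50_000_000, 43_000_000


class Annex(Enum):
    NONE = "no covered sector"
    I = "Annex I (high criticality)"
    II = "Annex II (other critical)"


# Size-independent categories (Art. 2(2)). The first set is classified as
# essential in the guide's classification table; the rest are in scope but
# their classification comes from the national list under Art. 3(3).
ESSENTIAL_REGARDLESS_OF_SIZE = {
    "qualified trust service provider", "tld registry", "dns provider",
    "public electronic communications provider",
}
OTHER_SIZE_INDEPENDENT = {"central public administration", "cer critical entity", "sole provider"}


@dataclass
class Enterprise:
    name: str
    headcount: float
    turnover: float
    balance_sheet: float
    linked: list = field(default_factory=list)    # linked enterprises: counted in full
    partners: list = field(default_factory=list)  # (Enterprise, share 0..1): counted pro rata

    def consolidated(self):
        """Aggregate figures across linked and partner enterprises.
        Assumption: a simple ownership tree, no circular holdings."""
        h, t, b = self.headcount, self.turnover, self.balance_sheet
        for e in self.linked:
            eh, et, eb = e.consolidated()
            h, t, b = h + eh, t + et, b + eb
        for e, share in self.partners:
            eh, et, eb = e.consolidated()
            h, t, b = h + eh * share, t + et * share, b + eb * share
        return h, t, b


def size_class(headcount, turnover, balance_sheet):
    """'OR' logic: exceeding any single threshold lifts the entity into that tier."""
    if headcount >= LARGE_HEADCOUNT or turnover > LARGE_TURNOVER or balance_sheet > LARGE_BALANCE:
        return "large"
    if headcount >= MEDIUM_HEADCOUNT or turnover > MEDIUM_TURNOVER or balance_sheet > MEDIUM_BALANCE:
        return "medium"
    if headcount >= SMALL_HEADCOUNT or turnover > SMALL_TURNOVER or balance_sheet > SMALL_BALANCE:
        return "small"
    return "micro"


@dataclass
class ScopeResult:
    in_scope: bool
    classification: str  # "essential", "important", "per national list" or "none"
    size: str
    reason: str


def assess_scope(ent, annex, special_categories=(), national_designation=None):
    """Steps 1-4 of the self-assessment. national_designation is the classification
    a member state assigned when extending scope or upgrading an entity."""
    size = size_class(*ent.consolidated())
    special = {c.lower() for c in special_categories}

    # Step 3: size-independent categories apply whatever the size test says.
    if special & ESSENTIAL_REGARDLESS_OF_SIZE:
        return ScopeResult(True, "essential", size, "essential regardless of size (Art. 2(2))")
    if special & OTHER_SIZE_INDEPENDENT:
        return ScopeResult(True, "per national list", size, "in scope regardless of size (Art. 2(2))")
    # Member state designation overrides sector and size tests.
    if national_designation:
        return ScopeResult(True, national_designation, size, "designated under national law")
    # Step 1: covered sector?
    if annex is Annex.NONE:
        return ScopeResult(False, "none", size, "not in a covered sector")
    # Step 2: size-cap rule.
    if size in ("micro", "small"):
        return ScopeResult(False, "none", size, "below the size cap")
    # Step 4: classification per the key rule.
    if annex is Annex.I and size == "large":
        return ScopeResult(True, "essential", size, "large enterprise in an Annex I sector")
    return ScopeResult(True, "important", size, f"{size} enterprise in {annex.value}")


if __name__ == "__main__":
    # Constructed examples mirroring the nuances in the guide.
    parent = Enterprise("Parent Energy Group", 400, 200e6, 150e6)
    subsidiary = Enterprise("Small Grid Subsidiary", 20, 3e6, 2e6, linked=[parent])
    for ent, annex, extra in [
        (Enterprise("Food Processor", 30, 15e6, 5e6), Annex.II, {}),
        (subsidiary, Annex.I, {}),
        (Enterprise("Boutique DNS", 8, 1e6, 0.5e6), Annex.I, {"special_categories": ["DNS provider"]}),
    ]:
        print(ent.name, assess_scope(ent, annex, **extra))
```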
Common Scope Questions
| Question | Answer |
|---|---|
| "We are a SaaS company; are we in scope?" | If you provide cloud computing, managed IT, or managed security services and meet the size threshold, likely yes (digital infrastructure or ICT service management) |
| "We are a manufacturer; are we in scope?" | If you manufacture medical devices, computers, electronics, machinery, or vehicles and meet the size threshold, yes (Annex II manufacturing) |
| "We are a university; are we in scope?" | If you are a research organisation and meet the size threshold, potentially (Annex II research sector), depending on national transposition |
| "We are a law firm; are we in scope?" | Not directly covered by NIS2 sectors, but if you provide services to NIS2 entities, you may face contractual cybersecurity requirements |
| "We operate outside the EU; are we in scope?" | If you provide services to EU entities in covered sectors, you may be subject to contractual requirements. If you have an EU establishment or provide digital services in the EU, you may be directly in scope |
Conclusion: Preparing for NIS2 Compliance
NIS2 is not a future obligation; it is a present one. The transposition deadline has passed, national laws are taking effect, and enforcement mechanisms are being established. Organisations that are clearly in scope should already be implementing risk management measures and preparing incident reporting capabilities.
Priority Actions for 2026
- Complete your scope assessment. Determine definitively whether you are an essential entity, important entity, or out of scope.
- Conduct a gap analysis against the 10 minimum measures in Article 21(2).
- Ensure management body engagement. Brief your board or senior management on their personal liability under Article 20.
- Implement incident reporting procedures. The 24-hour early warning requirement means you need detection and reporting capabilities ready before an incident occurs.
- Address supply chain security. Review contracts with key suppliers and implement cybersecurity requirements.
- Train your staff. Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training for all personnel, and Article 20(2) requires management body members to undergo training.
- Document everything. Compliance must be demonstrable, not assumed.
Ready to Assess Your NIS2 Obligations?
CompliQuest provides cybersecurity compliance training and NIS2 readiness assessments designed for essential and important entities across all 18 sectors.
Frequently Asked Questions
Who must comply with the NIS2 Directive?
NIS2 applies to medium and large enterprises operating in any of the 18 sectors listed in Annexes I and II of Directive (EU) 2022/2555. The size threshold is 50+ employees OR annual turnover exceeding EUR 10 million. Certain entities, including trust service providers, DNS services, TLD registries, and providers of public electronic communications, are in scope regardless of size. The European Union Agency for Cybersecurity (ENISA) estimates approximately 160,000 entities across the EU are captured, compared to roughly 10,000-15,000 under NIS1.
What are "essential entities" under NIS2?
Essential entities are large enterprises (250+ employees or >EUR 50M turnover) operating in the 11 "sectors of high criticality" listed in Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space). Certain entities are also classified as essential regardless of size, including qualified trust service providers, TLD registries, DNS providers, and providers of public electronic communications networks. Essential entities are subject to proactive (ex ante) supervision, including regular audits, and face maximum fines of EUR 10 million or 2% of global turnover (Art. 34(4)).
What are the penalties for NIS2 non-compliance?
NIS2 establishes two penalty tiers. For essential entities: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Additionally, national competent authorities can issue binding instructions, order security audits at the entity's expense, suspend certifications or authorisations, and, for essential entities, temporarily ban natural persons from exercising managerial functions (Arts. 32-34). Management body members can be held personally liable under Article 20.
When is the NIS2 compliance deadline?
The NIS2 Directive required member states to transpose it into national law by October 17, 2024, with national measures applying from October 18, 2024 (Art. 41). While some member states completed transposition on time, others experienced delays and transposed in 2025. As of March 2026, NIS2 is being enforced or is in the process of becoming enforceable in all EU member states. Organisations should not wait for national implementation to begin compliance: the Directive's requirements are clear, and national laws will closely mirror them.
Does NIS2 apply to SMEs?
It depends. NIS2's size-cap rule excludes micro enterprises (fewer than 10 employees AND under EUR 2 million turnover) and small enterprises (fewer than 50 employees AND under EUR 10 million turnover) in most sectors. However, SMEs are in scope in three situations: (1) they fall into a size-independent category (trust services, DNS, TLDs, electronic communications); (2) they are the sole provider of a service essential for critical societal or economic activities in a member state; or (3) a member state exercises its discretion under Art. 2(2) to extend the scope. Additionally, SMEs that supply NIS2-obligated entities may face contractual cybersecurity requirements even if not directly in scope.
What are the key differences between NIS1 and NIS2?
The main differences are: (1) scope: NIS2 covers 18 sectors vs 7, and ~160,000 entities vs ~10,000-15,000; (2) scope determination: NIS2 uses automatic size-based thresholds instead of inconsistent member state designation; (3) incident reporting: NIS2 mandates 24-hour early warning, 72-hour notification, and 1-month final report vs NIS1's vague "without undue delay"; (4) management liability: NIS2 introduces personal liability for management body members (Art. 20); (5) supply chain: NIS2 adds explicit supply chain security obligations; (6) penalties: NIS2 harmonises minimum penalty levels (EUR 10M/2% for essential, EUR 7M/1.4% for important) vs no harmonised minimums under NIS1; and (7) training: NIS2 explicitly requires cybersecurity training for management and staff.
Related Insights
- Cybersecurity Awareness Training: The Complete Guide for 2026 – How to build effective security awareness programmes that satisfy NIS2 training obligations.
- CISO Roles and Responsibilities: Complete Guide 2026 – The leadership role critical to NIS2 governance.
- 7 GDPR Mistakes That Could Cost Your Company Millions in 2025 – Data protection compliance that overlaps with NIS2 obligations.
- What Is the EU AI Act? Requirements 2026 – Another major EU regulation shaping the compliance landscape.
Our Cybersecurity & Compliance Courses
- Compliance & Regulatory Training – Cybersecurity, NIS2, and risk management training programmes.
- Contact us for NIS2 readiness assessments and tailored cybersecurity training.
