← Thought Leadership

Compliance Guides

Does NIS2 apply to my business?

NIS2 applies to medium-sized and larger entities in a defined list of essential and important sectors — plus some entities regardless of size. Here is how to tell if you are in scope.

Martin Foerster
Co-founder
· 5 min read
High-voltage electricity transmission pylons against a sunset sky

Photo: Matthew Henry / Unsplash

New to the topic? Start with What sovereign compliance actually means.

NIS2 applies to your business if you operate in one of its listed essential or important sectors and are generally medium-sized or larger— at least 50 employees, or annual turnover or balance sheet above €10 million. Some entities are in scope regardless of size. So the answer turns on two things: your sector, and your size. Here is how to check both.

Who NIS2 covers

NIS2 — the second Network and Information Security Directive — lists the sectors it covers in two annexes. Annex I holds the highest-criticality sectors; Annex II holds other important sectors. If your activity is not in either list, NIS2 does not apply to you directly.

Annex I — sectors of high criticalityAnnex II — other critical sectors
EnergyPostal and courier services
TransportWaste management
BankingManufacture, production and distribution of chemicals
Financial market infrastructuresProduction, processing and distribution of food
HealthManufacturing (e.g. medical devices, computers and electronics, machinery, motor vehicles)
Drinking waterDigital providers (online marketplaces, search engines, social networking platforms)
Waste waterResearch organisations
Digital infrastructure
ICT service management (business-to-business)
Public administration
Space

NIS2 replaced the original 2016 NIS Directive and widened this list considerably, so many organisations that were outside the first regime are now in scope. If you are unsure which other EU regimes sit alongside it, start with which EU regulations apply to your company.

The size threshold

Being in a listed sector is necessary but not always sufficient. NIS2 applies a size cap: it generally reaches medium-sized and larger entities — those with at least 50 employees, or annual turnover or annual balance sheet total above €10 million — that operate in the Annex I or Annex II sectors.

There are important exceptions where NIS2 applies regardless of size. These include, among others, certain providers of critical digital infrastructure — such as DNS service providers, top-level-domain name registries, and providers of public electronic communications networks or services — and specified public-administration entities. If your service is one a member state cannot afford to see disrupted, size will not exempt you.

Essential vs important entities

If NIS2 applies, you fall into one of two categories, and the difference decides how a regulator supervises you rather than what you must do.

Definition
Essential entity (NIS2)
An in-scope entity in one of NIS2’s highest-criticality sectors (Annex I) that meets the size threshold, or that is designated in scope regardless of size. Essential entities face proactive, ex-ante supervision — regulators can inspect them without waiting for an incident.
Definition
Important entity (NIS2)
An in-scope entity in one of NIS2’s other listed sectors (Annex II), or an Annex I entity that does not reach the essential-entity threshold. Important entities face reactive, ex-post supervision — regulators act when there is evidence of non-compliance — but must meet the same core security measures.

Both categories carry the same core risk-management and reporting requirements. The distinction is supervisory intensity: essential entities are watched proactively; important entities are held to account after the fact. Higher maximum fines apply to essential entities.

What NIS2 requires

NIS2 requires in-scope entities to do three things:

  • Risk-management measures (Article 21)— a set of appropriate technical, operational, and organisational measures, including policies on risk analysis and information-system security, incident handling, business continuity and backup, supply-chain security, vulnerability handling, encryption, access control, and the use of multi-factor authentication.
  • Incident reporting (Article 23)— a phased notification of significant incidents to your CSIRT or competent authority: an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.
  • Management-body accountability— senior management must approve and oversee the cybersecurity measures, can be held liable for failures, and must undergo training.

This management-body accountability is why NIS2 is a board-level matter, not just an IT one. It also mirrors a pattern across recent EU digital law — the same operational-resilience thinking runs through DORA for financial entities. If you are in banking or financial market infrastructure, check whether DORA applies to your company too, since the two regimes can overlap.

If your business is outside the EU

NIS2 is a directive, not a regulation: each member state transposes it into national law, so the precise thresholds, registration duties, and penalties vary by country. You need to check the implementing law of each member state where you operate, not just the directive text.

A non-EU establishment does not automatically place you outside NIS2. Certain digital service providers — such as DNS providers, cloud computing services, online marketplaces, and search engines — that offer services in the EU must designate a representativeestablished in the Union, and fall under the jurisdiction of the member state where that representative sits. Doing business in Europe generally means meeting European requirements, wherever you are based — a point we cover more broadly in non-EU company selling into the EU. The same reach applies under the EU AI Act if you also build or deploy AI systems.

How COMPLY.Reg helps

COMPLY.Reg is a regulatory compliance platform that uses AI to turn NIS2 from a directive — and its national transpositions — into a working set of requirements: it extracts the individual Article 21 measures and Article 23 reporting duties, maps them to your controls, and tracks the evidence that proves each one, with a human reviewing the result. Your source documents stay on your own systems, and your compliance data is processed in the EU. It is built for European companies and for companies outside Europe that need to meet EU requirements to do business in the EU, and our information-security posture is on track for ISO 27001 and SOC 2 in Q3 2026.

Frequently asked questions

What size does a company have to be for NIS2 to apply?
Generally medium-sized or larger — at least 50 employees, or annual turnover or balance sheet total above €10 million — if it operates in a listed sector. Some entities are in scope regardless of size, such as certain digital-infrastructure and public-administration providers.
What is the difference between essential and important entities?
Essential entities face proactive, ex-ante supervision; important entities face reactive, ex-post supervision. Both must meet the same core risk-management and incident-reporting requirements.
Does NIS2 apply to companies outside the EU?
It can. NIS2 is transposed into national law in each member state, and certain digital service providers offering services in the EU must designate an EU representative even without an EU establishment.

Sources