
Who Needs NIS 2 Compliance?

NIS 2 applies to a broad range of organizations across the European Union, significantly expanding the scope of the original NIS Directive. Understanding whether your organization falls within scope is the first step toward compliance, and the answer depends on your sector, size, and the nature of the services you provide.

Key Takeaways

  • Size threshold: Medium enterprises (50+ employees or €10M+ turnover) and large enterprises (250+ employees or €50M+ turnover)
  • Sector-based: 18 sectors divided into essential (Annex I) and important (Annex II) entities
  • Exceptions: Some entities are in scope regardless of size (DNS providers, TLD registries, qualified trust service providers)
  • Non-EU entities: Organizations providing services in the EU from outside the EU may also be in scope
  • Estimated impact: Over 160,000 entities across the EU

Quick Answer: NIS 2 applies to medium and large organizations in 18 critical sectors. If your organization has 50+ employees or €10M+ annual turnover and operates in energy, healthcare, digital infrastructure, manufacturing, or other covered sectors, you likely need to comply.

The Size-Cap Mechanism

NIS 2 introduces a clear, harmonized approach to determining which organizations are in scope. Unlike the original NIS Directive, which left scope determination largely to member states, NIS 2 uses a size-cap mechanism:

Size Category   Employees   Annual Turnover   Balance Sheet
Medium          50-249      €10M-€50M         €10M-€43M
Large           250+        €50M+             €43M+
Small/Micro     Under 50    Under €10M        Under €10M

Small and micro enterprises are generally exempt from NIS 2, with specific exceptions for:

  • Qualified trust service providers
  • DNS service providers
  • TLD name registries
  • Providers of public electronic communications networks or services
  • Public administration entities
  • Entities that are the sole provider of a critical service in a member state
  • Entities whose disruption could have significant impact on public safety, security, or health

Essential Entities (Annex I)

Essential entities face the highest level of regulatory scrutiny under NIS 2. They are subject to proactive supervision, meaning authorities can conduct inspections and audits without a triggering incident.

Sectors and examples:

  • Energy: Electricity, oil, gas, hydrogen, district heating and cooling
  • Transport: Air, rail, water, road transport operators
  • Banking: Credit institutions as defined by CRD
  • Financial market infrastructure: Trading venues, central counterparties
  • Health: Hospitals, healthcare providers, EU reference laboratories, manufacturers of medical devices considered critical during public health emergencies
  • Drinking water: Suppliers and distributors of water intended for human consumption
  • Wastewater: Enterprises collecting, disposing of, or treating urban, domestic, or industrial wastewater
  • Digital infrastructure: IXPs, DNS providers, TLD registries, cloud computing, data centers, CDNs, trust service providers, public electronic communications networks
  • ICT service management (B2B): Managed service providers and managed security service providers
  • Public administration: Central government entities (excluding judiciary, parliaments, and central banks)
  • Space: Operators of ground-based infrastructure supporting space-based services

Important Entities (Annex II)

Important entities have somewhat lighter supervision (reactive rather than proactive) but still face the same cybersecurity requirements. The main difference is in enforcement and penalties.

Sectors and examples:

  • Postal and courier: Providers of postal and courier services
  • Waste management: Waste collection, transport, treatment, and disposal operators
  • Chemicals: Manufacturing, production, and distribution of chemicals
  • Food: Food production, processing, and distribution businesses
  • Manufacturing: Medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles, trailers, and other transport equipment
  • Digital providers: Online marketplaces, online search engines, social networking service platforms
  • Research: Research organizations (where results could be exploited for commercial or industrial purposes)

How to Determine if Your Organization is in Scope

Step 1: Check your size

  • Do you have 50 or more employees? Or annual turnover of €10M+?
  • If no, you are generally exempt unless you fall into a special category

Step 2: Identify your sector

  • Does your organization operate in any of the 18 sectors listed in Annex I or Annex II?
  • Consider all business activities, not just your primary business

Step 3: Determine your entity classification

  • Annex I sectors: You are an essential entity (subject to proactive supervision)
  • Annex II sectors: You are an important entity (subject to reactive supervision)
  • Some entities may qualify under multiple sectors

Step 4: Check for special circumstances

  • Are you a critical infrastructure entity under the CER Directive?
  • Are you the sole provider of a critical service in a member state?
  • Does your organization provide cross-border services?

Essential vs Important: What is the Difference?

Aspect                       Essential Entities                           Important Entities
Supervision                  Proactive (ex-ante)                          Reactive (ex-post)
Maximum fine                 €10M or 2% of global turnover                €7M or 1.4% of global turnover
Cybersecurity requirements   Same as important entities                   Same as essential entities
Incident reporting           Same timelines                               Same timelines
Authority powers             Broader inspection and enforcement powers    Inspection only after evidence of non-compliance

The cybersecurity requirements themselves are identical for both categories. The primary differences lie in the supervisory approach and the maximum penalties.

Non-EU Organizations

NIS 2 has extraterritorial reach. If your organization is established outside the EU but provides services within the EU in a covered sector, you may need to comply. Specifically:

  • DNS service providers, TLD name registries, cloud computing providers, data center providers, CDN providers, managed service providers, managed security service providers, and online marketplaces, search engines, or social networking platforms must designate a representative in the EU
  • The representative must be established in one of the member states where the entity provides services
  • Failure to designate a representative does not exempt the entity from NIS 2 obligations

What Happens if You Do Not Comply?

Non-compliance carries significant consequences:

  • Financial penalties: Up to €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities
  • Management liability: Senior management can be held personally accountable
  • Operational restrictions: Authorities can temporarily suspend certifications or activities
  • Reputational damage: Compliance status may become a factor in business relationships and contracts
  • Increased scrutiny: Non-compliance may trigger more frequent and intensive supervisory reviews

Common Questions

Do startups need to comply with NIS 2?

Most startups are exempt because they fall below the size thresholds (50 employees or €10M turnover). However, startups in certain categories like trust service providers or DNS providers must comply regardless of size. Additionally, startups growing rapidly should plan ahead since crossing the threshold triggers compliance obligations.

Does NIS 2 apply to SaaS companies?

It depends on the sector and size. SaaS companies that qualify as managed service providers, cloud computing services, or digital infrastructure providers may fall within scope. If your SaaS product serves essential or important entities, you may also face indirect obligations through your customers' supply chain requirements.

How does NIS 2 interact with national law?

NIS 2 is a directive, meaning each EU member state must transpose it into national law. The directive sets minimum requirements, but member states can adopt stricter measures. Organizations should check their local transposition for any additional requirements beyond the directive's baseline.