
NIS2: Who is affected? A clear overview for companies
In a nutshell: NIS2 – Who is affected?
The NIS2 Directive covers significantly more organisations than its predecessor. A quick NIS2 applicability check is based on these points:
- Location: Active in the EU – with services or infrastructure in one of the NIS2-relevant sectors?
- Company size: Usually more than 50 employees or over €10 million annual turnover (‘important entities’). Large companies with over 250 employees or a turnover of over €50 million are often considered ‘essential entities’.
- Industry: Relevant sectors include, among others, energy, transport, banking and finance, health, water, digital infrastructure, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital service providers and research.
- Special regulations: Smaller companies can also be affected if they provide critical services or are of national importance.
Mandatory from 2025: When NIS2 applies to your company
The NIS2 Directive came into force on 16 January 2023. From 17 October 2024, all EU member states were required to transpose the requirements into national law. However, the obligations for companies only take effect once the respective member state has completed its implementation.
In Germany, this step has now been taken: the NIS2 Implementation Act came into force on 6 December 2025. The NIS2 requirements are therefore binding for affected companies in Germany, and there are no further transition periods. Organisations that fall under NIS2 must now fulfil the obligations, implement the corresponding measures and be able to provide evidence of them. The NIS2 checklist offers structured guidance: it bundles the key requirements and helps to systematically establish responsibilities, measures and evidence.

Factor 1: NIS2 sectors – These (particularly) important entities are affected
A fundamental factor in determining which organisations fall under the NIS2 Directive is their affiliation with certain NIS2 sectors. The directive distinguishes between ‘essential entities’ (‘NIS2 Essential Entities’) and ‘important entities’ (‘NIS2 Important Entities’). Both categories must meet the same security requirements, but are subject to different supervision: essential entities are monitored proactively, while important entities are monitored reactively.
Essential entities
This group typically includes large companies with at least 250 employees, an annual turnover of over €50 million and an annual balance sheet total of more than €43 million. The following NIS2 sectors (Annex I) are affected, among others:
- Public administration
- Energy
- Transport
- Banking and financial market infrastructure
- Healthcare
- Drinking water supply and wastewater management
- Digital infrastructure
- ICT service management (B2B)
- Space
Important entities
This category affects medium-sized companies with 50 to 249 employees and an annual turnover of between €10 million and €50 million. Relevant NIS2 sectors include:
- Postal and courier services
- Waste management
- Chemical industry
- Food production and processing
- Manufacturing
- Digital providers (online marketplaces, search engines, social networks)
- Research institutions
Factor 2: Location – Where NIS2 applies and who it affects
Whether a company is affected by the NIS2 Directive depends not only on its sector and size, but also on its geographical area of operation. As a general rule, NIS2 applies to organisations that are active in the European Union – regardless of whether their headquarters are located inside or outside the EU.
What is relevant is whether the company is active in one of the NIS2 sectors and offers essential or important services there. This affects both NIS2 Essential Entities and NIS2 Important Entities. Examples include:
- An energy provider based in Germany that also supplies customers in other EU countries
- A digital service provider outside the EU that specifically provides its services in several member states
- An authority in the NIS2 public administration sector that provides data and services within the EU
- Not affected: A company based in Germany that exclusively supplies German customers and does not provide cross-border services in the EU
So, the rule is: Anyone providing essential or important services in relevant NIS2 sectors within the EU may fall under the regulations – regardless of where their company is headquartered.
Factor 3: Company size – When NIS2 applies
In addition to sector and location, the size of the company also determines whether an organisation falls under the requirements of the NIS2 Directive. This generally affects medium-sized and large companies with more than 50 employees or an annual turnover of over €10 million.
For particularly large companies – often with over 250 employees and more than €50 million in turnover – the stricter requirements for essential entities apply. Smaller organisations can also be included if they are active in a relevant sector and their services are of considerable importance.
This makes it clear that the question of who is affected by NIS2 does not just depend on the field of activity. Economic indicators can also place a company within the scope of application – even if it was not previously one of the businesses classified as critical.
Even small companies can be affected by NIS2 – why size is not always the deciding factor
The NIS2 Directive does not only cover large organisations. Even companies that are below the usual thresholds can be affected by NIS2. This applies in particular to businesses in relevant sectors or with a key role in critical supply chains.
For example, a medium-sized supplier to an energy provider can be classified as one of the companies affected by NIS2 despite its smaller size – for instance, if its services are indispensable for the operation of an essential entity.
Classification is therefore not based solely on the number of employees or turnover, but also on the consequences an outage would have for essential or important entities.
Important: This inclusion of smaller organisations is not automatic for all suppliers. It is based on a concrete risk assessment or an explicit determination by the competent authorities.
NIS2 applicability check – get clarity quickly with official tools
Whether an organisation falls under the requirements of the NIS2 Directive is not always obvious at first glance. In addition to industry, location and company size, individual risk factors often play a role. A structured NIS2 applicability check helps to work through these questions systematically.
Quick check: Is your company affected by NIS2?
Use the official checking tools to get an initial assessment quickly:
- NIS2 applicability check from the BSI (official tool, not legally binding)
- FitNIS2 applicability check (supplementary tool)
The results provide an initial assessment of whether you are considered an essential or important entity – and thus provide a clear basis for the next steps.
Risks for CISOs and IT decision-makers – Taking NIS2 obligations seriously
The NIS2 Directive provides for strict sanctions for infringements of its requirements. For companies affected by NIS2, this can mean – depending on national implementation – heavy fines and, in certain cases, personal liability for individuals, for example, for managing directors, CISOs or others responsible for information security.
In Germany, the implementation act (NIS2UmsuCG) has been in force since 6 December 2025, so violations can now be sanctioned in Germany under NIS2, just as they already can in other EU member states that have completed their implementation. The specific amount and the framework for fines are determined nationally. Companies should therefore check now whether they are affected by the NIS2 Directive and then implement the necessary security measures – such as clear responsibilities, documented processes and regular audits. This allows legal and economic risks to be minimised at an early stage.
What to do if you are affected by NIS2?
Organisations that fall under the NIS2 Directive must secure their network and information systems with an effective mix of organisational and technical measures. For companies affected by NIS2, this includes in particular:
- Risk analysis and security concept: inventory of all relevant systems, processes and interfaces, as well as a targeted search for possible vulnerabilities.
- Risk mitigation measures: introduction of suitable technical and organisational safeguards – from strict access controls to robust emergency plans.
- Training and awareness: regularly train employees on cybersecurity topics and promote security awareness – for example, with practical Cyber Security Awareness Training from SoSafe.
- Establish reporting structures: introduce procedures for reporting security incidents within the prescribed deadlines.
- Continuous review: regularly evaluate measures and adapt them as necessary.
Those who act early and follow a clear implementation checklist will save time in an emergency, avoid unnecessary costs and reduce the risk of sanctions now that the national implementation act is in force in Germany. Please note: This article does not constitute legal advice. It is for general information purposes only and is not a substitute for an individual legal review. For binding information on your obligations under the NIS2 Directive, please contact qualified legal advisers or the competent authorities.