
NIS2: Who does NIS2 apply to? A clear overview for businesses
Check in minutes whether your company may be affected, and see what matters now for security and compliance.
Contents
- At a glance
- When NIS2 starts to apply
- Factor 1: NIS2 sectors
- Factor 2: location
- Factor 3: company size
- Small businesses may also be affected
- What should you do if you are affected?
At a glance: NIS2, who is affected?
The NIS2 Directive covers far more organisations than its predecessor. For many businesses, the first question is simple: who does NIS2 apply to? A quick first check usually starts with a small number of practical questions.
- Location: NIS2 applies to entities that provide their services or carry out their activities in the EU. An organisation established outside the Union can still be in scope if it offers covered services inside it.
- Size matters, but it is not the only factor. The directive uses the EU SME definition (Recommendation 2003/361/EC). Medium-sized entities, meaning 50 or more employees, or an annual turnover or balance sheet total above €10 million, in a covered sector are generally NIS2 important entities. Entities above the medium-sized ceilings (250 employees, €50 million turnover, €43 million balance sheet total) are generally NIS2 essential entities if they operate in one of the high-criticality sectors, and important entities if they operate in one of the other covered sectors.
- The sector also counts, whether that is energy, transport, banking and finance, healthcare, water, digital infrastructure, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital service providers, research, or another area covered by the directive. These are the main NIS2 sectors and NIS2 industries organisations need to review.
- But there are exceptions. Some entity types are covered regardless of size, for example DNS service providers, top-level domain name registries, trust service providers and providers of public electronic communications networks. Member States can also bring in smaller entities that are the sole provider of a service essential to society or the economy, or whose disruption would have a significant impact on public safety, security or health, or at national or regional level.

When NIS2 starts to apply to your organisation
NIS2 (Directive (EU) 2022/2555) entered into force on 16 January 2023, and Member States had to transpose it into national law by 17 October 2024; not all of them met that deadline. Even so, the EU date alone tells an organisation little. What matters in practice is when the national transposing law takes effect in each country where it operates. That is the point at which the scope rules become concrete and the obligations can be enforced, and national laws may also tighten thresholds or add sectors beyond the directive's minimum.
For businesses, the issue is therefore not only whether they are in NIS2 scope but also timing. Once national law takes effect, there is very little room left to finish work that is still open.
An NIS2 impact assessment helps put that into sharper focus. It shows whether an organisation is likely to be in scope, what will be expected of it, and which basics should already be in place once compliance work accelerates.
Internal responsibility needs to be clear, the evidence needs to exist, and the security measures need to be good enough in practice. If not, the gaps usually surface late, typically during an audit or an incident.

Factor 1: NIS2 sectors, which essential and important entities are covered?
One of the first questions in any NIS2 impact assessment is whether an organisation operates in a sector covered by the directive. NIS2 distinguishes between essential entities and important entities. Both are subject to the same risk management and incident reporting requirements (Articles 21 and 23). The difference lies in supervision and sanctions: essential entities face proactive as well as reactive supervision and higher maximum fines, while important entities are supervised mainly after the fact, when there is evidence of non-compliance. That is why sector classification is one of the first things to check.
Essential entities
This category generally consists of large organisations in the sectors of high criticality listed in Annex I of the directive, plus a few entity types that are essential regardless of size (for example qualified trust service providers, TLD name registries, DNS service providers and central government bodies). The Annex I sectors are:
- Public administration
- Energy
- Transport
- Banking and financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management in a B2B context
- Space
Important entities
This group includes medium-sized organisations in the Annex I sectors above, and organisations from medium-sized upward, including large ones, in the other critical sectors listed in Annex II. The Annex II sectors are:
- Postal and courier services
- Waste management
- Chemicals
- Food production and processing
- Manufacturing
- Digital providers, e.g. online marketplaces and search engines
- Research
In practice, NIS2 scope does not depend on size alone. It also depends on whether the organisation falls within one of the relevant sectors. That is usually where the assessment starts.
Factor 2: location, where NIS2 applies and who it affects
Whether NIS2 applies does not depend on sector and size alone. Location matters too. In principle, the directive can apply to organisations that provide relevant services within the EU, even if their headquarters are outside the Union.
So the key question is not simply where a company is registered. It is whether the organisation operates in a relevant sector and provides covered services or infrastructure within the EU. Where it is established decides which Member State's authorities supervise it (Article 26), not whether the directive applies.
This can look very different depending on the organisation.
- An energy provider established in one EU country that also serves customers in other Member States is in scope and is supervised by the Member State where it is established; the cross-border activity does not change whether NIS2 applies.
- A digital service provider headquartered outside the EU that offers covered services within the Union is in scope. Under Article 26 it must designate a representative in a Member State where it offers those services, and it falls under the jurisdiction of that Member State.
- A public-sector body that delivers covered services inside the EU is in scope.
- An organisation based in one Member State that serves only domestic customers is not excluded by that fact. Cross-border activity is not a scoping criterion; a purely domestic entity in a covered sector falls under its own Member State's transposition of NIS2.
The point is not where a company sits on paper. What matters is whether it delivers covered services in the EU at all; where it is established then determines which national regulator it answers to.
Factor 3: company size, when NIS2 applies
Next to sector and location, company size is the third key factor. As a rule, the directive covers medium-sized and large organisations, using the EU SME definition: 50 or more employees, or an annual turnover or balance sheet total above €10 million. Because that definition counts partner and linked enterprises, group structure can push an otherwise small company over the threshold, although a Member State may disregard partner or linked enterprises whose network and information systems are independent.
For organisations above the medium-sized ceilings (250 employees, €50 million turnover, €43 million balance sheet total), classification as an essential entity applies in the Annex I sectors; in the Annex II sectors even large entities are important entities. Smaller organisations can also fall within scope where they belong to one of the entity types covered regardless of size, or have been identified by a Member State as critical.
So sector alone does not settle the question. Headcount, turnover and balance sheet matter too. This is one reason why NIS2 reaches organisations that never saw themselves as part of critical infrastructure.
Small businesses may also be affected by NIS2, why size is not always decisive
NIS2 is not limited to large organisations. Smaller businesses can be affected in two ways. Directly, when they belong to an entity type covered regardless of size, or have been identified by a Member State as critical, for example as the sole provider of an essential service or because a disruption would have a significant impact on public safety or health. Indirectly, through their customers: an essential or important entity must address supply-chain security as part of its own risk management (Article 21(2)(d)), so a small supplier to an energy operator will typically see NIS2 requirements arrive in contracts and security questionnaires even though the supplier itself is not in scope.
A smaller organisation is therefore not in scope just because it appears somewhere in a supply chain. The questions that matter are how critical its role is, what would happen if it failed, and whether the national authority has identified it as relevant. Contractual obligations passed down from an in-scope customer are real, but they are a different thing from being regulated directly.
Quick check: Could NIS2 apply to your organisation?
Start with the basics. Check whether the organisation's activity matches a sector and entity type in Annex I or Annex II, whether it meets the medium-sized thresholds or falls into a size-independent category, and whether it provides covered services in the EU. Then compare that picture with official EU guidance and the position taken by the national authorities in the countries concerned, since national transposition can widen the scope.
Usually, that is enough for an initial sense of direction. Not a final answer, but a clearer view of whether the organisation may be in scope and what should be reviewed first.
Risks for CISOs and IT decision-makers, taking NIS2 obligations seriously
For organisations in scope, NIS2 brings clear expectations around cyber risk management, governance and incident reporting. So the question is not only relevant for compliance teams. It matters just as much for CISOs, senior IT leaders, and management bodies with oversight responsibilities.
Where NIS2 applies, failing to meet those requirements can lead to regulatory action. The directive sets maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover for essential entities and at least €7 million or 1.4% for important entities, whichever is higher (Article 34). Management bodies must approve and oversee the risk management measures and can be held liable for breaches (Article 20), and depending on national law this can extend to personal accountability for individuals in positions of responsibility. For that reason alone, organisations should not leave the scope question unanswered for long.
The risk is not limited to fines. Problems usually start earlier. Governance may be weak. Ownership is not always clear. Documentation is missing, or reporting looks fine until it is tested under pressure. That tends to show up in audits, but not only there. It can slow decisions down, complicate incident handling, and damage trust at the same time.
A review at an early stage helps. Sometimes legal advice is needed. Sometimes the organisation mainly needs a closer look at its NIS2 exposure and the basics around it: who is responsible, which controls exist, what is documented, and what gets checked, and how often.
What should you do if NIS2 applies to your organisation?
If NIS2 applies to your organisation, the requirement is straightforward in principle. Your network and information systems need to be protected through a mix of technical and organisational measures. Once scope is clear, the next step is to turn that into something practical.
- Carry out a risk assessment and define a security framework
  Review the systems, processes, assets, and interfaces that matter. The aim is to spot weaknesses that could affect resilience, availability or incident response.
- Put measures in place to reduce risk
  This includes both technical and organisational safeguards. Article 21(2) sets the minimum: policies on risk analysis and information system security, incident handling, business continuity including backup management and disaster recovery, supply-chain security, security in acquisition, development and maintenance including vulnerability handling and disclosure, procedures to assess the effectiveness of the measures, basic cyber hygiene and training, policies on cryptography and encryption, human resources security, access control and asset management, and multi-factor or continuous authentication where appropriate.
- Train employees and strengthen security awareness
  People need regular security awareness training that reflects current threats. They should know how to recognise suspicious activity and what to do when something is not right.
- Set up clear incident reporting processes
  Internal procedures should make it clear how incidents are identified, escalated, documented and reported within the required timeframes. For a significant incident, Article 23 requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month; national law may add detail. Decide in advance who makes the "significant" call and who files the notification, because 24 hours passes quickly during an active incident.
- Review your measures on a regular basis
  Controls should not stay static. They need to be checked and updated as risks, business operations, or legal requirements change.
If you know that NIS2 applies, it makes sense to start early. That usually saves time later, avoids unnecessary cost, and reduces compliance risk. A practical NIS2 checklist also helps keep things moving. Responsibilities are easier to assign, progress is easier to track, and audit questions are less likely to come at the wrong moment.
Legal note: This article is for general information only and is not a substitute for legal advice. Organisations that need clarity on their specific NIS2 obligations should speak to a qualified lawyer or the competent authority in their jurisdiction.