Skip to content
Background Banner
NIS2 entity classification by sector and size: essential, important, or out of scope.
NIS2June 15, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 10 min read

NIS2 Essential Entity Criteria: How to Classify Your Organisation, and Why Getting It Wrong Cuts Both Ways

NIS2 essential entity criteria: how sector and size decide essential vs important, the size-exempt categories, and what classification really changes.

Iulian Bozdoghina
Iulian BozdoghinaLead Auditor and Consultant

Executive Summary

Under NIS2, whether you are an "essential" entity, an "important" entity, or out of scope is decided by two things together, the sector you operate in and the size of your organisation. Annex I (high-criticality) sectors at large-enterprise size produce essential entities; medium-sized organisations in those sectors, and most organisations in Annex II sectors, are important. A short list of categories (DNS providers, TLD registries, qualified trust service providers, certain public-administration bodies) are essential regardless of size. The classification matters less than most people assume for what security you must implement (the Article 21 measures and incident-reporting duties are identical for both tiers) and more than they assume for how you are supervised and fined. No authority sends you a letter; you classify and register yourself, and in Germany the deadline to do so has already passed.

A NIS2 question rarely arrives as "are we compliant?" It arrives as "are we even in scope?", usually from a managing director who has heard the directive is now German law, has seen a turnover figure quoted somewhere, and cannot tell whether it applies to a 90-person manufacturer in Baden-Württemberg or only to power grids and hospitals.

It is a reasonable place to be confused. The scoping logic reads simply on the page and turns out to have three or four moving parts the moment you apply it to a real company. Across the organisations we help work through this, the same misreadings recur: treating size as the only test, assuming "important" means a lighter compliance load than "essential," and waiting for an official notification that is never going to come. This piece is the practitioner reading of the essential-entity criteria, how the classification actually works, what it changes, and where the costly mistakes sit.

The two-axis test: sector and size, never one alone

NIS2 does not classify organisations by size alone, and it does not classify them by sector alone. It uses both axes together, and you need both readings before the answer means anything.

The sector axis comes from two annexes to the directive. Annex I lists eleven sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II lists seven other critical sectors: postal and courier services, waste management, the manufacture and distribution of chemicals, the production and distribution of food, manufacturing (which includes medical devices, electronics, electrical equipment, machinery, and motor vehicles), digital providers such as online marketplaces and search engines, and research.

The size axis uses the EU's standard enterprise definitions. A medium enterprise has at least 50 employees, or annual turnover and balance sheet above €10 million. A large enterprise has at least 250 employees, or turnover above €50 million together with a balance sheet above €43 million. Organisations below the medium threshold, micro and small, are, as a baseline rule, outside the scope of NIS2.

Put the two axes together and you get the actual classification:

  • Essential entity, a large organisation operating in an Annex I (high-criticality) sector.
  • Important entity, a medium organisation in an Annex I sector, or any medium or large organisation in an Annex II sector.
  • Out of scope (baseline), below the medium-enterprise threshold, unless a size-exempt category applies.

This is where the most common misread happens. A 300-person motor-vehicle component manufacturer is a large enterprise, but manufacturing sits in Annex II, so it is an important entity, not essential. A 70-person managed-IT provider delivering ICT service management is in Annex I, but at medium size it is important, not essential. Size alone tells you almost nothing until you have placed the company in the right annex.

The categories that are essential regardless of size

The size thresholds have exceptions, and they matter because they pull small organisations into the highest tier. NIS2 names several categories that are essential regardless of how few people they employ or how little they turn over:

  • DNS service providers, top-level domain (TLD) name registries, and qualified trust service providers, essential even as micro-businesses.
  • Providers of public electronic communications networks or publicly available electronic communications services that qualify as medium-sized, essential at medium size rather than important.
  • Public administration entities designated under the directive, central and, where member states extend it, regional government bodies.

There is also a set of case-by-case routes that override the size test entirely: where an entity is the sole provider of a service that is essential for societal or economic activity, where disruption could have significant impact on public safety or health, or where an entity is identified as critical under the related Critical Entities Resilience (CER) framework. If one of those applies, size stops being the gate.

For most of our automotive, manufacturing, and mid-market clients these exceptions do not bite, but they are the first thing to check for any organisation in digital infrastructure or communications, because they change the answer completely.

What the classification actually changes, and what it doesn't

Here is the point that saves the most wasted effort, and the one most often gotten wrong: essential and important entities carry the same security obligations. The risk-management measures in Article 21 apply identically to both tiers: risk analysis and information-system security policies, incident handling, business continuity and crisis management, supply-chain security, secure development and vulnerability handling, policies to assess the effectiveness of measures, basic cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. The incident-reporting duties in Article 23, including the 24-hour early warning and the 72-hour notification, are identical too.

So "we are only an important entity" is not a lighter technical project. The controls you have to build are the same. What the tier changes is two things:

Our TISAX® and ISO 27001 experts help European automotive suppliers achieve compliance within 95 days.

Supervision. Essential entities face ex-ante (proactive) supervision, authorities can conduct audits, inspections, and random checks without needing a triggering incident. Important entities face ex-post (reactive) supervision, scrutiny generally follows an incident or a reasonable suspicion of non-compliance. The difference is not whether the rules apply; it is how likely you are to be examined before something goes wrong.

Penalty ceiling. Essential entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%. In both cases the more relevant exposure for management is often not the headline fine but the personal accountability NIS2 places on management bodies, who must approve the risk measures, oversee their implementation, and undergo training, and who can be held liable for failures.

Reading the tier correctly therefore matters for risk planning and audit-readiness, but it should never be the reason an organisation scales its security programme up or down. The programme is set by Article 21; the tier sets the supervisory stakes.

No one sends you a letter: classification is self-assessed

A recurring and expensive assumption is that an authority will write to tell you that you are in scope. With limited exceptions, it will not. NIS2 puts the burden of self-identification and registration on the entity. You determine your own sector placement, you apply the size test, you reach a classification, and you register yourself with the competent national authority within the deadlines that the national transposition sets.

That makes a quiet, internal misclassification the real risk. An organisation that decides it is out of scope, or that it is merely "important" when the criteria make it essential, does not get corrected at the point of decision. The gap surfaces later, during an incident, a customer audit, or a supervisory check, when the position is far harder to remediate and the management body is already exposed.

The DACH picture: Germany's law is already live

For organisations in the German market, this has stopped being a future question. Germany missed the directive's 17 October 2024 transposition deadline, but its implementing law, the NIS2-Umsetzungsgesetz, which substantially revises the BSI Act (BSIG), was passed in November 2025 and has been binding since 6 December 2025, with no transition period. The registration portal at the Federal Office for Information Security (BSI) opened on 6 January 2026, and the registration deadline for affected entities fell on 6 March 2026, a date now behind us.

A few German specifics are worth knowing because they differ from the directive's bare text. The BSIG uses its own labels: besonders wichtige Einrichtungen ("particularly important entities," broadly the essential tier) and wichtige Einrichtungen ("important entities"). Around 29,000 organisations are estimated to fall in scope, and the law expanded coverage beyond the directive's minimum in places. The BSIG also includes a practical carve-out, under the threshold calculation, business activities that are "negligible" relative to the entity's overall activity are not counted, which can change a borderline classification. Austria and other DACH jurisdictions have moved on their own timelines; the principle is the same everywhere, but the deadlines, authority, and exact thresholds are national.

If your organisation is in scope in Germany and has not yet self-classified and registered, the position to take is not panic but prompt correction: classify accurately, register, and document the reasoning behind the classification so it stands up if questioned.

Where NIS2 reaches you even when you are out of scope

One last criterion catches organisations that have correctly concluded they are below the threshold: supply-chain security. Article 21 requires in-scope entities to manage the security risks in their supply chains and supplier relationships. In practice that obligation flows downstream as contractual requirements, security questionnaires, evidence requests, and clauses, onto suppliers who are themselves out of scope.

If this pattern sounds familiar, it should: it is the same cascade dynamic that moves TISAX® requirements down the automotive supply chain. An organisation can be out of NIS2 scope in its own right and still have to meet NIS2-derived expectations because an essential-entity customer is passing them down. Reading your own classification is the first step; reading your customers' is the one most suppliers forget.

Frequently asked questions

Q: Is NIS2 a certification I can obtain? No. NIS2 is a legal obligation, not a certificate. There is no "NIS2 certificate" to display. You implement the Article 21 measures, register with your national authority, and remain subject to supervision. Frameworks such as ISO 27001 map closely to the Article 21 measures and are a strong foundation, but holding a certificate does not by itself discharge the legal obligation.

Q: We are a medium-sized manufacturer. Are we essential or important? Manufacturing sits in Annex II, so a medium or large manufacturer is an important entity, not essential, unless a size-exempt category or a case-by-case designation applies. The security obligations are the same as for essential entities; the supervision and penalty ceiling are lower.

Q: What is the difference between essential and important for the work we actually have to do? For the security controls and incident reporting, there is no difference, both tiers implement Article 21 and report under Article 23 identically. The difference is supervision (proactive for essential, reactive for important) and the maximum fine (€10m/2% versus €7m/1.4%).

Q: Will an authority tell us we are in scope? Generally no. Classification and registration are the entity's own responsibility. Waiting for a notification is one of the more common and more costly mistakes.

Q: The German registration deadline has passed. What now? Classify accurately, register with the BSI without further delay, and document your reasoning. Late registration is a weaker position than timely registration, but an accurate, documented late position is far stronger than an unexamined assumption that you were out of scope.

Working out which side of the NIS2 line you fall on, and what that means for the security programme you actually need, is the part worth getting right before anything else. If you want a clear read on your classification and the gap between where your ISMS is today and what Article 21 expects, our team maps both in a short assessment. Talk to us about NIS2.

This article is a practitioner explanation of the NIS2 criteria, not legal advice. National transposition laws vary in their thresholds, authorities, and deadlines; confirm your specific position against the applicable national law.

TISAX® is a registered trademark of ENX Association. ITIS-Secure provides advisory and preparation services and is not a certification or supervisory body.

Iulian Bozdoghina

"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."

ISO 27001 Lead AuditorTISAX® SpecialistISO14001 AuditorISO42001 Auditor

Ready to get certified?

Book your free gap assessment today. Our experts will map your current posture against your target framework and give you a clear, honest roadmap to certification.

Book Free Gap Assessment

No commitment required • GDPR compliant • Strategy confirmed via secure link

Related Articles

Continue reading about similar cybersecurity and compliance topics.