What is the difference between an Essential and an Important entity?

Essential entities are large organisations in high-criticality sectors and face proactive supervision and higher fines (up to €10m or 2% of global turnover). Important entities cover medium-sized high-criticality firms and other critical sectors, with reactive supervision and lower fines (up to €7m or 1.4%).

How does the size-cap rule work?

By default, only medium and large organisations in covered sectors are in scope. Medium means 50 to 249 staff or €10m–€50m turnover; large means 250+ staff or over €50m turnover. Micro and small firms are usually excluded unless individually designated.

Are any entities in scope regardless of size?

Yes. Certain digital-infrastructure providers — DNS service providers, TLD name registries, internet exchange points, and some trust, telecom, and public-administration entities — are in scope no matter how small they are.

What are the incident reporting deadlines?

An early warning must reach the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month.

Is this legal advice?

No. NIS2 is transposed into national law and member states can broaden scope or designate specific entities. This tool applies the directive's default rule for guidance only — confirm with your national authority and legal advisers.

NIS2 Directive Applicability Checker

The EU’s NIS2 Directive massively widens the population of organisations that must run a baseline cybersecurity programme and report incidents fast. This checker applies the directive’s default sector-plus-size rule so you can see whether you are an Essential entity, an Important entity, or out of scope.

How it works

NIS2 combines two axes — the sector’s criticality annex and the organisation’s size — to assign a classification:

Annex I  + Large            → Essential
Annex I  + Medium           → Important
Annex II + Medium or Large  → Important
Micro / small               → out of scope (unless an always-in-scope type)

A handful of digital-infrastructure providers (DNS providers, TLD registries, internet exchange points and similar) are in scope at any size. The tool encodes both the annex split and these size-cap exceptions.

Notes and example

A large hospital sits in health, an Annex I high-criticality sector, so at large size it is an Essential entity: it must implement the Article 21 measures — risk analysis, incident handling, business continuity, supply-chain security, vulnerability disclosure, cryptography and management accountability — and meet the 24-hour, 72-hour and one-month reporting deadlines. A medium-sized food manufacturer, an Annex II sector, would be an Important entity with the same obligations but lighter supervision. Because member states transpose NIS2 into national law and can extend scope, always confirm your status with the competent authority in each country where you operate.