NIS2 Essential vs Important Entities
A definitive reference guide to NIS2 entity classification, covering the Annex I and Annex II sector lists, the size-cap rule, supervisory regime differences, and Member State designation powers.
1. NIS2 classifies entities into two tiers, essential and important, based primarily on sector (Annex I vs Annex II) and size (large vs medium enterprises).
2. Annex I covers 11 sectors of high criticality including energy, transport, banking, health, and digital infrastructure; Annex II covers 7 other critical sectors including manufacturing, food, and digital providers.
3. The size cap uses the EU SME definitions: entities with 50 or more employees, or with both annual turnover and annual balance sheet total above EUR 10M, are in scope; certain entity types (DNS service providers, trust service providers, public electronic communications providers, etc.) are in scope regardless of size.
4. Essential entities face proactive supervision and maximum fines of at least EUR 10M or 2% of worldwide annual turnover, whichever is higher; important entities face reactive supervision and maximum fines of at least EUR 7M or 1.4%.
5. Member States retain designation powers to bring small but critical entities into scope; entities designated as critical under the CER Directive are automatically essential entities under NIS2.
Entity Classification Methodology Under NIS2
The NIS2 Directive (2022/2555) introduces a two-tier classification system that divides regulated entities into essential entities and important entities. This classification is fundamental because it determines the supervisory regime, enforcement powers, and penalty exposure applicable to each entity. Unlike the original NIS Directive, which relied on Member States to individually identify operators of essential services through a complex designation process, NIS2 adopts a largely automated approach based on objective criteria: the sector in which the entity operates and its size.
Article 3 sets out the classification rules. Under Article 3(1), an entity is essential if it is of a type listed in Annex I and exceeds the ceilings for medium-sized enterprises (point (a)), or if it falls into one of the categories that are essential irrespective of that test: qualified trust service providers, TLD name registries and DNS service providers regardless of size (point (b)); providers of public electronic communications networks or publicly available electronic communications services that are at least medium-sized (point (c)); central government public administration entities (point (d)); entities a Member State has identified as essential under Article 2(2)(b) to (e) (point (e)); entities identified as critical entities under the CER Directive (point (f)); and, where a Member State so provides, entities it had identified as operators of essential services under NIS1 before 16 January 2023 (point (g)). Under Article 3(2), an entity is important if it is of a type listed in Annex I or Annex II, is within scope, and does not qualify as essential. This means that medium-sized entities operating in Annex I sectors are generally classified as important rather than essential, a distinction with significant practical implications for supervisory intensity.
The shift to a criteria-based classification system was driven by concerns about the inconsistency and opacity of the designation process under NIS1. Under the original directive, different Member States applied different criteria when identifying operators of essential services, leading to situations where equivalent entities in the same sector were subject to obligations in one Member State but not another. NIS2's objective criteria ensure a more uniform application of the rules across the internal market, though Member States retain certain designation powers that introduce an element of national discretion.
NIS2 significantly expanded the scope of EU cybersecurity regulation. While NIS1 covered approximately 10,000 entities across the EU, NIS2 is estimated to bring over 160,000 entities into scope through its combination of broader sector coverage and the size-cap mechanism.
Annex I: Sectors of High Criticality (Essential Entities)
Annex I of NIS2 lists the sectors of high criticality. Entities operating in these sectors that exceed the ceilings for medium-sized enterprises (Article 2 of the Annex to Commission Recommendation 2003/361/EC), i.e. large entities, are automatically classified as essential entities under Article 3(1)(a). The eleven sectors of high criticality are: Energy (electricity, district heating and cooling, oil, gas, hydrogen), Transport (air, rail, water, road), Banking, Financial market infrastructures, Health (healthcare providers, EU reference laboratories, entities engaged in research and development of medicinal products, manufacturers of basic pharmaceutical products and pharmaceutical preparations, and entities manufacturing medical devices considered critical during a public health emergency), Drinking water, Wastewater, Digital infrastructure (Internet Exchange Point providers, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, providers of publicly available electronic communications services), ICT service management (B2B) (managed service providers and managed security service providers), Public administration (central government entities, plus regional-level entities that a Member State includes after a risk-based assessment; only the central government entities are essential under Article 3(1)(d)), and Space.
The Energy sector is the most granular, encompassing electricity undertakings, distribution system operators, transmission system operators, producers, nominated electricity market operators, market participants providing aggregation, demand response, or energy storage services, and operators of electric vehicle charging points. Transport similarly covers a broad range of sub-sectors, from air carriers and airport managing bodies to inland waterway transport operators and traffic management control operators.
It is important to note that not every entity operating in an Annex I sector is automatically essential. The size test still applies: only entities exceeding the medium-sized ceilings qualify as essential under Article 3(1)(a). Medium-sized entities in Annex I sectors are generally important entities under Article 3(2), subject to the same Article 21 risk management and Article 23 incident reporting obligations but a less intensive supervisory regime. The exceptions are the categories in Article 3(1)(b) to (g): qualified trust service providers, TLD name registries and DNS service providers are essential regardless of size; providers of public electronic communications networks or publicly available electronic communications services are essential once they are at least medium-sized (smaller providers are still in scope, but as important entities); and central government entities, entities a Member State has identified as essential, and CER critical entities are essential irrespective of size.
Annex II: Other Critical Sectors (Important Entities)
Annex II lists the other critical sectors whose entities — when meeting the size thresholds — are classified as important entities under Article 3(2). The seven Annex II sectors are: Postal and courier services, Waste management, Manufacture, production and distribution of chemicals, Production, processing and distribution of food, Manufacturing (covering medical devices, computer and electronic products, electrical equipment, machinery and equipment, motor vehicles and trailers, and other transport equipment), Digital providers (online marketplaces, online search engines, social networking services platforms), and Research (research organisations).
The Manufacturing sector in Annex II is particularly broad: it covers medical devices and in vitro diagnostic medical devices plus five NACE Rev. 2 divisions (C 26 computer, electronic and optical products; C 27 electrical equipment; C 28 machinery and equipment; C 29 motor vehicles, trailers and semi-trailers; C 30 other transport equipment). This means that a large manufacturer of, for example, electrical switchgear (NACE 27.12) is an important entity under NIS2, a significant expansion of scope compared to NIS1, which did not cover general manufacturing. The inclusion of food production and distribution, chemical manufacturing, and waste management reflects the EU's growing recognition that cybersecurity incidents in these sectors can have serious public health, environmental, and economic consequences.
Two of the Annex II digital providers, online marketplaces and online search engines, were already regulated under NIS1 as digital service providers rather than as operators of essential services; social networking services platforms are new to NIS2, and cloud computing, the third NIS1 digital service, has moved to Annex I as digital infrastructure. Under NIS2 the Annex II digital providers are important entities, which brings them under a more structured regulatory framework while maintaining a proportionate approach. Notably, very large online platforms (VLOPs) as defined under the Digital Services Act (Regulation (EU) 2022/2065) carry their own DSA obligations, which apply independently of NIS2.
The Size-Cap Rule: 50+ Employees or EUR 10M+ Turnover
NIS2 borrows the enterprise size classes of Commission Recommendation 2003/361/EC to determine which entities fall within its scope. Article 2(1) applies the directive to entities of a type listed in Annex I or Annex II that qualify as medium-sized enterprises under Article 2 of the Annex to that Recommendation, or that exceed the ceilings for medium-sized enterprises. The ceilings combine a headcount test with an either/or financial test: an enterprise is small if it employs fewer than 50 persons and its annual turnover and/or annual balance sheet total does not exceed EUR 10 million, so an entity with fewer than 50 employees stays below the size cap as long as either its turnover or its balance sheet total is at or below EUR 10 million. Put the other way round, an entity enters scope at 50 or more employees, or when both its turnover and its balance sheet total exceed EUR 10 million. Entities that remain small (or micro) are excluded unless one of the Article 2(2) or 2(3) exceptions applies.
Within the entities that clear the size cap, the distinction between essential and important turns on whether the entity exceeds the medium-sized ceilings, i.e. is large. An enterprise is medium-sized if it employs fewer than 250 persons and its annual turnover does not exceed EUR 50 million and/or its annual balance sheet total does not exceed EUR 43 million; it is large at 250 or more employees, or when both its turnover exceeds EUR 50 million and its balance sheet total exceeds EUR 43 million. Large entities in Annex I sectors are essential; large entities in Annex II sectors, and medium-sized entities in either Annex, are important. This creates a clear hierarchy: large Annex I entities face the most intensive supervision, while medium-sized Annex II entities face the least, though all remain subject to the core Article 21 and Article 23 obligations.
There are important exceptions to the size cap. Article 2(2)(a) brings providers of public electronic communications networks or publicly available electronic communications services, trust service providers, and TLD name registries and DNS service providers into scope regardless of size. Article 2(2)(b) to (e) let a Member State bring in an entity of any size that is the sole provider in that Member State of a service essential for the maintenance of critical societal or economic activities, whose disruption could have a significant impact on public safety, public security or public health, whose disruption could induce significant systemic risk (in particular where it could have a cross-border impact), or that is critical because of its specific importance at national or regional level. Article 2(2)(f) covers central government entities and, after a risk-based assessment, regional public administration entities. Article 2(3) applies the directive, again regardless of size, to entities identified as critical entities under Directive (EU) 2022/2557 (the Critical Entities Resilience Directive, or CER). Together these provisions give Member States the mechanism to capture small but critical entities that the size cap would otherwise exclude.
The size-cap calculation follows the linked and partner enterprise rules in Recommendation 2003/361/EC. If your entity is part of a corporate group, you may need to aggregate headcount and financial data across linked enterprises, which could push a seemingly small subsidiary above the thresholds.
Supervisory Regime Differences: Proactive vs Reactive Oversight
The practical consequence of the essential/important classification is most visible in the supervisory regime. Article 32 gives competent authorities an ex ante toolkit for essential entities: on-site inspections and off-site supervision (including random checks), regular and targeted security audits by an independent body or the authority itself, ad hoc audits, security scans based on objective risk-assessment criteria, and requests for information, data, documents and evidence of implementation. None of these measures requires prior evidence of non-compliance, so essential entities should expect routine engagement with their national competent authority as a matter of course.
Important entities, by contrast, are subject to reactive supervision under Article 33. Competent authorities shall take action when presented with evidence, indications, or information that suggests non-compliance with the directive — for example, following a significant incident report, a complaint from a third party, or intelligence received from another authority. This does not mean important entities can afford to be complacent; a significant incident that reveals underlying compliance deficiencies will trigger full enforcement scrutiny. But it does mean that important entities are less likely to face routine inspections or unprompted audit requests.
The enforcement tools available also differ. Most notably, the management function prohibition in Article 32(5)(b), under which authorities may ask the competent bodies or courts to temporarily prohibit a natural person with managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions, is available only against essential entities, and only where earlier enforcement measures have proved ineffective and a deadline set for remedial action has passed. The administrative fine ceilings differ as well: Article 34 requires Member States to provide for maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, versus at least EUR 7 million or 1.4% for important entities; Member States may set higher maxima in transposition. These differences reflect the proportionality principle: essential entities, whose disruption could have the most severe societal consequences, face correspondingly more intensive oversight and more severe sanctions.
Member State Designation Powers and Special Cases
While NIS2's classification is largely rule-based, Member States retain designation powers that introduce national discretion. Article 2(2)(b) to (e) allow a Member State to bring an entity below the size cap into scope where the entity is the sole provider in that Member State of a service essential for the maintenance of critical societal or economic activities, where a disruption of its service could have a significant impact on public safety, public security or public health, where a disruption could induce significant systemic risk (in particular for sectors where such disruption could have a cross-border impact), or where the entity is critical because of its specific importance at national or regional level for its sector or for interdependent sectors. The Member State also decides whether such an entity is essential (Article 3(1)(e)) or important (Article 3(2)). This allows Member States to capture, for example, a small but strategically critical technology provider that serves a national infrastructure operator.
Article 3(1)(f) provides that entities identified as critical entities under the CER Directive are essential entities under NIS2, and Article 2(3) brings them into scope regardless of size. Since CER and NIS2 share overlapping sector coverage and were adopted as a package, this aligns physical and cyber resilience obligations. An entity designated as critical under CER therefore faces the full essential-entity supervisory and enforcement regime under NIS2, whether or not it would qualify as essential on the size-cap and Annex I criteria alone.
Member States must establish and maintain a list of essential and important entities by 17 April 2025, and update it at least every two years thereafter under Article 3(3). Entities are generally required to self-register with the competent authority, providing information including their name, sector, sub-sector, size, and contact details. The registration obligation, combined with the self-assessment of classification status, places a compliance burden on entities themselves — they cannot simply wait to be notified by the competent authority. Organisations that are uncertain about their classification status should conduct a formal scoping assessment, considering their sector, size, and any applicable Member State designations, and seek legal advice where the outcome is not clear-cut.
Do not wait to be designated. NIS2 operates on a self-assessment model — entities must determine whether they fall in scope and register accordingly. Failure to register does not exempt you from the directive's obligations and may itself constitute non-compliance.
My organisation has fewer than 50 employees. Can we still fall under NIS2?
Yes. The general size cap excludes entities that are small under Commission Recommendation 2003/361/EC, meaning fewer than 50 employees and either a turnover or a balance sheet total at or below EUR 10 million, but Article 2(2) and 2(3) list exceptions. You may be in scope regardless of size if you provide public electronic communications networks or services, are a trust service provider, a TLD name registry or DNS service provider, the sole provider in a Member State of a service essential to critical societal or economic activities, an entity whose disruption could significantly affect public safety, public security or public health or induce systemic risk, or an entity identified as critical under the CER Directive. Member States can also designate small entities of specific national or regional importance on a case-by-case basis. If there is any doubt, conduct a formal scoping assessment.
What if my organisation operates in both an Annex I and an Annex II sector?
If your organisation provides services or conducts activities in both Annex I and Annex II sectors, your classification will be determined by the highest applicable tier. If any of your in-scope activities fall within an Annex I sector and you meet the large enterprise threshold, you will be classified as an essential entity. The Article 21 cybersecurity risk management measures and Article 23 incident reporting obligations must then be applied across all your in-scope activities — not just those in the Annex I sector. This prevents entities from selectively applying NIS2 obligations to only their highest-risk activities while neglecting others.
How is the size-cap calculated for entities that are part of a corporate group?
The size-cap applies the linked and partner enterprise aggregation rules from Commission Recommendation 2003/361/EC and its annex. If your entity is a linked enterprise (e.g., a wholly owned subsidiary), you must aggregate headcount and financial data with your parent company and other linked enterprises. If your entity has partner enterprises (25-50% ownership), a proportional share of their headcount and financial data is added. This means that a small subsidiary of a large corporate group will typically exceed the size-cap thresholds and fall within NIS2 scope. The aggregation rules can be complex, particularly for entities with multiple layers of ownership, and legal advice is recommended.
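The size test from the size-cap section and the aggregation rules in this answer, combined with the Article 2 and Article 3 tier rules, as one executable decision procedure. This is an added example written for this page, not text or tooling from the directive or from any competent authority. It assumes a single ownership layer for partner and linked enterprises (the Recommendation's rules for partners of linked enterprises and consolidated accounts are not modelled), treats the Article 2 and Article 3 category flags as facts you have already established, and uses constructed enterprise figures.

```python
"""NIS2 scoping classifier (added example; not text or tooling from the directive).
Size classes and partner/linked aggregation per Rec. 2003/361/EC, then the
Article 2 / Article 3 tier rules. All figures below are constructed, in EUR."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Enterprise:
    name: str
    headcount: float
    turnover: float
    balance_sheet: float
    # (partner, share): share = capital or voting rights held, whichever is greater
    partners: List[Tuple["Enterprise", float]] = field(default_factory=list)
    linked: List["Enterprise"] = field(default_factory=list)  # controlled / controlling


def aggregate(e: Enterprise) -> Tuple[float, float, float]:
    """Own data + proportional share of partners + 100 % of linked enterprises.
    Assumption: one ownership layer; partners-of-linked and consolidated
    accounts (Art. 6 of the Annex to the Recommendation) are not modelled."""
    h, t, b = e.headcount, e.turnover, e.balance_sheet
    for p, share in e.partners:
        h, t, b = h + p.headcount * share, t + p.turnover * share, b + p.balance_sheet * share
    for lk in e.linked:
        h, t, b = h + lk.headcount, t + lk.turnover, b + lk.balance_sheet
    return h, t, b


def size_class(e: Enterprise) -> str:
    """'small' (includes micro), 'medium' or 'large'. A class is kept when the
    headcount ceiling AND at least one financial ceiling hold: the 'and/or'."""
    h, t, b = aggregate(e)
    if h < 50 and (t <= 10e6 or b <= 10e6):
        return "small"
    if h < 250 and (t <= 50e6 or b <= 43e6):
        return "medium"
    return "large"


@dataclass
class Entity:
    enterprise: Enterprise
    annex: Optional[str] = None           # "I", "II" or None (type not listed)
    ecn_ecs_provider: bool = False        # public e-comms networks/services, Art. 2(2)(a)(i)
    trust_service_provider: bool = False  # Art. 2(2)(a)(ii); essential only if qualified
    qualified_tsp: bool = False           # Art. 3(1)(b)
    tld_or_dns: bool = False              # TLD registry / DNS provider, Art. 2(2)(a)(iii)
    central_government: bool = False      # Art. 2(2)(f)(i), essential under Art. 3(1)(d)
    ms_identified: Optional[str] = None   # "essential"/"important" under Art. 2(2)(b)-(e)
    cer_critical: bool = False            # critical entity under Directive (EU) 2022/2557


def classify(ent: Entity) -> str:
    """Return 'out of scope', 'important' or 'essential'."""
    size = size_class(ent.enterprise)
    at_least_medium = size != "small"
    in_scope = ((ent.annex in ("I", "II") and at_least_medium)
                or ent.ecn_ecs_provider or ent.trust_service_provider or ent.tld_or_dns
                or ent.central_government or ent.ms_identified is not None or ent.cer_critical)
    if not in_scope:
        return "out of scope"
    essential = ((ent.annex == "I" and size == "large")        # Art. 3(1)(a)
                 or ent.qualified_tsp or ent.tld_or_dns        # Art. 3(1)(b)
                 or (ent.ecn_ecs_provider and at_least_medium) # Art. 3(1)(c)
                 or ent.central_government                     # Art. 3(1)(d)
                 or ent.ms_identified == "essential"           # Art. 3(1)(e)
                 or ent.cer_critical)                          # Art. 3(1)(f)
    return "essential" if essential else "important"


def worked_examples() -> dict:
    """Constructed cases for the edge cases discussed on this page."""
    parent = Enterprise("GroupParent", 400, 120e6, 90e6)
    holder = Enterprise("MinorityHolder", 100, 20e6, 15e6)
    cases = {
        # 30 staff, turnover 15M but balance sheet 8M: still small, so out of scope
        "and_or_trap":  Entity(Enterprise("Utility30", 30, 15e6, 8e6), annex="I"),
        # 20-person subsidiary of a 400-person group: aggregation makes it large
        "subsidiary":   Entity(Enterprise("GridSub", 20, 3e6, 2e6, linked=[parent]), annex="I"),
        # 40 staff plus 30 % of a partner -> 70 headcount, medium
        "partner":      Entity(Enterprise("Chem40", 40, 8e6, 6e6, partners=[(holder, 0.30)]), annex="II"),
        "dns_small":    Entity(Enterprise("TinyDNS", 12, 1e6, 1e6), annex="I", tld_or_dns=True),
        "isp_small":    Entity(Enterprise("VillageISP", 30, 4e6, 3e6), annex="I", ecn_ecs_provider=True),
        "large_annex2": Entity(Enterprise("AutoParts", 500, 200e6, 150e6), annex="II"),
        "cer_small":    Entity(Enterprise("PortOps", 45, 9e6, 7e6), annex="I", cer_critical=True),
    }
    return {name: classify(ent) for name, ent in cases.items()}


if __name__ == "__main__":
    for name, tier in worked_examples().items():
        print(f"{name:13s} -> {tier}")
```

The `and_or_trap` case is the one most often got wrong in scoping spreadsheets: 15 million in turnover looks like it clears the EUR 10M cap, but with a balance sheet total of 8 million the entity is still small under the Recommendation and, absent an Article 2(2) or 2(3) hook, out of scope. The `isp_small` case shows the opposite trap for electronic communications providers, which are in scope at any size but only become essential once they are at least medium-sized.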
Does the supervisory difference between essential and important entities really matter in practice?
Yes, it has significant practical implications. Essential entities should expect regular, proactive engagement from their competent authority — scheduled audits, routine information requests, and periodic security assessments. This requires dedicated resources for regulatory liaison and ongoing compliance evidence management. Important entities will generally only face scrutiny following an incident, complaint, or intelligence that suggests non-compliance. However, this reactive posture should not encourage complacency — when enforcement action does occur, important entities face the same types of remedial orders and, while the fine caps are lower, the reputational and operational impacts of enforcement can be equally severe.
When does NIS2 entity registration need to be completed?
Article 3(3) requires Member States to establish a list of essential and important entities by 17 April 2025. Entities are required to submit registration information to the competent authority, including their name, address, contact details, sector, sub-sector, the Member States where they provide services, and their IP address ranges. The exact registration process and deadlines are determined by each Member State through their transposition measures. Organisations should check their national competent authority's website for specific registration requirements and deadlines, as these vary by jurisdiction.