NIS2 does not treat every organisation in scope the same way. It sorts them into two tiers — essential and important entities — and the tier you fall into decides how closely you are supervised and how hard a failure is punished. Knowing your class is the first move in any NIS2 program.
The distinction trips up a lot of teams because both classes have largely the same security obligations. The difference is not what you must do — it is how the regulator checks that you did it, and what happens if you did not.
Two classes, one set of duties
Both essential and important entities must take appropriate technical and organisational risk-management measures and report significant incidents. Where they diverge is supervision: essential entities face proactive oversight — regulators can audit them at any time — while important entities are supervised reactively, typically after evidence that something went wrong.
Start with the size threshold
NIS2 generally applies to organisations that hit at least the medium-enterprise threshold — broadly 50 or more staff, or annual turnover and balance sheet above €10 million — operating in a covered sector. Below that size you may still be pulled in if you play a critical role, but size is the usual first gate.
- Large & medium entities in covered sectors are in scope by default.
- Small & micro entities are usually out — unless they are a sole provider, a critical infrastructure operator, or designated by a member state.
Sector decides essential vs. important
Once you are in scope, your sector mostly determines your class. NIS2 defines sectors of high criticality and other critical sectors.
Typically essential
- Energy, transport, banking and financial market infrastructure
- Health, drinking and waste water
- Digital infrastructure, ICT service management and public administration
Typically important
- Postal and courier services, waste management
- Manufacturing of certain products, chemicals, food
- Digital providers such as online marketplaces, search engines and social platforms
Size and sector set the default, but a member state can designate an organisation as essential regardless of size if it is critical enough. Always confirm against your national transposition, not just the directive.
A quick decision path
- Do you operate in a covered sector? If no, you are likely out of scope.
- Do you meet the medium-enterprise size threshold? If no, check the critical-role exceptions.
- Is your sector listed as high-criticality? If yes, you are most likely essential; if it is an other-critical sector, most likely important.
- Confirm against your national law and any specific designation.
What actually changes
The class you land in changes three things in practice:
- Supervision. Essential entities can be audited proactively; important entities mainly after an incident.
- Penalties. Both face significant fines, but the ceilings and enforcement posture are stricter for essential entities.
- Registration. Either way you will likely need to register with your national authority — but timelines and detail can differ.
If you are in scope
Classification is step zero. The real work — risk management, an incident process, supply-chain security and management sign-off — is the same regardless of class. Treating it as one control program is the fastest way through, especially if you also fall under ISO 27001 or GDPR.
Key takeaways
- NIS2 sorts in-scope organisations into essential and important entities.
- Size (medium-enterprise threshold) gets you in scope; sector decides your class.
- Both classes share obligations — supervision and penalties differ.
- Always confirm against your national transposition and any designation.
Not sure where you land? Book a 30-minute demo and we will scope your NIS2 obligations with you.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.