The NIS2 Directive (EU 2022/2555) classifies in-scope organizations into two tiers: essential entities and important entities. This classification determines the supervision regime (proactive vs. reactive), the maximum administrative fines (at least EUR 10 million or 2% of global annual turnover vs. EUR 7 million or 1.4%, whichever is higher), and the level of regulatory scrutiny your organization will face. The Directive covers 18 sectors in total -- 11 sectors of "high criticality" (Annex I, whose large entities become essential entities) and 7 "other critical sectors" (Annex II, whose entities are important entities). According to European Commission estimates, NIS2 brings approximately 160,000 entities into scope across the EU, roughly a tenfold increase over the 15,000 or so covered by the original NIS Directive.
Key Takeaways
- Two tiers: Essential entities (Annex I, proactive supervision, higher fines) and Important entities (Annex II, reactive supervision, lower fines)
- 18 sectors total: 11 high-criticality sectors + 7 other critical sectors
- Size matters: the baseline rule is that large enterprises (250+ employees, or turnover above EUR 50M and balance sheet total above EUR 43M) in Annex I sectors are essential; every other medium or large enterprise in an Annex I or Annex II sector (50+ employees, or turnover and balance sheet total both above EUR 10M) is important
- Same security requirements: Both tiers must comply with Article 21 (security measures) and Article 23 (incident reporting)
- Exceptions exist: some entities are essential regardless of size (qualified trust service providers, DNS service providers, TLD name registries, central government bodies), and others are in scope regardless of size even though they land in the important tier
The Two-Tier Classification System
NIS2's classification system combines two factors: the sector in which you operate and the size of your organization. The general rules are:
| Classification | Sectors | Size Threshold | Supervision | Max Fine |
|---|---|---|---|---|
| Essential Entity | Annex I (11 high-criticality sectors) | Large: 250+ employees, or turnover > EUR 50M and balance sheet total > EUR 43M | Proactive (ex-ante) | EUR 10M or 2% global turnover, whichever is higher |
| Important Entity | Annex II (7 other critical sectors) | Medium or large: 50+ employees, or turnover > EUR 10M and balance sheet total > EUR 10M | Reactive (ex-post) | EUR 7M or 1.4% global turnover, whichever is higher |
| Important Entity | Annex I (high-criticality sectors) | Medium: at or above the medium threshold but below the large one | Reactive (ex-post) | EUR 7M or 1.4% global turnover, whichever is higher |
Note the third row: medium-sized enterprises operating in Annex I sectors are classified as important, not essential. Only large enterprises in Annex I sectors receive the essential classification, unless one of the size-independent rules described later applies. Conversely, every entity in an Annex I or Annex II sector that meets at least the medium-enterprise threshold is in scope.
Annex I: 11 Sectors of High Criticality (Essential Entities)
The following sectors are listed in NIS2 Annex I. Large enterprises in these sectors are classified as essential entities:
| # | Sector | Sub-sectors / Entity Types | Examples |
|---|---|---|---|
| 1 | Energy | Electricity (generation, distribution, transmission, supply); Oil (pipelines, production, refining, storage); Gas (distribution, supply, transmission, storage, LNG); Hydrogen; District heating/cooling | Power utilities, oil companies, gas distribution networks, hydrogen producers |
| 2 | Transport | Air (carriers, airports, traffic management); Rail (infrastructure managers, railway undertakings); Water (inland, maritime, ports); Road (road authorities, ITS operators) | Airlines, railway operators, port authorities, highway management bodies |
| 3 | Banking | Credit institutions as defined in Regulation (EU) No 575/2013 | Commercial banks, savings banks, cooperative banks |
| 4 | Financial market infrastructures | Operators of trading venues, central counterparties | Stock exchanges, clearing houses |
| 5 | Health | Healthcare providers; EU reference laboratories; Entities conducting R&D of medicinal products; Manufacturers of basic pharmaceutical products; Manufacturers of critical medical devices (especially during public health emergencies) | Hospitals, pharmaceutical companies, medical device manufacturers, research labs |
| 6 | Drinking water | Suppliers and distributors of water intended for human consumption | Water utilities, municipal water systems |
| 7 | Waste water | Undertakings collecting, disposing of, or treating urban waste water, domestic waste water, or industrial waste water | Waste water treatment plants, sewage operators |
| 8 | Digital infrastructure | Internet exchange point providers; DNS service providers; TLD name registries; Cloud computing service providers; Data centre service providers; Content delivery network providers; Trust service providers; Providers of public electronic communications networks/services | IXPs, cloud providers (AWS, Azure, GCP), data centers, CDNs, certificate authorities, telecom operators |
| 9 | ICT service management (B2B) | Managed service providers; Managed security service providers | IT outsourcing companies, MSSPs, SOC-as-a-service providers |
| 10 | Public administration | Central government entities (excluding judiciary, parliaments, central banks); Regional government entities (at Member State discretion) | National ministries, government agencies, regulatory bodies |
| 11 | Space | Operators of ground-based infrastructure supporting space-based services (excluding providers of public electronic communications networks) | Satellite ground station operators, space data processing facilities |
Annex II: 7 Other Critical Sectors (Important Entities)
The following sectors are listed in NIS2 Annex II. Medium and large enterprises in these sectors are classified as important entities:
| # | Sector | Sub-sectors / Entity Types | Examples |
|---|---|---|---|
| 1 | Postal and courier services | Providers of postal services, including courier services | National postal operators, express delivery companies, logistics providers |
| 2 | Waste management | Undertakings carrying out waste management (excluding those for which waste management is not their principal economic activity) | Waste collection companies, recycling plants, hazardous waste processors |
| 3 | Manufacture, production and distribution of chemicals | Undertakings carrying out the manufacture, production, or distribution of substances and mixtures (REACH Regulation) | Chemical manufacturers, chemical distributors, specialty chemical producers |
| 4 | Production, processing and distribution of food | Food businesses engaged in wholesale distribution, industrial production, or processing | Food processors, wholesale food distributors, large agricultural businesses |
| 5 | Manufacturing | Medical devices and in vitro diagnostics; Computer, electronic and optical products; Electrical equipment; Machinery and equipment n.e.c.; Motor vehicles, trailers and semi-trailers; Other transport equipment | Medical device makers, electronics manufacturers, automotive OEMs, aerospace manufacturers |
| 6 | Digital providers | Online marketplace providers; Online search engine providers; Social networking services platform providers | E-commerce platforms, search engines, social media companies |
| 7 | Research | Research organisations (as defined by each Member State) | Universities, research institutes, R&D centers |
Proactive vs. Reactive Supervision
One of the most significant practical differences between essential and important entities is the supervision regime:
Essential Entities: Proactive Supervision (Ex-Ante)
Under Article 32, competent authorities may subject essential entities to:
- Regular and targeted security audits -- authorities can audit your security measures at any time, not just after an incident
- On-site and off-site inspections -- including unannounced inspections
- Requests for evidence of implementation of cybersecurity policies and measures
- Requests for access to data, documents, and information needed to carry out supervisory tasks
- Requests for evidence of implementation of security audit results
If non-compliance is found, authorities can issue binding instructions, order the entity to cease conduct that violates the Directive, and -- in serious cases -- temporarily prohibit management body members from exercising their functions.
Important Entities: Reactive Supervision (Ex-Post)
Under Article 33, competent authorities take enforcement action against important entities when provided with evidence, indication, or information suggesting non-compliance. This means:
- Authorities generally do not conduct routine audits of important entities
- Supervision is triggered by incidents, complaints, or intelligence suggesting non-compliance
- Once triggered, authorities have the same investigative powers (audits, inspections, requests for information)
- Enforcement measures are similar but with lower maximum fines
Size Thresholds and Exceptions
The general size thresholds for NIS2 classification follow the EU SME definition in Commission Recommendation 2003/361/EC. An enterprise stays in a band only while it is below that band's headcount ceiling and below at least one of its two financial ceilings; reaching the headcount ceiling, or exceeding both the turnover and the balance-sheet ceiling, moves it up a band:
| Entity Size | Employees | Turnover | Balance Sheet Total | NIS2 Classification (Annex I sector) | NIS2 Classification (Annex II sector) |
|---|---|---|---|---|---|
| Micro | <10 | ≤EUR 2M | ≤EUR 2M | Out of scope (with exceptions) | Out of scope (with exceptions) |
| Small | 10-49 | ≤EUR 10M | ≤EUR 10M | Out of scope (with exceptions) | Out of scope (with exceptions) |
| Medium | 50-249 | ≤EUR 50M | ≤EUR 43M | Important entity | Important entity |
| Large | 250+ | >EUR 50M | >EUR 43M | Essential entity | Important entity |
Entities That Are Always Essential (Regardless of Size)
Article 3(1) specifies that certain entities are essential regardless of their size:
- Qualified trust service providers under the eIDAS Regulation (non-qualified trust service providers are also in scope regardless of size, but as important entities)
- Top-level domain (TLD) name registries
- DNS service providers
- Providers of public electronic communications networks or publicly available electronic communications services that qualify as medium-sized enterprises (smaller providers are in scope as important entities; large ones are essential under the general rule)
- Public administration entities at central government level
- Entities identified as critical entities under Directive (EU) 2022/2557 (CER Directive)
- Entities previously identified as operators of essential services under NIS1, where the Member State so provides
- Entities that a Member State has identified as essential under Article 2(2), points (b) to (e), for example the sole provider in that Member State of a service essential for maintaining critical societal or economic activities
Obligations Comparison: Essential vs. Important
| Obligation | Essential Entities | Important Entities |
|---|---|---|
| Article 21 security measures (10 categories) | Required | Required |
| Article 23 incident reporting (24h/72h/1m) | Required | Required |
| Article 20 management body responsibility | Required | Required |
| Registration with competent authority | Required | Required |
| Supervision type | Proactive (ex-ante) | Reactive (ex-post) |
| Maximum fine | EUR 10M or 2% global turnover | EUR 7M or 1.4% global turnover |
| Management body suspension | Possible (in serious cases) | Not applicable |
| Routine audits without triggering event | Yes | No (only upon evidence of non-compliance) |
Sector-Specific Considerations for Italy and Spain
Italy
Italy transposed NIS2 through D.Lgs. 138/2024. The ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority for all sectors. Key considerations:
- Italy has not significantly expanded the sector scope beyond the Directive's minimum requirements
- The ACN has published a classification questionnaire to help organizations determine their status
- Registration on the ACN portal is mandatory, with deadlines varying by sector
- Italy's manufacturing sector (Annex II) is particularly significant given the country's strong industrial base, especially in machinery, automotive, and food production
- The healthcare sector faces particular urgency: ENISA's threat landscape reporting for 2023 placed healthcare among the most targeted sectors in the EU, at around 8% of observed incidents
Spain
Spain is finalizing its transposition of NIS2. Key considerations:
- INCIBE serves as the reference CSIRT for private sector entities; CCN-CERT for public administration
- Organizations already compliant with the Esquema Nacional de Seguridad (ENS) have a head start
- Spain's energy sector (Annex I) is significant given the country's role in renewable energy and gas distribution to Europe
- The food production and distribution sector (Annex II) is particularly relevant for Spain as one of the EU's largest agricultural producers
- Tourism-related digital services may fall under the digital providers sector (Annex II) depending on their classification
How to Determine Your Classification: A Practical Guide
Step 1: Identify Your Sector
Review the Annex I and Annex II sector lists above. If your primary economic activity falls within any of these sectors, you may be in scope. Some organizations operate across multiple sectors; in that case the most stringent classification that any of your activities triggers applies to the entity, so a large group with one Annex I activity is an essential entity even if most of its business sits in Annex II.
Step 2: Check Your Size
Determine whether you meet the medium or large enterprise thresholds. The test is headcount OR finances, not both: you move up a band if your headcount reaches the ceiling, or if both your annual turnover and your balance sheet total exceed it. Exceeding only one of the two financial ceilings while staying under the headcount ceiling does not move you up. The SME Recommendation also counts the staff and finances of partner and linked enterprises, so check how your Member State's transposition treats group structures before concluding that a small subsidiary is out of scope.
Step 3: Check for Exceptions
Even if you are below the size thresholds, check whether you fall into one of the exception categories (trust service providers, DNS providers, TLD registries, sole providers of critical services, or entities designated under NIS1 or the CER Directive).
Step 4: Register with Your National Authority
Once you have determined your classification, register with your national competent authority. In Italy, this is the ACN portal. In Spain, follow guidance from INCIBE or CCN depending on whether you are a private or public entity.
Step 5: Implement Proportionate Measures
Both essential and important entities must implement the ten categories of security measures under Article 21. However, the specific implementation should be proportionate to your size, the likelihood and severity of incidents, and your societal and economic impact. A NIS2 compliance assessment can help you determine the appropriate level of measures for your organization.
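As an added illustration of Steps 1 through 3 (this is example code written for this page, not a tool from ACN, INCIBE, ENISA or the Commission), the following Python helper encodes the decision rules above: sector annex, the SME size test with its headcount-or-both-financials logic, the size-independent tiers from Article 3(1) and Article 2(2)(a), and the highest-tier-wins rule for multi-sector entities. The sector and entity-type keys are this example's own shorthand, and the helper deliberately ignores partner/linked-enterprise consolidation and any entity-specific designation a Member State makes under Article 2(2)(b) to (e).

```python
"""Simplified NIS2 tiering helper (illustrative example, not an official tool).

Encodes the classification steps from the guide:
  1. sector -> Annex I or Annex II
  2. size band per Recommendation 2003/361 (headcount, or BOTH financial ceilings)
  3. size-independent tiers under Article 3(1) and Article 2(2)(a)
  4. multi-sector entities take the highest tier any activity yields

Assumption: partner/linked-enterprise consolidation and Member State
designations under Article 2(2)(b)-(e) are outside this helper.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Sector keys below are this example's own shorthand, not official identifiers.
ANNEX_I = {
    "energy", "transport", "banking", "financial_market_infrastructure", "health",
    "drinking_water", "waste_water", "digital_infrastructure",
    "ict_service_management", "public_administration", "space",
}
ANNEX_II = {
    "postal_courier", "waste_management", "chemicals", "food",
    "manufacturing", "digital_providers", "research",
}

# Entity types that are essential whatever their size (Article 3(1)).
ALWAYS_ESSENTIAL = {
    "qualified_trust_service_provider", "tld_registry",
    "dns_service_provider", "central_government",
}
# Entity types in scope whatever their size (Article 2(2)(a)); those not in
# ALWAYS_ESSENTIAL are tiered by the normal size rules, so a small
# non-qualified trust service provider ends up "important".
ALWAYS_IN_SCOPE = ALWAYS_ESSENTIAL | {"trust_service_provider", "public_ecn_ecs"}

# Annex sector implied by a special entity type (default: digital infrastructure).
TYPE_SECTOR = {"central_government": "public_administration"}


@dataclass
class Entity:
    employees: int
    turnover_meur: float        # annual turnover, EUR million
    balance_sheet_meur: float   # annual balance sheet total, EUR million
    sectors: set[str] = field(default_factory=set)
    entity_types: set[str] = field(default_factory=set)


def size_band(e: Entity) -> str:
    """Recommendation 2003/361: an enterprise stays in a band only while it is
    under the headcount ceiling AND under at least one financial ceiling."""
    def within(headcount: int, turnover: float, balance: float) -> bool:
        return e.employees < headcount and (
            e.turnover_meur <= turnover or e.balance_sheet_meur <= balance
        )
    if within(10, 2, 2):
        return "micro"
    if within(50, 10, 10):
        return "small"
    if within(250, 50, 43):
        return "medium"
    return "large"


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' for one legal entity."""
    if e.entity_types & ALWAYS_ESSENTIAL:
        return "essential"                      # Article 3(1)(a), (b), (d)
    sectors = set(e.sectors)
    for t in e.entity_types & ALWAYS_IN_SCOPE:
        sectors.add(TYPE_SECTOR.get(t, "digital_infrastructure"))
    band = size_band(e)
    if band == "medium" and "public_ecn_ecs" in e.entity_types:
        return "essential"                      # Article 3(1)(c)
    if band in ("micro", "small") and not (e.entity_types & ALWAYS_IN_SCOPE):
        return "out of scope"                   # below the size cap
    if band == "large" and sectors & ANNEX_I:
        return "essential"                      # large in a high-criticality sector
    if sectors & (ANNEX_I | ANNEX_II):
        return "important"                      # medium anywhere, or large in Annex II
    return "out of scope"                       # not a listed sector


if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    samples = {
        "hospital group, 300 staff": Entity(300, 80, 60, {"health"}),
        "mid-size energy DSO": Entity(120, 30, 20, {"energy"}),
        "40-staff bank, big balance sheet": Entity(40, 60, 50, {"banking"}),
        "8-person DNS operator": Entity(8, 1, 0.5, entity_types={"dns_service_provider"}),
        "small non-qualified TSP": Entity(8, 1, 0.5, entity_types={"trust_service_provider"}),
        "20-staff clinic": Entity(20, 3, 2, {"health"}),
    }
    for label, ent in samples.items():
        print(f"{label:34} {size_band(ent):7} -> {classify(ent)}")
```

The third sample is the case practitioners most often get wrong: 40 employees but both financial figures above the large-enterprise ceilings makes the bank a large enterprise and therefore essential, while the clinic with 20 staff and modest finances is small and falls outside the size cap despite being in an Annex I sector.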
Sector Overlap with Other Regulations
Several NIS2 sectors are also covered by sector-specific regulations. The Directive includes coordination mechanisms to avoid conflicting requirements:
- Financial sector: The Digital Operational Resilience Act (DORA) applies to banking and financial market infrastructure entities, with DORA taking precedence as the sector-specific legislation (lex specialis)
- Telecoms: the security and incident-notification provisions of the European Electronic Communications Code (EECC, Articles 40 and 41) are deleted by NIS2 (Article 43), so providers of public electronic communications networks and services now fall directly under NIS2's Article 21 and Article 23 obligations rather than a parallel EECC regime
- Energy: The Network Code on Cybersecurity for the electricity sector introduces specific security requirements coordinated with NIS2
- Healthcare: GDPR applies to personal health data, requiring parallel compliance for incidents involving patient data
- Maritime: IMO guidelines and EU maritime security regulations create additional sector-specific requirements
Conclusion
Understanding whether your organization is classified as essential or important under NIS2 is the first step toward compliance. While both tiers face the same security and reporting obligations, the supervision regime and penalty exposure differ significantly. Essential entities should prepare for proactive regulatory scrutiny, while important entities should focus on building robust compliance programs that can withstand reactive investigation. Regardless of classification, the practical requirements are the same: implement risk management, build incident response capabilities, secure your supply chain, train your management body, and establish reporting procedures. For organizations seeking guidance on their classification and compliance path, a NIS2 compliance assessment provides a structured starting point.
