
NIS2 Essential vs Important Entities Explained

Learn how NIS2 classifies essential and important entities, which sectors fall under each category, size thresholds, and how obligations and penalties differ.

The NIS2 Directive (Directive 2022/2555) divides regulated organisations into two tiers: essential entities and important entities. Understanding which category your organisation falls into is not optional. It determines your supervision regime, your reporting deadlines, and the maximum fines you face for non-compliance. As of October 2024, when national transposition deadlines expired, over 160,000 organisations across the EU are estimated to fall within scope of NIS2, according to ENISA’s NIS investments report.

This article explains the full classification system, the sectors listed in Annex I and Annex II, the size thresholds that apply, and the concrete differences in obligations between NIS2 essential entities and important entities.

What Are NIS2 Essential Entities?

NIS2 essential entities are organisations operating in sectors that the Directive considers critical to societal and economic functioning. These sectors are listed in Annex I of the NIS2 Directive and comprise eleven high-criticality sectors:

  • Energy – electricity, oil, gas, hydrogen, and district heating
  • Transport – air, rail, water, and road
  • Banking – credit institutions
  • Financial market infrastructure – trading venues, central counterparties
  • Health – healthcare providers, EU reference laboratories, entities carrying out research and development of medicinal products, manufacturers of basic pharmaceutical products and preparations, and manufacturers of medical devices considered critical during a public health emergency
  • Drinking water – suppliers of water intended for human consumption
  • Waste water – operators collecting, disposing, or treating urban or industrial waste water
  • Digital infrastructure – IXPs, DNS service providers, TLD name registries, cloud computing services, data centre services, content delivery networks, trust service providers, public electronic communications networks
  • ICT service management (B2B) – managed service providers and managed security service providers
  • Public administration – central government entities (excluding judiciary, parliament, and central banks)
  • Space – operators of ground-based infrastructure supporting space-based services

An Annex I organisation qualifies as an NIS2 essential entity when it exceeds the medium enterprise ceilings, that is, when it is a large enterprise (see below). Article 3(1)(b) also designates qualified trust service providers, TLD name registries, and DNS service providers as essential regardless of size. Providers of public electronic communications networks or publicly available electronic communications services are in scope regardless of size (Article 2(2)(a)) and become essential once they reach medium size (Article 3(1)(c)); below that size they are important entities.

What Are NIS2 Important Entities?

Important entities operate in sectors listed in Annex II of the NIS2 Directive. These seven sectors are considered important but not at the highest criticality level:

  • Postal and courier services
  • Waste management
  • Chemicals – manufacture, production, and distribution of chemicals
  • Food – production, processing, and distribution, including food wholesale and industrial food manufacturing
  • Manufacturing – manufacturers of medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, and other transport equipment
  • Digital providers – online marketplaces, online search engines, social networking services platforms
  • Research – research organisations

Any organisation in an Annex II sector that meets the medium enterprise threshold is classified as an important entity. Additionally, Annex I organisations that meet the medium threshold but not the large threshold also fall into the important category.

How Do the Size Thresholds Work?

NIS2 applies size-based criteria drawn from Commission Recommendation 2003/361/EC on the definition of micro, small and medium-sized enterprises (Article 2(1) of NIS2 refers to Article 2 of the Annex to that Recommendation). Two thresholds matter:

Medium enterprise threshold

An organisation meets this threshold if it employs 50 or more people, or if both its annual turnover and its annual balance sheet total exceed EUR 10 million. Headcount alone is sufficient. On the financial side, however, the Recommendation applies an and/or test: an enterprise that exceeds the turnover ceiling but stays within the balance sheet ceiling (or vice versa) keeps the lower size class, so both financial figures must exceed the ceiling for the enterprise to move up on financials alone.

Large enterprise threshold

An organisation qualifies as large if it employs 250 or more people, or if its annual turnover exceeds EUR 50 million and its annual balance sheet total exceeds EUR 43 million. As with the medium threshold, exceeding only one of the two financial ceilings does not make the enterprise large. Two further points from the Recommendation matter in practice: the figures are those of the last approved accounting period, and a status change only takes effect once the ceilings have been exceeded (or fallen below) for two consecutive years; and the rules on partner and linked enterprises can pull a small subsidiary into its group's size class.

The classification logic is straightforward:

Sector list | Size                       | Classification
Annex I     | Large enterprise           | Essential
Annex I     | Medium enterprise          | Important
Annex II    | Medium or large enterprise | Important
Either      | Below medium threshold     | Generally out of scope

Certain entity types are in scope regardless of size. Article 2(2) of NIS2 lists them: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers (point (a)), and entities a Member State identifies because they are the sole provider of a service essential to critical societal or economic activities, because their disruption could have a significant impact on public safety, security or health, or because it could induce significant systemic risk (points (b) to (e)). Article 2(3) adds entities identified as critical under the CER Directive (Directive (EU) 2022/2557), which Article 3(1)(f) classes as essential. The European Commission has estimated that roughly 33% of entities falling in scope qualify as essential, with 67% classified as important.

How Does Categorisation Affect Supervision?

The distinction between essential and important is not cosmetic. It fundamentally shapes how competent authorities interact with your organisation.

Proactive supervision for essential entities

NIS2 essential entities are subject to proactive, ex ante supervision. This means competent authorities can, at any time and without a triggering incident:

  • Conduct on-site inspections and off-site audits
  • Request evidence of compliance, including security policies, risk assessments, and incident response plans
  • Order targeted security audits performed by an independent body
  • Require ad-hoc and regular security scans

According to data from the NIS Cooperation Group’s 2024 implementation tracker, 22 of 27 Member States had established or designated their supervisory authorities by mid-2025. Essential entities in those jurisdictions should expect active oversight as enforcement matures.

Reactive supervision for important entities

Important entities face reactive, ex post supervision. Competent authorities intervene only when there is evidence of non-compliance – for example, after a reported incident or following a complaint. This does not mean important entities can relax. They must still implement the same baseline security measures and report incidents within the same timelines. The difference is that authorities will not proactively audit them absent a trigger.

For organisations navigating both NIS2 and the General Data Protection Regulation, our NIS2 vs GDPR comparison clarifies where the two frameworks overlap and diverge.

What Are the Penalty Differences?

NIS2 introduces a tiered penalty regime that mirrors the GDPR’s approach to administrative fines.

Essential entities face fines of up to EUR 10 million or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher. Important entities face fines of up to EUR 7 million or 1.4% of that turnover, whichever is higher. Article 34 phrases these as a "maximum of at least" those amounts: they are floors for the national maximum, so a Member State may legislate higher ceilings in its transposing law.

Member States must also ensure that management bodies can be held liable. Article 20(1) requires the management bodies of essential and important entities to approve the Article 21 risk-management measures, oversee their implementation, and bear liability for infringements of that Article; Article 20(2) obliges their members to follow cybersecurity training. For essential entities, Article 32(5) and (6) additionally allow competent authorities, where other enforcement measures have failed and a deadline to remedy has passed, to temporarily suspend a certification or authorisation for the relevant services and to request a temporary ban on any natural person discharging managerial responsibilities at chief executive officer or legal representative level.

These penalty levels are significant. By comparison, DORA lets the Lead Overseer impose periodic penalty payments on critical ICT third-party service providers of up to 1% of their average daily worldwide turnover in the preceding business year, applied per day for up to six months (Article 35). Our DORA compliance guide covers the financial sector's parallel requirements.

What Obligations Apply to Both Categories?

Regardless of whether an organisation is essential or important, Article 21 of NIS2 mandates the same ten baseline cybersecurity risk-management measures:

  1. Policies on risk analysis and information system security
  2. Incident handling procedures
  3. Business continuity and crisis management
  4. Supply chain security, including security-related aspects of relationships with direct suppliers
  5. Security in network and information systems acquisition, development, and maintenance
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies on the use of cryptography and encryption
  9. Human resources security, access control policies, and asset management
  10. Use of multi-factor authentication and secured communications

Incident reporting obligations are also identical for both tiers. Entities must submit:

  • An early warning within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  • An incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • A final report not later than one month after the incident notification, including a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and, where applicable, the cross-border impact

The CSIRT or competent authority may also request intermediate status updates. If the incident is still ongoing when the final report falls due, the entity submits a progress report instead and delivers the final report within one month of handling the incident.

These reporting timelines interact with obligations under other frameworks. Our incident reporting guide covering DORA, NIS2, and GDPR explains how to coordinate parallel notifications.

How Does Self-Identification Work?

Unlike the original NIS Directive, NIS2 does not rely on Member States to individually designate operators. Instead, the Directive uses a self-identification mechanism. Organisations must assess whether they fall within scope and register with the relevant competent authority.

Article 3(3) requires Member States to establish a list of essential and important entities by 17 April 2025. Entities are required to provide the following information:

  • Name, address, and up-to-date contact details
  • The relevant sector and subsector from Annex I or Annex II
  • The Member States where they provide services
  • Their IP address ranges

Failing to self-identify does not exempt an organisation from NIS2 obligations. Competent authorities retain the power to identify and designate entities that should be in scope. The ENISA 2024 report noted that awareness remains a challenge: approximately 40% of newly in-scope organisations were not yet aware of their NIS2 obligations as of late 2024.

For organisations building a broader compliance programme, our GDPR compliance checklist provides a complementary framework that addresses data protection obligations.

Practical Steps to Determine Your Classification

If you are unsure of your status, follow these steps:

  1. Identify your sector. Match your primary activities against the Annex I and Annex II sector lists. Note that an entity may fall under multiple sectors.
  2. Check your size. Gather your headcount, annual turnover, and balance sheet total. Apply the medium and large thresholds.
  3. Check for exceptions. Review Article 2(2) for size-independent designations.
  4. Register. Submit your information to the competent authority of the Member State that has jurisdiction over you under Article 26 (as a rule, where you are established; for the digital infrastructure and digital provider types listed in Article 26(1)(b), where your main establishment in the Union is), and include the list of other Member States where you provide services, as Article 3(4) requires.
  5. Conduct a gap analysis. Map your current cybersecurity posture against the ten measures in Article 21.

Platforms like Legiscope can streamline the compliance assessment by mapping regulatory obligations to your specific organisational profile, reducing the manual effort involved in gap analysis and ongoing monitoring.

For organisations that also process personal data at scale, our NIS2 compliance guide provides a complete walkthrough of implementation steps.

FAQ

Does NIS2 apply to small enterprises?

Generally, no. Organisations below the medium threshold (fewer than 50 employees and not exceeding both the EUR 10 million turnover and balance sheet ceilings) are excluded. However, Article 2(2) brings specific entity types in scope regardless of size: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, as well as entities a Member State identifies because they are, for example, the sole provider of a service essential to critical societal or economic activities.

Can an organisation be both essential and important?

No. An entity receives a single classification. If an Annex I entity meets the large enterprise threshold, it is essential. If it meets only the medium threshold, it is important. Annex II entities are always classified as important when in scope.

What if my organisation operates in multiple EU Member States?

Article 26 determines which Member State has jurisdiction over you. As a rule it is the one where you are established; providers of public electronic communications networks or services fall under the Member State where they provide the service; and the digital infrastructure and digital provider types listed in Article 26(1)(b) are supervised from their main establishment in the Union. When registering, you list the other Member States where you provide services (Article 3(4)). Where an entity is active in more than one Member State, competent authorities cooperate and assist each other under Article 37.

When do NIS2 obligations take effect?

The transposition deadline was 17 October 2024. Member States were required to adopt national laws implementing NIS2 by that date. Entities that fall in scope are already subject to obligations in Member States that have transposed the Directive. Our GDPR compliance checklist offers a parallel reference for data protection deadlines.

How does NIS2 interact with DORA for financial entities?

DORA (Regulation 2022/2554) is a sector-specific regulation that takes precedence over NIS2 for financial entities within its scope under the lex specialis principle. Financial entities subject to DORA should comply with DORA’s requirements rather than NIS2’s, though they may still appear on NIS2 entity lists. See our DORA compliance guide for details.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's office on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-powered automated GDPR compliance platform.