Does NIS2 apply to my company? Essential vs important entities
Not sure if you're in scope? Use the sector list and the size-threshold rule to find out, and learn what 'essential' vs 'important' actually changes.
Step 1: are you in an in-scope sector?
NIS2 lists its sectors in two annexes. Annex I (high-criticality) covers energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration and space. Annex II (other critical) covers postal and courier, waste management, chemicals, food, manufacturing, digital providers and research.
Step 2: do you meet the size threshold?
Generally, NIS2 applies to medium-sized and larger entities in those sectors: at least 50 employees, or annual turnover and balance sheet above €10 million. Below that threshold, you're usually out of scope, but there are important exceptions.
Step 3: check the size-cap exceptions
Some entities are in scope regardless of size, for example certain providers of public electronic communications, trust services, DNS and TLD services, and sole providers of a critical service in a Member State. Don't assume 'small' means 'exempt' without checking.
Essential vs important: what changes
- Essential entities (mostly Annex I): proactive supervision, with regulators able to audit you without cause; fines up to €10m or 2% of global turnover.
- Important entities (mostly Annex II): reactive supervision, where scrutiny typically follows an incident or evidence of non-compliance; fines up to €7m or 1.4% of global turnover.
- Both face the same core Article 20, 21 and 23 obligations; the difference is mainly supervision and maximum penalties.
If you're in scope, start with evidence
Whichever category you fall into, the obligations turn on being able to prove your controls and report incidents on time. Alexus gives you a continuous readiness score and an audit-grade evidence trail from day one. This article is general guidance, not legal advice. Confirm against your national transposition.