NIS2 Directive Applicability Checker

Determine if your organisation is an essential or important entity under NIS2

Check whether your organisation falls under the EU NIS2 Directive. Select your sector and size to classify as an Essential Entity, Important Entity, or out of scope, and see the applicable risk-management obligations and 24-hour, 72-hour, and one-month incident reporting deadlines. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between an Essential and an Important entity?

Essential entities are large organisations in high-criticality sectors and face proactive supervision and higher fines (up to €10m or 2% of global turnover). Important entities cover medium-sized high-criticality firms and other critical sectors, with reactive supervision and lower fines (up to €7m or 1.4%).

The EU’s NIS2 Directive massively widens the population of organisations that must run a baseline cybersecurity programme and report incidents fast. This checker applies the directive’s default sector-plus-size rule so you can see whether you are an Essential entity, an Important entity, or out of scope.

How it works

NIS2 combines two axes — the sector’s criticality annex and the organisation’s size — to assign a classification:

Annex I  + Large            → Essential
Annex I  + Medium           → Important
Annex II + Medium or Large  → Important
Micro / small               → out of scope (unless an always-in-scope type)

A handful of digital-infrastructure providers (DNS providers, TLD registries, internet exchange points and similar) are in scope at any size. The tool encodes both the annex split and these size-cap exceptions.

Which sectors fall in Annex I vs Annex II

Annex I — high criticality sectors:

  • Energy (electricity, oil, gas, district heating/cooling, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, clinical laboratories, R&D, pharmaceuticals)
  • Drinking water and wastewater
  • Digital infrastructure (internet exchange points, DNS service providers, TLD registries, cloud providers, data centres, content delivery networks, trust service providers, public electronic communications networks)
  • Public administration (central and regional, excluding judiciary, parliament, central banks)
  • Space

Annex II — other critical sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Food production, processing and distribution
  • Manufacturing (medical devices, computers, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organisations

The size thresholds

NIS2 uses the EU SME definition. Medium means 50-249 staff or €10m-€50m annual turnover (meeting either threshold qualifies). Large means 250+ staff or over €50m turnover. Micro and small organisations (fewer than 50 staff and under €10m turnover) are generally outside scope unless they are one of the always-in-scope digital infrastructure types or are specifically designated by their member state.

What the obligations actually require

Whether you are Essential or Important, the Article 21 security measures are the same in substance:

  • Risk analysis and information security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security
  • Secure system development and acquisition
  • Policies and procedures for assessing cybersecurity risk management effectiveness
  • Basic cyber hygiene and staff training
  • Cryptography and encryption policies
  • Human resources security and access control
  • Multi-factor authentication and encrypted communications where relevant

The incident reporting deadlines are the same for both entity types: 24-hour early warning, 72-hour incident notification, and one-month final report to the national CSIRT or competent authority.

The key difference between Essential and Important entities is supervision: Essential entities face proactive regulatory scrutiny (audits, inspections) and higher fines, while Important entities are subject to reactive oversight — the regulator investigates when something goes wrong rather than checking proactively.

Member state variation

NIS2 is a directive, not a regulation, so each EU member state transposed it into national law with their own competent authorities, deadlines, and in some cases broader sector scope. Always confirm your specific status with the relevant national authority and legal counsel in each jurisdiction where you operate.