The EU’s NIS2 Directive massively widens the population of organisations that must run a baseline cybersecurity programme and report incidents fast. This checker applies the directive’s default sector-plus-size rule so you can see whether you are an Essential entity, an Important entity, or out of scope.
How it works
NIS2 combines two axes — the sector’s criticality annex and the organisation’s size — to assign a classification:
Annex I + Large → Essential
Annex I + Medium → Important
Annex II + Medium or Large → Important
Micro / small → out of scope (unless an always-in-scope type)
A handful of digital-infrastructure providers (DNS providers, TLD registries, internet exchange points and similar) are in scope at any size. The tool encodes both the annex split and these size-cap exceptions.
Which sectors fall in Annex I vs Annex II
Annex I — high criticality sectors:
- Energy (electricity, oil, gas, district heating/cooling, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, clinical laboratories, R&D, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure (internet exchange points, DNS service providers, TLD registries, cloud providers, data centres, content delivery networks, trust service providers, public electronic communications networks)
- Public administration (central and regional, excluding judiciary, parliament, central banks)
- Space
Annex II — other critical sectors:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Food production, processing and distribution
- Manufacturing (medical devices, computers, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organisations
The size thresholds
NIS2 uses the EU SME definition. Medium means 50-249 staff or €10m-€50m annual turnover (meeting either threshold qualifies). Large means 250+ staff or over €50m turnover. Micro and small organisations (fewer than 50 staff and under €10m turnover) are generally outside scope unless they are one of the always-in-scope digital infrastructure types or are specifically designated by their member state.
What the obligations actually require
Whether you are Essential or Important, the Article 21 security measures are the same in substance:
- Risk analysis and information security policies
- Incident handling procedures
- Business continuity and crisis management
- Supply chain security
- Secure system development and acquisition
- Policies and procedures for assessing cybersecurity risk management effectiveness
- Basic cyber hygiene and staff training
- Cryptography and encryption policies
- Human resources security and access control
- Multi-factor authentication and encrypted communications where relevant
The incident reporting deadlines are the same for both entity types: 24-hour early warning, 72-hour incident notification, and one-month final report to the national CSIRT or competent authority.
The key difference between Essential and Important entities is supervision: Essential entities face proactive regulatory scrutiny (audits, inspections) and higher fines, while Important entities are subject to reactive oversight — the regulator investigates when something goes wrong rather than checking proactively.
Member state variation
NIS2 is a directive, not a regulation, so each EU member state transposed it into national law with their own competent authorities, deadlines, and in some cases broader sector scope. Always confirm your specific status with the relevant national authority and legal counsel in each jurisdiction where you operate.