NIS2 Essential vs Important Entities: Which Are You?
The scope test that determines half of your NIS2 obligations. Annex I vs Annex II, the size threshold, the size-irrelevant categories, and how the two-tier supervision model actually works.
NIS2 Essential vs Important Entities: Which Are You?
The single most consequential question in NIS2 scoping isn't "am I in scope?" — it's "am I essential or important?" That distinction determines whether you face proactive supervision with regular audits or reactive supervision triggered by incidents, whether your penalty cap is €10 million or €7 million, and how much regulatory attention you can expect in the first three years.
This article walks through how the classification actually works, the size threshold rules and exceptions, and the edge cases that catch SMEs out. For the broader scoping context, start with the complete NIS2 and DORA compliance guide.
This is not legal advice. National transpositions can refine sector definitions; verify against your jurisdiction's implementing law.
The classification at a glance
Two annexes, two tiers, one size test:
| Tier | Annex | Sectors | Supervision model | Penalty cap |
|---|---|---|---|---|
| Essential entity | Annex I | 11 sectors of "highest criticality" | Proactive (regular audits) | €10M or 2% of global turnover |
| Important entity | Annex II | 7 "other critical sectors" | Reactive (incident-triggered) | €7M or 1.4% of global turnover |
Plus a default size threshold and a list of size-irrelevant categories that override it. We'll cover each piece in order.
Annex I — the essential sectors
Eleven sectors of highest criticality, listed in Annex I:
- Energy — electricity, district heating and cooling, oil, gas, hydrogen
- Transport — air, rail, water, road
- Banking — credit institutions
- Financial market infrastructures — trading venues, central counterparties
- Health — healthcare providers, EU reference laboratories, R&D of medicinal products, manufacture of basic pharmaceutical products and preparations, manufacture of medical devices considered critical during a public health emergency
- Drinking water — suppliers and distributors
- Waste water — collection, disposal, treatment (where this is an essential part of general public activity)
- Digital infrastructure — IXPs, DNS service providers (excl. root), TLD registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, providers of publicly available electronic communications services
- ICT service management (B2B) — managed service providers, managed security service providers
- Public administration — central government, regional level (member state discretion below regional)
- Space — operators of ground-based infrastructure owned, managed, and operated by member states or private parties supporting the provision of space-based services
An entity falling under Annex I and meeting the size threshold (or a size-irrelevant trigger) is classified as essential.
Annex II — the important sectors
Seven sectors of "other critical" classification, listed in Annex II:
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food — covering wholesale distribution and industrial production and processing
- Manufacturing — covering specific NACE-coded sub-sectors only: medical devices and in vitro diagnostic medical devices, computer/electronic/optical products, electrical equipment, machinery and equipment n.e.c., motor vehicles, trailers and semi-trailers, other transport equipment
- Digital providers — online marketplaces, online search engines, social networking services platforms
- Research — research organisations
An entity falling under Annex II and meeting the size threshold (or a size-irrelevant trigger) is classified as important.
The manufacturing trap
Annex II manufacturing is not "all manufacturing." It is restricted to specific NACE sub-sectors. A 250-person company that makes industrial valves, fasteners, or general metal products is not in scope on a sector basis — those NACE codes are not in Annex II. A 250-person company that makes electrical motors, computer peripherals, or motor vehicle parts is in scope.
Always cross-check your NACE code against the directive's specific sub-sector list. Vendor blogs that lump "manufacturing" together get this wrong.
The default size threshold
NIS2 uses the EU's standard SME definition from Commission Recommendation 2003/361/EC. The size thresholds:
- Medium: fewer than 250 staff and either annual turnover ≤ €50 million or balance sheet total ≤ €43 million
- Small: fewer than 50 staff and either annual turnover ≤ €10 million or balance sheet total ≤ €10 million
- Micro: fewer than 10 staff and either annual turnover ≤ €2 million or balance sheet total ≤ €2 million
NIS2 applies by default to medium-sized enterprises and above — that is, entities that exceed the small-enterprise ceiling. The practical test:
- 50 or more employees, OR
- Annual turnover over €10 million, OR
- Balance sheet total over €10 million
If any one of these is true, you meet the medium threshold. If none is true, you are a small or micro enterprise and generally out of scope unless caught by a size-irrelevant category.
Counting employees
The 50-employee threshold uses full-time equivalent (FTE) headcount averaged across the financial year. Group structure matters — under Commission Recommendation 2003/361/EC, certain affiliations require consolidation of headcount and turnover figures. A 20-person Danish subsidiary of a 5,000-person parent is typically counted at parent level for the purpose of the threshold.
The size-irrelevant categories
Even below the medium threshold, certain entity types are in scope regardless of size:
- Qualified trust service providers (eIDAS regulated)
- Top-level domain name registries
- DNS service providers
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
- Sole providers in a member state of a service which is essential for the maintenance of critical societal or economic activities
- Public administration entities falling under specific national designations
- Entities providing services where disruption of the service could have significant impact on public safety, public security, or public health
- Entities providing services where disruption of the service could induce significant systemic risk, in particular for sectors where such disruption could have a cross-border impact
- Entities critical because of their specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the member state
A 30-person company operating a .dk TLD service is in scope under NIS2 regardless of headcount or turnover.
How the classification is made
NIS2 uses an automatic classification logic. There is no individual designation process for most entities. You self-classify based on:
- Are you in an Annex I or Annex II sector?
- Do you meet the medium-enterprise threshold, or fall into a size-irrelevant category?
If yes to both, you are in scope — essential if Annex I, important if Annex II.
National authorities may additionally designate specific entities as essential or important even where the automatic test does not apply. Designation is discretionary and member state-specific. Designation is most common for entities at the borderline of automatic scope — for example, a small healthcare provider critical to a region's emergency response.
Registration triggers self-classification
The self-classification is operationalised through national registration. Most member states have built registration portals where entities self-identify their sector, size, and entity type. Examples:
- Denmark — CFCS NIS2 portal (registration deadline was 1 October 2025)
- Germany — BSI registration portal (opened early 2026)
- France — ANSSI MonEspaceNIS2
Registration is itself a regulated act. Submitting an incorrect or incomplete registration is a non-compliance event regardless of whether the underlying classification is correct.
What "essential" vs "important" actually means in practice
The two-tier model is not just a labelling exercise. It changes how supervision works.
Essential entities — proactive supervision
Per Article 32 NIS2, supervision of essential entities can include:
- On-site inspections and off-site supervision
- Regular targeted audits, including those carried out by an independent body or by a competent authority
- Ad hoc audits
- Security scans
- Requests for information necessary to assess the cybersecurity risk management measures
- Requests for evidence of implementation of policies
- Requests for the results of cybersecurity audits
The point is regularity. An essential entity should expect periodic supervisory attention even without an incident having occurred. Plan for it.
Important entities — reactive supervision
Per Article 33 NIS2, supervisory measures for important entities apply only when there is evidence, indication, or information of non-compliance, including incidents or other circumstances. Important entities face the same scope of supervisory measures, but the trigger is different — supervisors do not run regular audits on important entities by default.
The practical implication: important entities have somewhat more latitude on supervisory readiness, but the documentation and control requirements are identical. The differentiation is when supervision happens, not what it consists of.
Edge cases that catch SMEs out
Six classification questions that show up repeatedly:
"We're 30 people but we provide cloud services to banks." Cloud computing service providers are an Annex I sector. The medium-enterprise threshold applies — under 50 staff and turnover ≤€10M and balance sheet ≤€10M means you're out. But many small cloud providers exceed the turnover threshold even with low headcount. Test all three.
"We're a 200-person manufacturer." Annex II manufacturing is sub-sector specific. NACE code matters. General manufacturing is not in scope; specific sub-sectors are.
"We're a Danish subsidiary of a US parent — do we use Danish numbers or group numbers?" Generally group numbers, under the linked/partner enterprise rules of Recommendation 2003/361/EC. A small Danish subsidiary of a large group is typically scoped at group level.
"We provide a service that's not in any annex but everyone says we're in scope." Vendor blogs are often wrong on scope. Check the actual annexes against your activities. If you're not in either annex and not a size-irrelevant category, you are out of scope, regardless of how cybersecurity-adjacent your services feel.
"We're in Annex II but a national authority told us we're essential." Member states can designate entities up a tier or scope them in below threshold. The designation is binding. Document it.
"We're an MSP for non-NIS2 customers — are we still in scope?" Managed service providers are an Annex I sector (ICT service management). Your customers' status doesn't determine yours; your own activities do.
📨 Scope changes when sectors get clarified, when designations issue, and when the 2026 Omnibus moves through. Risk Letters tracks scope developments weekly. Free.
How DORA interacts
A financial entity falling under both NIS2 (banking is an Annex I essential sector) and DORA faces lex specialis displacement under Article 4 NIS2. DORA wins on the dimensions DORA covers — ICT risk management and incident reporting. NIS2 obligations not covered by DORA, such as cross-sector cooperation duties or activities outside the financial perimeter, may still apply.
For the displacement detail see NIS2 vs DORA: Key Differences for European Companies.
Frequently asked questions
Are essential and important entities subject to different Article 21 measures? No. The 10 measures of Article 21 apply identically to both. The difference is in supervision (Articles 32 vs 33) and penalty caps (Article 34).
Can I be reclassified from important to essential? Yes — member states can designate. Reclassification typically follows changes in your services, market position, or criticality assessment by the national authority.
Does the size threshold use FTE or headcount? FTE, averaged across the financial year. Commission Recommendation 2003/361/EC sets the precise calculation rules.
Are public administration entities always essential? Central government typically yes; regional and local at member state discretion. National transpositions vary significantly on the public-sector scope.
Does NIS2 cover our subsidiaries in non-EU countries? No. NIS2 binds entities established in the EU or providing services in the EU. A non-EU subsidiary providing services exclusively outside the EU is out of scope.
What if our sector classification is genuinely ambiguous? Engage your national competent authority. Most authorities publish clarification routes — a formal scope query is preferable to a registration mismatch later.
Does NIS2 apply if we're below the threshold but a designated sole provider? Yes. Sole-provider designation is a size-irrelevant category — you're in scope regardless of headcount or turnover.
The bottom line
Three takeaways:
- Classification is automatic, not discretionary. Sector + size + size-irrelevant trigger determines the answer.
- Essential is not "more compliance" — it's "more supervision." The Article 21 measures apply identically; the difference is when and how supervisors examine you.
- NACE codes matter. Manufacturing in particular is sub-sector specific, not blanket.
For the broader scoping context including the 2026 Digital Omnibus proposal, see the complete NIS2 and DORA compliance guide. For SME-specific implementation regardless of tier, see Minimum Viable NIS2 Compliance for SMEs.
Sources & further reading
- Directive (EU) 2022/2555 — NIS2 — Annexes I and II (sector lists); Article 2 (scope); Article 32 (essential entity supervision); Article 33 (important entity supervision); Article 34 (penalties)
- Commission Recommendation 2003/361/EC — SME definition and calculation rules
- ENISA — NIS2 sector mapping reference
- National registration guidance: CFCS (DK) · BSI (DE) · ANSSI (FR)