Scope and Entities: Who Must Comply with NIS2?

1. From NIS1 to NIS2: Why Scope Matters Now

NIS2 dramatically widens who must comply with EU cybersecurity rules compared with the original NIS Directive (NIS1).

• NIS1 (2016–2024) focused on a narrower set of operators of essential services and digital service providers.
• NIS2 (Directive (EU) 2022/2555) entered into force in 2023 and must be transposed by Member States by 17 October 2024 (already passed relative to today, December 2025). National laws based on NIS2 now apply across the EU/EEA, with some variations.

Key changes relevant to scope:

1. More sectors: From a handful under NIS1 to 18+ sectors and sub‑sectors under NIS2.
2. Size-cap rule: Most medium and large entities in the listed sectors are in scope by default.
3. Two categories of regulated entities:

• Essential entities (EE) – higher criticality, stricter supervision.
• Important entities (IE) – still regulated but with lighter ex‑ante supervision.

1. Public administration explicitly included (with some exceptions, e.g., national security, judiciary).
2. Cross‑border operations: A single entity can fall under multiple Member States’ jurisdiction.

In this module you will learn a systematic method to answer, for any organization:

> Is it in scope of NIS2? If yes, is it an essential or important entity, and in which Member State(s)?

2. The Sectoral Map: Sectors and Sub‑Sectors Under NIS2

NIS2 Annexes I and II list the sectors covered. Conceptually, there are two groups:

• Annex I – High criticality sectors → usually Essential Entities
• Annex II – Other critical sectors → usually Important Entities

Below is a condensed map (names slightly simplified for clarity; check national law for exact transposition):

Annex I – Typically Essential Entities

1. Energy

• Electricity (generation, transmission, distribution)
• District heating and cooling
• Gas (production, transmission, distribution, storage, LNG)
• Oil (production, refining, pipelines, storage)

1. Transport

• Air (airlines, airports, air traffic management)
• Rail (infrastructure managers, railway undertakings)
• Water (ports, shipping companies)
• Road (road authorities, traffic management, some freight/logistics)

1. Banking

• Credit institutions

1. Financial market infrastructures (FMI)

• Central counterparties (CCPs)
• Central securities depositories (CSDs)

1. Health

• Hospitals and private clinics
• EU reference labs
• Healthcare providers
• Critical medical device manufacturers (depending on Member State transposition)

1. Drinking water

• Supply and distribution of potable water

1. Waste water

• Collection, treatment facilities

1. Digital infrastructure

• Internet exchange points (IXPs)
• DNS service providers, TLD name registries
• Cloud computing services
• Data centre services
• Content delivery networks (CDNs)
• Trust service providers (eIDAS)
• Public electronic communications networks and services (telcos)

1. Public administration (core)

• Central and some regional public administration entities (excluding national security, defence, judiciary, parliaments, central banks)

1. Space

• Operators of ground‑based infrastructure for space‑based services that are critical for other sectors

Annex II – Typically Important Entities

1. Postal and courier services
2. Waste management (non‑waste‑water)
3. Manufacturing of critical products, e.g.:

• Pharmaceuticals
• Medical devices (certain categories)
• Chemicals
• Computer, electronics, optical products
• Electrical equipment, machinery, motor vehicles, etc. (as listed in Annex II)

1. Food production, processing and distribution (large players)
2. Digital providers (non‑Annex I)

• Online marketplaces
• Online search engines
• Social networking platforms

1. Research organisations
2. Public administration (additional levels)

• Certain regional/local entities, depending on national choices

> Important nuance: The same type of activity may be classified as essential in one Member State and important in another, depending on how the national law uses the Annexes and any additional criteria.

3. The Size‑Cap Rule: Who Is In Scope by Default?

NIS2 introduces a size‑cap rule: for the listed sectors, medium and large entities are in scope by default.

The EU uses the standard SME definition:

• Micro: < 10 employees and ≤ €2m turnover or balance sheet total
• Small: < 50 employees and ≤ €10m
• Medium: < 250 employees and ≤ €50m turnover or ≤ €43m balance sheet
• Large: ≥ 250 employees or exceeding the medium thresholds

Under NIS2:

• Medium and large entities in Annex I or II sectors are automatically in scope.
• Micro and small entities are generally out of scope, unless they fall under specific exceptions (see next step).

A simple decision logic:

```text

1. Is the entity active in any Annex I or II sector?

└─ No → NIS2 generally does not apply (unless national law extends scope).

└─ Yes → Go to 2.

1. Is it at least a medium‑sized enterprise (EU definition)?

└─ Yes → In scope (EE or IE depending on sector and national law).

└─ No (micro/small) → Go to 3.

1. Does it meet any exception criteria (e.g., sole provider, critical at national/EU level, etc.)?

└─ Yes → It can still be designated as essential/important.

└─ No → Out of scope of NIS2, but other cybersecurity laws may still apply.

```

> Critical point: NIS2 sets an EU minimum. Many Member States (as of late 2024–2025) have extended scope to cover more entities (including some small ones) or more sectors. Always check the specific national transposition.

4. Essential vs Important Entities: Legal and Practical Distinction

NIS2 creates two categories with similar obligations but different regulatory treatment:

4.1. Obligations (largely) the same

Both Essential Entities (EE) and Important Entities (IE) must:

• Implement risk management measures (governance, policies, supply chain security, incident handling, etc.).
• Report significant incidents within specific timelines.
• Use secure ICT procurement and development practices.
• Manage supply‑chain and outsourcing risks.

The substantive cybersecurity obligations are very similar.

4.2. Supervision and enforcement differ

• Essential Entities
• Subject to proactive (ex‑ante) supervision: audits, inspections, security scans even without suspicion.
• Higher maximum fines in many Member States.
• Typically cover Annex I sectors and some critical Annex II entities.

• Important Entities
• Subject mainly to reactive (ex‑post) supervision: investigations triggered by evidence or indications of non‑compliance (e.g., major incident, complaints).
• Lower (but still significant) maximum fines.
• Typically cover Annex II sectors plus some less‑critical entities in Annex I sectors.

4.3. How classification is usually determined

1. By sector (Annex I vs Annex II)
2. By criticality (e.g., sole provider in a region, systemic importance)
3. By national designation (Member States can upgrade an entity to essential status)

> In practice: Annex I + medium/large → usually Essential; Annex II + medium/large → usually Important, but always verify with your Member State’s official list or criteria, because derogations and additional designations are common.

5. Worked Case Studies: Applying Sector and Size Criteria

Let’s apply the logic step‑by‑step to complex, realistic scenarios. Assume each entity is established in an EU Member State that has closely followed the NIS2 text (no major national extensions).

---

Case A – Regional Hospital Network

• Activity: Healthcare services (multiple hospitals, clinics)
• Employees: ~3,000
• Turnover: > €400m

Step 1 – Sector?

• Healthcare provision is in Annex I (Health).

Step 2 – Size?

• Clearly large (>250 employees) → in scope by size‑cap rule.

Step 3 – Essential vs Important?

• Annex I + large → Essential Entity.

Conclusion: The network is an Essential Entity under NIS2.

---

Case B – Cloud Services Start‑up

• Activity: IaaS/PaaS cloud services to EU customers
• Employees: 40
• Turnover: €6m

Step 1 – Sector?

• Cloud computing services are in Annex I (Digital infrastructure).

Step 2 – Size?

• Small (<50 employees and turnover < €10m) → not automatically in scope.

Step 3 – Exceptions?

• Could be designated if, for example:
• It is the sole provider for a critical national function (e.g., national e‑health platform), or
• National law explicitly includes certain small cloud providers.

Conclusion: Absent special designation, this specific start‑up is likely out of NIS2 scope, though national law may still regulate it (e.g. sectoral rules, data protection, cloud security schemes).

---

Case C – Pan‑EU Online Marketplace

• Activity: Large online marketplace platform
• Employees: 800
• Turnover: €250m
• Users: Millions across several Member States

Step 1 – Sector?

• Online marketplaces are in Annex II (Digital providers).

Step 2 – Size?

• Large → in scope.

Step 3 – Essential vs Important?

• Annex II + large → Important Entity (unless upgraded by national rules).

Conclusion: The marketplace is an Important Entity and must comply with NIS2 obligations, subject to ex‑post supervision.

---

Case D – Municipal Water Utility (Medium‑Sized)

• Activity: Drinking water supply for a medium‑sized city
• Employees: 120
• Turnover: €20m

Step 1 – Sector?

• Drinking water is in Annex I (Drinking water).

Step 2 – Size?

• Medium → in scope.

Step 3 – Essential vs Important?

• Annex I + medium → typically Essential Entity.

Conclusion: The utility is an Essential Entity, even though it serves only one city.

---

Case E – Research Institute with Critical National Role

• Activity: National research centre providing cyber‑threat intelligence to multiple ministries and critical operators
• Employees: 80
• Turnover: €12m

Step 1 – Sector?

• Research organisations are in Annex II.

Step 2 – Size?

• Small → borderline/just over small (depending on exact figures). Assume it is just below medium.

Step 3 – Exceptions?

• It plays a critical role at national level. NIS2 allows Member States to designate specific entities as essential or important even if they are small, when disruption would have significant societal or economic impact.

Conclusion: The institute can be designated as an Important or even Essential Entity by national law, despite its size. This is an example of criticality overriding size.

6. Thought Exercise: Build a Quick NIS2 Scope Checklist

Construct a 3‑minute checklist you could use in a consulting engagement to triage whether a client is likely in scope of NIS2.

Task: On a sheet of paper or in a text editor, draft no more than 8 yes/no questions that:

1. Identify sector (map to Annex I/II).
2. Determine size (micro/small vs medium/large).
3. Capture criticality exceptions (sole provider, systemic impact, cross‑border relevance).
4. Flag public administration nuances.

Example starter questions (do not just copy; refine them):

1. Does your organization provide services or products in any of the following domains: energy, transport, banking/finance, health, water, digital infrastructure, public administration, space, postal/courier, waste management, manufacturing of critical products, food, digital platforms, or research?
2. How many employees do you have, and what is your annual turnover/balance sheet total (approximate figures)?
3. Are you the sole or dominant provider of a service that, if disrupted, would significantly affect public safety, public health, or the economy in your country or region?
4. Do you provide services across multiple EU Member States, or host critical infrastructure used by customers in several Member States?

After drafting, stress‑test your checklist by applying it to two entities:

• A national telecom operator.
• A mid‑sized local waste management company.

Ask yourself: Does my checklist correctly flag them as in or out of scope, and as essential vs important? Where does it fail or produce ambiguity?

7. Public Administration and Additional Sectors Added by NIS2

NIS2 explicitly brings public administration and several new sectors into scope compared to NIS1.

7.1. Public administration

NIS2 covers certain public administration entities, but with important exclusions:

• Included (subject to Member State choices):
• Central government ministries/agencies.
• Some regional authorities.
• Certain local authorities, especially where they provide critical services (e.g., big city administrations managing transport, water, or emergency services).

• Excluded at EU level (but may be regulated by national law):
• National security, public security, defence, military activities.
• Judiciary, parliaments, central banks.

Member States can:

• Extend NIS2‑type obligations to more public bodies (e.g., all municipalities above a certain size).
• Harmonize obligations with existing e‑government and data protection rules.

7.2. New sectors vs NIS1

Compared with NIS1, NIS2 clearly adds or strengthens coverage for:

• Waste water and broader waste management.
• Postal and courier services.
• Food production, processing and distribution.
• Manufacturing of a wide range of critical products (e.g., pharmaceuticals, medical devices, ICT equipment, vehicles).
• Research organisations.
• A broader set of digital services (online marketplaces, search engines, social networks), with more explicit obligations.

> For an exam or practical assessment, you should be able to explain why including these sectors is rational from a systemic risk perspective (e.g., how disruption of postal services or food supply chains can cascade into other critical sectors).

8. Cross‑Border Operations and Multi‑Jurisdictional Scope

Modern organizations often operate across borders, raising complex questions of jurisdiction under NIS2.

8.1. Basic rule: Country of establishment

• An entity is generally supervised by the Member State where it is established (its head office or main establishment in the EU).
• If it has multiple establishments, NIS2 and national laws specify criteria (e.g., main place of business, central administration) to determine the primary competent authority.

8.2. Cross‑border service provision

• A cloud provider established in Member State A but serving customers in B, C, and D is primarily supervised by A.
• However, cooperation mechanisms (CSIRTs network, European cyber crisis liaison organization network – EU‑CyCLONe, etc.) ensure that incidents affecting B, C, or D are coordinated at EU level.

8.3. Groups and subsidiaries

• A corporate group with subsidiaries in multiple Member States may have several in‑scope entities:
• Each subsidiary that meets the sector + size criteria is itself an EE or IE.
• The parent may also be in scope if it directly provides covered services or central ICT functions.
• Some Member States treat shared services centres (IT, SOC, data centres) as separate entities under NIS2.

8.4. Non‑EU entities offering services into the EU

• NIS2 extends to certain non‑EU providers (e.g., large cloud, DNS, TLD, and digital platform providers) offering services in the EU.
• They must designate a representative in the EU and are subject to supervision by the Member State where that representative is established.

> In practice, cross‑border scope questions often require detailed factual analysis (group structure, contracts, data flows) and careful reading of national transposition laws and guidance from national CSIRTs and competent authorities.

9. Quick Check: Classifying Entities Under NIS2

Test your understanding of scope, size, and entity classification.

Question:

A company established in France operates data centres and provides IaaS cloud services to customers in France, Germany, and Spain. It has 300 employees and €120m annual turnover. It is not the only such provider in any of these markets. Under a typical NIS2 transposition, how is it most likely classified?

(Assume France follows NIS2 Annexes closely, with no major extensions.)

10. Flashcard Review: Core NIS2 Scope Concepts

Flip these cards (mentally or with your own notes) to reinforce the key concepts about NIS2 scope and entity classification.