Who has to comply with the NIS2 Directive?

The NIS2 Directive sets out clear criteria for deciding which category an organization belongs to and which measures it must adopt. Organizations required to implement cybersecurity measures are divided into two categories, essential entities and important entities, and the directive attaches different obligations to each. Essential entities (EE) are subject to the stricter regime, including proactive supervision by the national authorities, because an incident affecting their operations could have major repercussions for European society and infrastructure. They are typically large enterprises operating in the sectors of high criticality listed in Annex I of the directive: at least 250 employees, or an annual turnover above €50 million together with a balance sheet total above €43 million.

Sectors in which essential entities operate (Annex I, sectors of high criticality) include:

ENERGY
TRANSPORT AND LOGISTICS
FINANCE
HEALTH
WATER SUPPLY
DIGITAL INFRASTRUCTURE
PUBLIC ADMINISTRATION
Important entities (IE) must also comply with the requirements set by NIS2, but they are supervised under a lighter regime (supervision after an incident or on evidence of non-compliance rather than proactively). The category covers medium-sized enterprises in the Annex I sectors, that is, at least 50 employees or an annual turnover and balance sheet total above €10 million, as well as medium-sized and large enterprises in the additional critical sectors listed in Annex II.

Sectors in which important entities operate (Annex II, other critical sectors) include:

POSTAL SERVICES
FOOD INDUSTRY
CHEMICAL INDUSTRY
MANUFACTURING
DIGITAL SERVICES
RESEARCH INSTITUTIONS
WASTE MANAGEMENT

How NIS2 determines who must comply

Studies show that over 50% of organizations that are not properly equipped have been the target of a successful cyberattack within a 12-month period. Information systems have evolved rapidly in recent years, and with them, cyber threats have increased. In a highly interconnected society, a compromised system can trigger cascading effects with significant repercussions for other organizations and for the community as a whole. For this reason, the EU has established clear rules to determine which organizations should implement a certain level of cybersecurity. The criteria are based on:

  • Sector of activity – the organization provides services in one of the high-criticality sectors of Annex I (energy, transport, banking, health, drinking water, digital infrastructure, public administration, etc.) or in one of the other critical sectors of Annex II.
  • Organization size – the size-cap rule: medium-sized and large enterprises in those sectors (at least 50 employees, or more than €10 million in annual turnover and balance sheet total) are in scope by default, with large enterprises in Annex I sectors classified as essential entities; small and micro enterprises are out of scope unless one of the additional criteria below applies.
  • Impact on society and the economy – whether an incident could have major repercussions on infrastructure, essential services, or public safety.
  • Interdependencies and critical role – organizations that are the sole provider of an essential service or that contribute to the functioning of critical infrastructure.

Additional criteria that bring organizations in scope

Some organizations fall within the scope of the directive even if they do not meet the size criteria above, because their activities play an essential role in the economy and society. According to Article 2(2) of the directive, NIS2 applies regardless of size when the entity:

  • provides public electronic communications networks or publicly available electronic communications services
  • is a trust service provider
  • is a top-level domain name registry or a DNS service provider
  • is the sole provider in a Member State of a service that is essential for the maintenance of critical societal or economic activities
  • provides a service whose disruption could have a significant impact on public safety, public security, or public health
  • provides a service whose disruption could induce significant systemic risk, in particular in sectors where the effects may be felt in other Member States
  • is considered critical because of its specific importance at national or regional level for the sector, the type of service, or other interdependent sectors in the Member State
  • is a public administration entity of central government or at regional level, as defined by the Member State, which, following a risk-based assessment, provides services whose disruption could have a significant impact on critical societal or economic activities

Does NIS2 apply to small businesses?

The size thresholds used by NIS2 follow the EU definition of small and medium-sized enterprises (Recommendation 2003/361/EC), which allows requirements to be matched to the resources available:
  • Large organizations have at least 250 employees, or an annual turnover above €50 million and a balance sheet total above €43 million.
  • Medium organizations have at least 50 employees, or an annual turnover and a balance sheet total above €10 million.
  • Small and micro organizations have fewer than 50 employees and an annual turnover or balance sheet total of €10 million or less.
In general, the NIS2 Directive does not apply to small and micro-enterprises, but there are important exceptions. Such organizations fall within scope regardless of size if they meet one of the additional criteria outlined above. Note also that, because the thresholds come from the SME Recommendation, the headcount and financial figures of partner and linked enterprises can count toward them, so a small subsidiary of a larger group should not assume it is out of scope.

Does NIS2 apply to non-EU companies?

The NIS2 Directive can also reach non-EU organizations, but only under specific conditions. The directive applies to entities that provide services or carry out activities in the EU, and jurisdiction normally follows the Member State in which the entity is established. For certain digital services, however, jurisdiction follows the place where the service is offered: DNS service providers, top-level domain name registries, domain name registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, and providers of online marketplaces, online search engines, and social networking platforms that are not established in the EU but offer services there must designate a representative in one of the Member States in which they operate, and they fall under that Member State's jurisdiction. Other non-EU companies are affected indirectly: EU entities in scope must manage the security of their supply chain, including their suppliers and service providers, so a non-EU vendor serving clients in sectors such as healthcare, finance, utilities, or digital infrastructure can expect NIS2-derived requirements (security measures, incident notification, audit rights) to be passed down through contracts. Meeting those requirements is in practice a condition for continuing to deliver services within the EU and aligns the supplier with European cybersecurity standards.

How can I check if my organization falls under NIS2?

Work through the criteria in order: first check whether the activity falls within a sector of Annex I or Annex II, then whether the organization meets the medium-size threshold (at least 50 employees, or more than €10 million in annual turnover and balance sheet total), and finally whether any of the additional criteria of Article 2(2) applies regardless of size. If your organization is an essential or important entity on that basis, or if it does not meet the size threshold but its activities meet at least one of the additional criteria mentioned above, it must comply with the NIS2 requirements, including providing its identifying details to the national competent authority, which maintains the list of essential and important entities under the national law transposing the directive.