
Is your company under the NIS 2 scope?

Written by Maiky | Jun 30, 2025 11:03:36 AM

What is NIS 2, and why does it matter now?

The Network and Information System (NIS) 2 directive is the European Union's latest initiative to strengthen cybersecurity across member states. It builds on the original NIS Directive introduced in 2016. This update is especially relevant today, given the rising number of cyberattacks in Europe, which has highlighted the need for a more structured and unified response.



NIS 2 aims to mitigate these risks by establishing a standardized framework for addressing cybersecurity threats across the entire EU. To achieve this, the updated directive expands its scope, adding more sectors and subsectors, categorized into high criticality and other critical sectors.

What sectors are in the NIS 2 scope?

Below is a comprehensive list of the sectors in scope:

HIGH CRITICALITY SECTORS

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

OTHER CRITICAL SECTORS

  • Postal and courier
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital providers
  • Research

Why is scope determination so complex?

Within these sectors, organizations fall into one of three categories:

1. Not in scope
2. Important entity
3. Essential entity

While the directive outlines compliance requirements, determining whether your company is in scope can be challenging, especially when trying to distinguish between an important and an essential entity.

Key inclusion criteria

To fall under the scope of NIS 2, your organization must:

  • provide a service or carry out activities within the European Union
  • operate in one of the critical sectors listed above
  • be a medium-sized or large organization

Essential entities include:

  • large enterprises operating in a critical sector
  • DNS service providers
  • trust service providers
  • public administration bodies
  • public electronic communication networks
  • any critical entity under the CER directive (2022/2557)
  • additional entities as specified by individual EU member states

Important entities include:

  • organizations that meet the scope criteria but do not qualify as essential.

Organization size threshold

Understanding your company’s size category is key to scope determination:

  Size        | Employees (FTE) | Turnover OR balance sheet total
  Small/Micro | Fewer than 50   | Below €10 million
  Medium      | 50–249          | Over €10 million OR €43 million
  Large       | 250+            | Over €50 million AND €43 million

For important entities, meeting just one of the financial or employee thresholds is enough to be in scope. This does not automatically make them essential entities.

Monitoring differences:

  • Important entities are monitored ex post (after the fact, when non-compliance is suspected).
  • Essential entities are monitored ex ante (must proactively demonstrate compliance).

To help visualize the scope, see the image below:

In scope? Here is what to do next


Once companies have determined whether they are in scope, and whether they are an essential or an important entity, it is time to act.

1. Check national legislation

  • Each EU country is responsible for transposing the NIS 2 Directive into national law, with its own registration deadlines and requirements. In most cases, companies will have 12 months to comply before their first audit.

2. Understand incident reporting deadlines

  • Under the NIS 2 directive, entities must report significant cybersecurity incidents:
    • an initial report within 24 hours;
    • a more comprehensive report on critical incidents within 72 hours.
  • However, member states can impose stricter requirements, as seen in Cyprus, where the initial report must be made within 6 hours (see section 3, "ΚΟΙΝΟΠΟΙΗΣΗ ΠΕΡΙΣΤΑΤΙΚΩΝ" (Incident Notification), of the Cyprus NIS2 Guide).

3. Be aware of local variations

  • The definition of critical incidents may vary by country. Some states, like the Czech Republic, have introduced multi-tiered incident classification. This means the same event may trigger different obligations depending on location.

4. Start strengthening your security posture

Even before local legislation is finalized, enhancing cybersecurity maturity is essential. You can start by:

  • adopting a recognised standard like ISO 27001 as a starting point;
  • conducting risk assessments to identify vulnerabilities;
  • implementing robust security measures such as encryption, access controls, and incident response plans;
  • training employees on cybersecurity awareness and best practices.

Why start preparing now?

Determining whether your business is under the NIS 2 compliance scope may feel overwhelming, but delaying can be costly.

While many EU countries are still finalizing their legislation, the directive is already in force, and non-compliance can result in severe fines. In some cases, executives may be held personally liable for cybersecurity failures.

By proactively assessing your organization’s eligibility and obligations under NIS 2, you will be ahead of the curve, both in terms of compliance and cybersecurity maturity.