does-nis-2-apply-to-your-organisation-5-step-scope-guide
  • NIS 2
  • 10th Jul 2026
  • 1 min read

Does NIS 2 Apply to Your Organisation? 5-Step Scope Guide

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short...
  • Size still catches you: medium-sized organisations (50 to 249 employees, or turnover up to €50 million) fall into scope alongside large operators once they sit in a covered sector.
  • Sector determines everything: Annex I holds 11 high-criticality sub-sectors that produce essential entities; Annex II holds 7 further critical sectors that produce important entities.
  • UK headquarters keep EU exposure in scope: any EU client, subsidiary, or data flow brings that activity under NIS 2, regardless of where the parent company sits.
  • Classification changes your supervisory intensity: essential entities face proactive audits, important entities reactive review, though core security duties are identical for both.
  • Exceptions catch some organisations regardless of size: sole providers, entities with significant cross-border impact, and organisations designated critical under the CER Directive can fall into scope even as a small business.

NIS 2 (the EU's Network and Information Security Directive 2, Directive (EU) 2022/2555) applies to your organisation if you sit in one of 18 covered sectors and meet a modest size threshold, usually 50 or more employees or turnover above €10 million. That's a lower bar than most mid-sized firms assume, and it means your sector and size decide whether you're in scope, regardless of your public profile. Classification as an essential or important entity then determines how you're supervised. This guide walks through the five checks that settle the question: sector, size, EU presence, classification, and exceptions.

Expert View

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

What our experts say about the size threshold catching mid-sized firms

 

"Most scope conversations stall on sector questions when the real trip-wire is size. We see 60-person firms assume NIS 2 is for critical infrastructure giants, then realise a single EU client pulls their whole delivery chain into scope. Map supply chain exposure alongside your own footprint from day one."

 

The Assumption That Costs Mid-Sized Teams Time

The assumption we hear most often from mid-sized organisations sounds like this: "NIS 2 is for the big players. We're not a critical national infrastructure operator. It probably doesn't apply to us." That assumption is wrong, and it's already costing some teams the time they don't have to spare.

 

Member states transposed NIS 2 into national law by 17 October 2024. For most in-scope organisations, it's already a live obligation today.

 

NIS 2 is a significant expansion of the original NIS Directive, and pulling medium-sized organisations into scope was one of its deliberate design choices. The Directive covers 18 sectors and uses a size-threshold model that catches far more organisations than most compliance teams realise.

 

Size determines your classification, essential or important; sector determines whether you're covered at all. The rest of this guide walks through the five questions that settle your position.

Step 1: Check Whether You Sit in a Covered Sector

NIS 2 organises covered sectors into two annexes. Your first job is checking whether your organisation appears in either one.

 

Annex I: High-Criticality Sectors

These are the sub-sectors the Directive treats as most critical to societal and economic function:

  1. Energy (electricity, gas, oil, hydrogen, district heating and cooling)
  2. Transport (air, rail, water, road)
  3. Banking
  4. Financial market infrastructure
  5. Health (hospitals, pharmaceutical manufacturers, medical device makers, research labs)
  6. Drinking water
  7. Wastewater
  8. Digital infrastructure (cloud providers, data centres, DNS, CDNs, trust service providers)
  9. ICT service management, including managed service providers (MSPs) and managed security service providers (MSSPs)
  10. Public administration
  11. Space (ground-based infrastructure)

Annex II: Other Critical Sectors

These sectors carry the same compliance obligations, but sit in a second tier for classification purposes:

  1. Postal and courier services
  2. Waste management, where it's the principal economic activity
  3. Chemicals (manufacture, production, distribution)
  4. Food (wholesale distribution, industrial production and processing)
  5. Manufacturing: medical devices, electronics, electrical equipment, machinery, motor vehicles, other transport equipment
  6. Digital providers: online marketplaces, search engines, social networking platforms
  7. Research organisations

Your sector sets the ceiling on your obligations. If it doesn't appear in either annex, you're out of scope and the rest of this guide won't apply to you; if it does, move to step two. One nuance worth flagging early: a handful of digital infrastructure sub-sectors, including qualified trust service providers, DNS service providers, and TLD name registries, are in scope regardless of size. For those, skip ahead to step three.

Step 2: Check Whether You Meet the Size Threshold

This is where the ‘large operators only’ myth falls apart. NIS 2 uses the EU's standard enterprise size definitions:

 

Entity size

Employees

Annual turnover

Microenterprise

Fewer than 10

Up to €2 million

Small enterprise

Fewer than 50

Up to €10 million

Medium enterprise

50 to 249

Up to €50 million

Large enterprise

250 or more

Over €50 million

 

Micro and small enterprises generally sit outside NIS 2's scope. Medium and large enterprises in covered sectors sit inside it.

 

The size test uses ‘or’ logic on employees and turnover: meeting one criterion, 50 or more employees, or turnover exceeding €10 million, is enough to move you past the small-enterprise threshold. You don't need both. (The EU's enterprise-size test also allows an annual balance-sheet total as an alternative to turnover; most mid-sized firms clear the employee count anyway, so this rarely changes the answer.)

 

What this looks like in practice: a regional managed security service provider with 60 employees and €8 million turnover is in scope. An e-commerce logistics business with 120 employees and €15 million turnover is in scope. A pharmaceutical research firm with 55 employees is in scope, regardless of turnover.

Each of these is a mid-sized enterprise operating in a covered sector, exactly the profile NIS 2 was designed to catch.

 

One more detail on size: the thresholds apply to your organisation as a standalone entity, though group ownership can change the answer. A subsidiary that would be small on its own may be treated as medium or large if a qualifying parent owns it.

Step 3: Check Whether Your EU Presence Matters

NIS 2 is an EU Directive. It applies to organisations that provide services within the EU, including those headquartered outside it.

 

If your organisation is based in the UK but provides services into EU member states, the Directive reaches those operations. EU-based customers, EU-based subsidiaries, or services delivered to EU-regulated clients can all create a NIS 2 obligation.

 

Post-Brexit, the picture carries an extra layer for UK-headquartered organisations. The UK isn't implementing NIS 2 directly; instead, government has signalled updates to the UK's own NIS Regulations. Your EU operations, EU clients, or EU data flows still fall under the Directive, wherever your headquarters sits.

 

Practical rule: if you have an EU entity, serve EU-regulated customers, or operate infrastructure in EU member states, treat NIS 2 as applicable to those activities and assess your obligations under the relevant member state's transposition. For purely UK-based operations with no EU presence, track the UK NIS Regulations separately; the scope and thresholds are similar but not identical.

Step 4: Check Your Classification, Essential or Important

Once you clear steps one through three, the next question is how you're classified. NIS 2 distinguishes between two types of in-scope entity under Article 2, and the distinction shapes both your obligations and the penalties you face.

 

Essential Entities

Large enterprises (250 or more employees, or over €50 million turnover) operating in Annex I sectors are classified as essential entities. These organisations face proactive, ex-ante supervision: regulators can audit them without waiting for an incident.

 

Important Entities

Medium enterprises in Annex I sectors, plus medium and large enterprises in Annex II sectors, are classified as important entities. Supervision here is reactive, or ex-post: regulators act following an incident or complaint, rather than running routine proactive audits.

 

The core security obligations are identical for both classifications: risk management and supply chain security under Article 21, incident reporting under Article 23, and management-body governance under Article 20. What differs is supervisory intensity and the penalty ceiling under Article 34:

 

Classification

Supervisory model

Maximum fine

Essential entity

Proactive (ex-ante)

€10 million or 2% of global turnover, whichever is higher

Important entity

Reactive (ex-post)

€7 million or 1.4% of global turnover, whichever is higher

 

Important-entity classification lowers your odds of an unprompted audit; it carries the same underlying security duties as essential-entity status. The moment an incident occurs, you're subject to the same scrutiny as an essential entity. Preparing as if you were essential is the safer posture.

Step 5: Check the Exceptions

The size-threshold rule has genuine exceptions under Article 2(2) of the Directive. Some organisations fall into scope even at small or micro size.

 

Member states can designate any entity as essential or important regardless of size, on several grounds:

  1. Sole provider: the organisation is the only provider, in that member state, of a service critical to societal or economic activity.
  2. Significant cross-border impact: a disruption to the organisation's services could have a significant effect across borders.
  3. Critical entity designation: the organisation has been designated a critical entity under the Critical Entities Resilience Directive (the CER Directive, Directive (EU) 2022/2557), which automatically brings it into NIS 2 scope as an essential entity.

Certain digital infrastructure sub-sectors, specifically qualified trust service providers, DNS service providers, and TLD name registries, are in scope regardless of size, as flagged in step one. If you operate in any of those sub-sectors, the standard size threshold offers no protection. Full designation criteria for critical entities sit in the CER Directive, Directive (EU) 2022/2557.

 

The inverse holds too: meeting the size threshold in a covered sector doesn't guarantee you're in scope if your activities within that sector are incidental rather than primary. Waste management, for example, only applies where it's your organisation's principal economic activity.

You're In Scope. What Happens Next

Confirming you're in scope is only the starting point. NIS 2 imposes mandatory obligations on every in-scope entity, whatever your classification. At a minimum, you need to address:

  1. Risk management: documented policies for identifying, assessing, and treating cybersecurity risks across your network and information systems.
  2. Incident reporting: a process for reporting significant incidents to your national competent authority. Article 23 sets a 24-hour early warning, a 72-hour incident notification with an initial severity assessment, and a final report due within one month.
  3. Supply chain security: assessment of the cybersecurity posture of your key suppliers and service providers. NIS 2 explicitly extends obligations upstream.
  4. Governance and accountability: management bodies carry personal responsibility for approving and overseeing cybersecurity measures. IT can support this work; it can't own it alone.
  5. Business continuity: plans for maintaining operations during and after a significant incident.

Most mid-sized organisations already understand what NIS 2 requires. Building the evidence that they've done it, and keeping that evidence current as the environment shifts, is where the real cost sits. A spreadsheet-and-email approach struggles to keep pace with a moving regulatory target; treating this as an ongoing execution challenge is what separates teams that stay ready from teams that scramble.

 

SureCloud's Business Continuity & Resilience module is built around exactly this. Aligned to DORA, NIS 2, and ISO 22301, it turns scattered plans and evidence into one auditable system that management can sign off on with confidence. For the broader picture of what's required once you're in scope, our NIS 2 Compliance: The Complete Guide for Essential and Important Entities covers risk management, incident reporting timelines, supply chain obligations, and governance accountability in full. And if you'd rather see the structured route through all of this than build it yourself, SureCloud's NIS 2 compliance framework lays out the same path start to finish.

 

The organisations that struggle with NIS 2 are rarely the ones that misread the Directive. They're the ones that did the scoping work, filed the answer away, and mistook that certainty for preparation. Scope is a snapshot; staying in scope safely is an ongoing practice.

Turn Your NIS 2 Scope Check Into an Audit-Ready Programme

Once you've confirmed you're in scope, Gracie AI Agents with Personas and Skills keeps your NIS 2 risk register, incident evidence, and supply chain assessments in one auditable system, cutting manual evidence collection by 50 to 65%.
Related articles:
  • NIS 2
  • Cyber Security

NIS2 Compliance Software: From Directive to Execution 2026

  • Compliance Management
  • Cyber Security

The UK Cyber Security and Resilience Bill: What It Means in Practice

  • NIS 2

NIS2 Compliance Software: 3 Gaps Spreadsheets Miss

Share this article

FAQ’s

Does NIS 2 only apply to large organisations?

No. NIS 2 catches medium-sized organisations too, once they operate in a covered sector and meet the size threshold. In some sectors, certain entities are in scope regardless of size. Medium-sized organisations face the same core obligations as their larger counterparts, just under a different supervisory model.

Which sectors are covered by NIS 2?

Eighteen sectors, split across two annexes. Annex I covers 11 high-criticality sub-sectors, including energy, transport, banking, health, water, digital infrastructure, and public administration. Annex II covers 7 other critical sectors, including postal services, waste management, chemicals, food, manufacturing, and digital providers such as online marketplaces and search engines.

What size counts as medium under NIS 2?

50 to 249 employees, or turnover up to €50 million, using the EU's standard enterprise-size definitions. The threshold uses ‘or’ logic on employees and turnover, so you only need to meet one to qualify, not both. A balance-sheet-total test also applies as an alternative to turnover in edge cases.

Does being based in the UK change anything?

Only partly. NIS 2 applies to services provided within the EU, covering organisations headquartered elsewhere too. If you have EU operations, EU clients, or EU data flows, those activities fall under NIS 2 wherever your head office sits. Purely UK-based operations should track the UK's own NIS Regulations separately.

What happens if my organisation is in scope?

You take on mandatory obligations covering risk management, incident reporting, supply chain security, governance accountability, and business continuity planning. Incident reporting under Article 23 means a 24-hour early warning, a 72-hour incident notification with an initial assessment, and a final report within one month. Classification as essential or important changes only the supervisory model; the underlying obligations stay the same.

Can a small business still fall under NIS 2?

Yes, in specific cases. Member states can designate any organisation as essential or important regardless of size if it's a sole service provider, its disruption would have significant cross-border impact, or it's already designated a critical entity under the CER Directive. Certain digital infrastructure sub-sectors, including DNS providers and TLD registries, are in scope regardless of size by default.