NIS2 — GUIDE
NIS2 essential vs important entities — Annex I, Annex II, thresholds and supervision
NIS2 (Directive (EU) 2022/2555) splits in-scope organisations into two regimes: 'essential' and 'important'. The same risk-management and incident-reporting duties apply to both, but the supervisory and penalty regimes differ. This page walks through Article 3 (the size-cap rule), the size-agnostic exceptions, and the supervisory split between Article 32 (essential, ex-ante) and Article 33 (important, ex-post).
The basic rule — Article 3(1) and (2)
Article 3(1)(a) classifies as essential entities those of a type referred to in Annex I that exceed the ceilings for medium-sized enterprises provided for in Article 2(1) of the Annex to Commission Recommendation 2003/361/EC. Points (b) to (g) of Article 3(1) add categories that are essential without that size test.
Article 3(2) classifies as important entities those of a type referred to in Annex I or Annex II that do not qualify as essential entities under Article 3(1). This presupposes that the entity is in scope at all: Article 2(1) limits the directive to Annex I/II entities that are at least medium-sized, unless one of the size-agnostic grounds in Article 2(2) to (4) applies.
In practice this means: take the sector (Annex I or II), then apply the size bands from Recommendation 2003/361/EC. A medium-sized enterprise has fewer than 250 staff and an annual turnover not exceeding EUR 50 million and/or an annual balance-sheet total not exceeding EUR 43 million; a small enterprise has fewer than 50 staff and turnover and/or balance-sheet total not exceeding EUR 10 million. Because the financial tests are joined by 'and/or', an entity exceeds a ceiling on money only when both figures are over it, whereas headcount alone is enough. Annex I and above the medium ceiling → essential. Otherwise, in Annex I or II and at least medium-sized → important. Below the medium floor → out of scope unless a size-agnostic ground applies.
Annex I — sectors of high criticality
Annex I lists the sectors of high criticality, which include:
- Energy — electricity, district heating and cooling, oil, gas, hydrogen.
- Transport — air, rail, water, road.
- Banking.
- Financial market infrastructures.
- Health — healthcare providers, EU reference laboratories, R&D of medicinal products, manufacturers of pharmaceutical preparations and medical devices considered critical during a public-health emergency.
- Drinking water.
- Waste water.
- Digital infrastructure — IXPs, DNS service providers, TLD name registries, cloud-computing service providers, data-centre service providers, content-delivery network providers, trust-service providers, providers of public electronic-communications networks, providers of publicly available electronic-communications services.
- ICT service management (B2B) — managed service providers and managed security service providers.
- Public administration entities of central government and, optionally, regional level.
- Space.
Annex II — other critical sectors
Annex II lists other critical sectors, which include:
- Postal and courier services.
- Waste management.
- Manufacture, production and distribution of chemicals.
- Production, processing and distribution of food.
- Manufacturing — manufacture of medical devices and in-vitro diagnostic medical devices; manufacture of computer, electronic and optical products; manufacture of electrical equipment; manufacture of machinery and equipment n.e.c.; manufacture of motor vehicles, trailers and semi-trailers; manufacture of other transport equipment.
- Digital providers — providers of online marketplaces, online search engines and social-networking-services platforms.
- Research organisations.
Annex II entities at or above the medium-enterprise floor are important unless a size-agnostic ground in Article 3(1) makes them essential. Annex II is never caught by Article 3(1)(a), so even a large Annex II entity is important by default.
The size-agnostic exceptions — Article 3(1)(b)–(g)
Article 3(1) also classifies the following as essential without applying the Annex I size ceiling of point (a):
- qualified trust-service providers, TLD name registries and DNS service providers, regardless of their size;
- providers of public electronic-communications networks or of publicly available electronic-communications services which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC (large ones are already essential under point (a); small and micro ones are in scope under Article 2(2)(a) and fall to important under Article 3(2));
- public administration entities of central government as defined by a Member State in accordance with national law;
- any other entity of a type referred to in Annex I or II that a Member State identifies as an essential entity pursuant to Article 2(2)(b) to (e);
- entities identified as critical entities under Directive (EU) 2022/2557 (CER Directive);
- if the Member State so provides, entities it identified before 16 January 2023 as operators of essential services under Directive (EU) 2016/1148 (NIS1) or national law.
Article 2(2)(b) to (e) let a Member State bring an Annex I/II entity into scope regardless of its size where it is the sole provider in that Member State of a service essential for the maintenance of critical societal or economic activities, where disruption of its service could significantly affect public safety, public security or public health, where disruption could induce significant systemic risk (in particular with cross-border impact), or where the entity is critical because of its specific importance at national or regional level. Such an entity is essential only if the Member State identifies it as essential under Article 3(1)(e); otherwise it is important under Article 3(2).
Supervisory regime — essential vs important
- Essential entities — Article 32 ex-ante supervision. Competent authorities can act without any trigger: on-site inspections and off-site supervision, including random checks, regular and targeted security audits, ad-hoc audits, security scans, requests for information needed to assess the entity's cybersecurity measures, and requests for access to data, documents and information.
- Important entities — Article 33 ex-post supervision. Competent authorities act only when provided with evidence, indication or information that an important entity allegedly does not comply with the directive. The toolkit is similar to Article 32, but it is triggered after the fact rather than exercised routinely.
Penalties — Article 34
- Essential entities — Article 34(4): administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
- Important entities — Article 34(5): administrative fines of a maximum of at least EUR 7 000 000 or of a maximum of at least 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
- Top-management accountability — Article 20. Under Article 20(1) the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken to comply with Article 21, oversee their implementation and can be held liable for infringements of Article 21 by the entity. Articles 32(6) and 33(5) add that natural persons who represent, take decisions for or control an essential or important entity must have the power to ensure its compliance and can be held liable for breach of their duties. Under Article 20(2), members of the management body must follow training and should encourage similar training for their employees on a regular basis. One asymmetry between the regimes: for essential entities only, Article 32(5)(b) lets the authority request that the relevant body or court temporarily prohibit a person with managerial responsibility at CEO or legal-representative level from exercising managerial functions in that entity.
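The Article 3 steps above (sector, size band, size-agnostic grounds) and the Article 34 fine floors, pulled together as a decision procedure. This is an added worked example for this guide, not text from the directive or tooling from any authority: the ground labels (such as `qualified_tsp_tld_or_dns`), the `Entity` fields and the sample organisations are constructed; the thresholds follow Article 2 of the Annex to Recommendation 2003/361/EC and NIS2 Articles 2, 3 and 34. The samples deliberately include the two cases practitioners most often get wrong: a 40-person entity that is nonetheless "large" because both financial figures exceed the ceilings, and a EUR 300 million marketplace that is still "medium" because its balance-sheet total is under EUR 43 million.

```python
"""NIS2 Article 3 classification, written as a worked example for this guide.
Not the directive's text nor any authority's tool. Thresholds follow Article 2
of the Annex to Recommendation 2003/361/EC and NIS2 Articles 2, 3 and 34; the
ground labels and the sample entities below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

M = 1_000_000  # EUR


class Size(Enum):
    BELOW_MEDIUM = "micro/small"   # under the Article 2(1) size floor
    MEDIUM = "medium"
    LARGE = "large"                # exceeds the medium-enterprise ceilings


class Regime(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out of scope"


def sme_size(staff: int, turnover_eur: float, balance_sheet_eur: float) -> Size:
    """Recommendation 2003/361/EC, Annex, Article 2:
    medium = fewer than 250 staff AND (turnover <= 50M OR balance sheet <= 43M)
    small  = fewer than  50 staff AND (turnover <= 10M OR balance sheet <= 10M)
    Headcount alone moves an entity up a band; on money, BOTH figures must
    exceed their ceilings (the Recommendation's 'and/or')."""
    if staff >= 250 or (turnover_eur > 50 * M and balance_sheet_eur > 43 * M):
        return Size.LARGE
    if staff < 50 and (turnover_eur <= 10 * M or balance_sheet_eur <= 10 * M):
        return Size.BELOW_MEDIUM
    return Size.MEDIUM


# Size-agnostic grounds. Keys are labels invented for this example; values name
# the provision that makes the entity essential.
ESSENTIAL_GROUNDS = {
    "qualified_tsp_tld_or_dns": "Art. 3(1)(b)",
    "central_government": "Art. 3(1)(d)",
    "ms_designated_essential": "Art. 3(1)(e) via Art. 2(2)(b)-(e)",
    "cer_critical_entity": "Art. 3(1)(f) via Art. 2(3)",
    "grandfathered_oes": "Art. 3(1)(g), if the Member State so provides",
}
# Grounds that bring an entity into scope regardless of size (Article 2(2))
# without making it essential; such entities are important under Art. 3(2).
IN_SCOPE_REGARDLESS_OF_SIZE = {
    "public_ecn_or_ecs",       # Art. 2(2)(a)(i); medium-sized ones are essential, Art. 3(1)(c)
    "trust_service_provider",  # Art. 2(2)(a)(ii), non-qualified
    "ms_designated_in_scope",  # Art. 2(2)(b)-(e) without an essential designation
}


@dataclass
class Entity:
    name: str
    annex: Optional[int]      # 1 or 2 for an Annex I/II entity type, else None
    staff: int
    turnover_eur: float
    balance_sheet_eur: float
    grounds: frozenset = frozenset()   # labels from the two tables above


def classify(e: Entity) -> tuple:
    """Apply Article 3 in the order of its provisions; returns (Regime, basis)."""
    if e.annex not in (1, 2):
        return Regime.OUT_OF_SCOPE, "not an entity type listed in Annex I or II"
    size = sme_size(e.staff, e.turnover_eur, e.balance_sheet_eur)
    # Art. 3(1)(a): Annex I type above the medium ceiling. Annex II never qualifies here.
    if e.annex == 1 and size is Size.LARGE:
        return Regime.ESSENTIAL, "Art. 3(1)(a)"
    # Art. 3(1)(c): medium-sized public e-comms providers are essential; large ones
    # were caught by (a) above, micro/small ones fall through to important.
    if "public_ecn_or_ecs" in e.grounds and size is Size.MEDIUM:
        return Regime.ESSENTIAL, "Art. 3(1)(c)"
    for ground, basis in ESSENTIAL_GROUNDS.items():
        if ground in e.grounds:
            return Regime.ESSENTIAL, basis
    # Art. 3(2): every remaining Annex I/II type that is in scope is important.
    if size is not Size.BELOW_MEDIUM or e.grounds & IN_SCOPE_REGARDLESS_OF_SIZE:
        return Regime.IMPORTANT, f"Art. 3(2), {size.value}"
    return Regime.OUT_OF_SCOPE, "below the Art. 2(1) size floor, no size-agnostic ground"


def fine_ceiling_eur(regime: Regime, group_turnover_eur: float) -> float:
    """Article 34(4)/(5): the lowest maximum fine a Member State must provide for."""
    if regime is Regime.ESSENTIAL:
        return max(10 * M, 0.02 * group_turnover_eur)
    if regime is Regime.IMPORTANT:
        return max(7 * M, 0.014 * group_turnover_eur)
    return 0.0


SAMPLE_ENTITIES = [  # constructed for this example, not real organisations
    Entity("University hospital", 1, 4_000, 600 * M, 900 * M),
    Entity("Recursive DNS provider", 1, 12, 1.5 * M, 1 * M, frozenset({"qualified_tsp_tld_or_dns"})),
    Entity("Regional ISP", 1, 120, 20 * M, 15 * M, frozenset({"public_ecn_or_ecs"})),
    Entity("Village fibre co-op", 1, 8, 0.9 * M, 2 * M, frozenset({"public_ecn_or_ecs"})),
    Entity("Food group", 2, 900, 700 * M, 400 * M),
    Entity("Chemicals plant", 2, 40, 60 * M, 50 * M),       # few staff, both money figures over cap
    Entity("Online marketplace", 2, 200, 300 * M, 20 * M),  # one money figure under cap: still medium
    Entity("Chemicals SME", 2, 40, 8 * M, 6 * M),
]


def classify_all(entities=SAMPLE_ENTITIES) -> dict:
    return {e.name: classify(e) for e in entities}


if __name__ == "__main__":
    for name, (regime, basis) in classify_all().items():
        print(f"{name:24s} {regime.value:12s} {basis}")
```

Run it and the two edge cases show up as "Chemicals plant ... Art. 3(2), large" and "Online marketplace ... Art. 3(2), medium": Annex II entities are important however big they are, and a single financial figure under its ceiling keeps an entity in the medium band. The `grounds` set is where a national transposition plugs in: designations under Article 2(2) and the Article 3(1)(g) grandfathering depend on the Member State, so populate those labels from the national register rather than from the entity's own self-assessment.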
Same duties, different supervision
Both essential and important entities are subject to the same substantive obligations: cybersecurity risk-management measures under Article 21 (the minimum set in Article 21(2), from risk-analysis and incident-handling policies through supply-chain security and cryptography to multi-factor authentication) and incident reporting under Article 23 (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, a final report within one month of the notification, with intermediate status reports on request). The difference lies in how the competent authority can act on them.
Common misconceptions
- “Important means optional.” Important entities are fully in scope. They face ex-post supervision rather than routine ex-ante audits.
- “Under 50 staff means out of scope.” Several Article 3(1) categories are size-agnostic: qualified trust-service providers, TLD name registries and DNS service providers, central-government public administration, entities identified as critical under the CER Directive, and entities a Member State identifies under Article 2(2)(b) to (e). Providers of public electronic-communications networks or services are also in scope whatever their size (Article 2(2)(a)), as important entities when below medium size.
- “NIS2 only applies to entities established in the EU.” Article 26 sets out jurisdiction and territoriality. DNS service providers, TLD name registries, entities providing domain-name registration services, cloud, data-centre, CDN, managed service and managed security service providers, and providers of online marketplaces, search engines and social-networking platforms fall under the jurisdiction of the Member State where they have their main establishment in the Union; a provider of those types that is not established in the Union but offers services in it must designate a representative there (Article 26(3)). Providers of public electronic-communications networks or services fall under the jurisdiction of the Member State in which they provide their services.
- “Only the IT department is liable.” Article 20(1) makes the management body responsible for approving and overseeing risk-management measures, with personal accountability.
Related EU guides
- EU AI Act timeline for deployers
- EU AI Act enforcement — who supervises and how
- Human oversight — Article 14
- Record-keeping & logging — Article 12
- Data governance & bias testing — Article 10
Sources
- Directive (EU) 2022/2555 (NIS2), Articles 2, 3, 20, 21, 23, 26, 32, 33, 34; Annex I; Annex II — EUR-Lex: eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Recommendation 2003/361/EC (SME definition) — EUR-Lex: eur-lex.europa.eu/eli/reco/2003/361/oj
- ENISA — NIS2 Directive overview: enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
Note: NIS2 is a directive: actual scope, designations under Article 2(2), enforcement bodies and penalty levels depend on the Member State’s national transposition. Verify with your national NIS authority and your transposition statute before relying on the rule for compliance decisions.
PowerQuant Module 1
AI inventory plus a NIS2 scope-classification record — Annex I or II sector, Article 3 size check, essential / important determination — useful where AI Act and NIS2 overlap on the same HR-tech or platform system. Delivered in 5 working days. Fixed fee, no subscription.