• NIS2
  • Compliance
  • Classification

NIS2: essential or important entity? The classification test explained

How to determine whether your company is an essential or important entity under NIS2: Annex I and II sectors, size thresholds, size-independent special cases, and what classification actually changes (supervision, penalties, reporting).

Komplyo3 min read

The first NIS2 question is not "which measures do we need?" but "are we in scope, and under which status?". The NIS2 directive distinguishes two statuses — essential entity and important entity — and that status determines your supervision regime, the ceiling on penalties and, in practice, how urgent your compliance work is.

This guide walks through the classification test step by step. It complements our general NIS2 guide for SMEs.

Step 1 — Is your sector listed in the annexes?

NIS2 applies by sector, listed in two annexes:

  • Annex I (sectors of high criticality): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (DNS, cloud, data centres, content delivery networks…), ICT service management (managed service providers and managed security service providers), public administration, space.
  • Annex II (other critical sectors): postal services, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, vehicles…), digital providers (online marketplaces, search engines, social networks), research.

If your activity falls under neither annex, you are outside the direct scope — but your regulated customers will pass their requirements down to you through Article 21 (supply-chain security).

Step 2 — The size threshold

The general rule (the "size cap"): NIS2 targets medium and large enterprises in the listed sectors, meaning from 50 employees or €10M annual turnover upward.

  • Large enterprise (≥ 250 employees, or > €50M turnover and > €43M balance sheet) in an Annex I sector → essential entity.
  • Medium enterprise (50–249 employees) in an Annex I sector → important entity, unless an exception moves it up to essential.
  • Medium or large enterprise in an Annex II sector → important entity.

Step 3 — Special cases that ignore size

Some activities are covered regardless of size: DNS service providers and top-level-domain name registries, trust service providers, providers of public electronic communications networks or services, and any entity a Member State designates as critical (sole provider of an essential service, potential systemic impact…).

In France, ANSSI offers an online scope test, MonEspaceNIS2, which applies the national transposition — the up-to-date reference for settling your case. Other Member States run equivalent registration portals.

What classification actually changes

The Article 21 measures are the same for both statuses. What differs:

  • Supervision: essential entities are supervised ex ante (proactive audits, inspections); important entities ex post (the authority acts on evidence of non-compliance).
  • Penalties: up to €10M or 2% of worldwide turnover for essential entities; €7M or 1.4% for important ones.
  • Management accountability: in both cases, management bodies must approve the measures, oversee their implementation and receive training — compliance cannot be fully delegated.

Incident-reporting obligations (24-hour early warning, 72-hour notification, final report within one month) apply to both statuses.

Document your classification

Whether you land on essential, important or out of scope, the conclusion deserves to be written down and justified: it is the first document a customer, an insurer or an authority will ask for. The memo should record the sector assessed, headcount and financial data, the special cases you examined and the conclusion — dated and signed.

That is exactly what Komplyo produces: our assessment includes a NIS2 classification questionnaire and generates the corresponding scope memo, alongside the Article 21 coverage table and the 24h/72h notification procedures. The free NIS2 diagnostic is the right starting point: within minutes you know where you stand — and what remains to be done.