I remember sitting across from a client last autumn, a cybersecurity lead at a midsized energy firm, when they leaned forward and asked, “So, who exactly falls under NIS2? Are we really in scope?” That moment perfectly captures the uncertainty many companies face as they grapple with the NIS2 Directive — Europe’s new, far-reaching update to its cybersecurity framework.
Without further ado, let’s break down the NIS2 sectors, the scope of application, and what companies should prepare for to stay compliant.
Understanding the NIS2 directive scope: why it matters
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s answer to the growing cyber threat landscape. It replaces the original NIS Directive, expanding both the sectors covered and the depth of obligations. The goal? To strengthen the overall cybersecurity posture across critical sectors that are foundational to the EU’s economy and society.
But what does NIS2 apply to, exactly? The directive applies to two main categories of entities: essential entities and important entities. Essential entities face stricter oversight due to the critical nature of their services, while important entities must comply with security and reporting rules but with somewhat lighter supervisory measures.
What makes NIS2 particularly transformative is its reach: it applies not just to large enterprises, but to many medium-sized firms as well. To grasp this, we need to explore the NIS2 scope of application in detail.
Mapping the NIS2 sectors: essential and important entities
To understand the regulatory sweep, it’s useful to break down the sectors affected by NIS2. This includes both traditional critical infrastructure and sectors newly brought under regulation.
The table below summarizes the NIS2 sectors list and how they are classified:
| Sector category | Examples of essential entities | Examples of important entities |
|---|---|---|
| Energy | Electricity, district heating, gas, oil | Distribution system operators |
| Transport | Air, rail, water, road operators | Freight transport, logistics platforms |
| Banking | Banks, payment service providers | Credit institutions |
| Financial markets | Central counterparties, trading venues | Investment firms |
| Health | Hospitals, healthcare providers, labs | Medical device manufacturers |
| Drinking water | Water suppliers, wastewater management | Water distribution networks |
| Digital infrastructure | DNS providers, cloud services, data centers | Content delivery networks, domain registrars |
| ICT services | Managed service providers, MSPs | Software providers |
| Public administration | Central and regional authorities | Municipalities over 50,000 population |
| Space | Satellite operators, ground-based systems | Space data service providers |
This expanded reach makes NIS2 one of the most comprehensive cybersecurity regulations globally. A full and regularly updated reference can be found in the official text of the directive.
PRO TIP
Maintain a living inventory that maps your business activities to NIS2 sectors. Include third-party functions and outsourced services, especially in IT, logistics, and cloud infrastructure, to identify latent exposures within your operations.
Conducting a NIS2 scope assessment: are you in or out?
Once organizations understand the sectors, the next critical step is determining whether they are directly impacted. This is where the NIS2 scope assessment comes in.
The key criteria hinge on two factors:
- The sector the organization operates in.
- The size threshold: typically, entities with 50+ employees or €10+ million in annual turnover are in scope, though some micro or small enterprises may also fall under NIS2 if they provide critical services.
The following table outlines the typical size thresholds:
| Entity type | Size threshold (employees OR annual turnover) | Note |
|---|---|---|
| Essential entities | ≥ 250 employees OR ≥ €50 million | May still be classified as critical even if below the threshold in some cases |
| Important entities | ≥ 50 employees OR ≥ €10 million | May still be classified as critical even if below the threshold in some cases |
It’s crucial that companies not assume they are exempt just because they’re small. For example, a small water utility providing services to a major metropolitan area may still be classified as critical.
For a detailed breakdown of the NIS2 scope assessment, the European Commission’s explanatory materials are invaluable, such as their Q&A page.
PRO TIP
Use both quantitative (e.g., turnover, employee count) and qualitative (e.g., criticality of service, dependency risk) metrics in your internal NIS2 scope assessment. Entities that don’t meet size thresholds can still be in-scope if they play a key role in critical service delivery.
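The two PRO TIPs above (the living inventory mapping activities to NIS2 sectors, and combining quantitative size thresholds with a qualitative criticality criterion) describe a decision procedure that is easy to get wrong when kept in a spreadsheet. The script below is an added example, not code from the article or from any regulator: it encodes the sector list and the threshold figures exactly as the article's tables state them, adds a criticality flag for entities below threshold, and produces one inventory row per entity including the outsourced functions the first PRO TIP says to track. The `Entity` fields, the function names, the `Scope` labels and the sample organisations are this example's own assumptions; where the article does not say which category a small-but-critical entity lands in, the code flags it for review rather than guessing.

```python
"""Added example: a NIS2 scope-assessment and inventory helper.

Not part of the article. Sector names and threshold figures follow the
article's tables; everything else (field names, Scope labels, the
criticality flag, the sample entities) is this example's own assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    # Below both size thresholds but flagged critical: the article says such
    # entities can still be in scope; the final category is for the national
    # competent authority, so it is flagged for review rather than assigned.
    IN_SCOPE_BY_CRITICALITY = "in scope (below size threshold, critical service)"
    OUT_OF_SCOPE = "out of scope"


# Sector list as given in the article's table (lower-cased for matching).
NIS2_SECTORS = {
    "energy", "transport", "banking", "financial markets", "health",
    "drinking water", "digital infrastructure", "ict services",
    "public administration", "space",
}

# Size thresholds as stated in the article: employees OR annual turnover.
ESSENTIAL_MIN_EMPLOYEES, ESSENTIAL_MIN_TURNOVER_EUR = 250, 50_000_000
IMPORTANT_MIN_EMPLOYEES, IMPORTANT_MIN_TURNOVER_EUR = 50, 10_000_000

# Outsourced function keywords the article singles out as latent exposures.
WATCHED_THIRD_PARTY_WORDS = {"it", "logistics", "cloud", "hosting", "connectivity"}


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    annual_turnover_eur: float
    critical_service: bool = False          # qualitative criterion (assumed field)
    outsourced: list[str] = field(default_factory=list)


def assess_scope(e: Entity) -> tuple[Scope, str]:
    """Return (classification, reason) for one entity, following the article's criteria."""
    if e.sector.strip().lower() not in NIS2_SECTORS:
        return Scope.OUT_OF_SCOPE, "sector not on the NIS2 sector list"
    if (e.employees >= ESSENTIAL_MIN_EMPLOYEES
            or e.annual_turnover_eur >= ESSENTIAL_MIN_TURNOVER_EUR):
        return Scope.ESSENTIAL, "meets the essential-entity size threshold"
    if (e.employees >= IMPORTANT_MIN_EMPLOYEES
            or e.annual_turnover_eur >= IMPORTANT_MIN_TURNOVER_EUR):
        return Scope.IMPORTANT, "meets the important-entity size threshold"
    if e.critical_service:
        return Scope.IN_SCOPE_BY_CRITICALITY, "below size threshold but provides a critical service"
    return Scope.OUT_OF_SCOPE, "below size threshold and no critical-service flag"


def third_party_exposures(e: Entity) -> list[str]:
    """Outsourced functions whose description contains a watched keyword (whole-word match)."""
    return sorted(f for f in e.outsourced
                  if any(w in f.lower().split() for w in WATCHED_THIRD_PARTY_WORDS))


def build_inventory(entities: list[Entity]) -> list[dict]:
    """One 'living inventory' row per entity: sector, scope, reason, third-party exposures."""
    rows = []
    for e in entities:
        scope, reason = assess_scope(e)
        rows.append({"entity": e.name, "sector": e.sector, "scope": scope.value,
                     "reason": reason, "third_party": third_party_exposures(e)})
    return rows


# Constructed sample entities; none of these are real organisations.
SAMPLE_ENTITIES = [
    Entity("Example Grid AG", "Energy", 320, 120_000_000,
           outsourced=["cloud SCADA historian", "payroll"]),
    Entity("Example Softworks", "ICT services", 80, 9_000_000,
           outsourced=["managed hosting"]),
    Entity("Example Waterworks", "Drinking water", 30, 4_000_000,
           critical_service=True, outsourced=["IT helpdesk"]),
    Entity("Example Bakery", "Retail", 600, 90_000_000),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_ENTITIES):
        print(row)
```

Running the script prints the inventory rows: the energy firm is classified essential by size, the software firm important (employee count suffices even though turnover is below €10 million), the small water utility is flagged in scope by criticality for review, and the bakery is out of scope because its sector is not on the list regardless of size.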
The expanding web: NIS2 directive sectors and new entrants
One of the most striking elements of the directive is how it pulls in new NIS2 sectors compared to the original framework. While the first NIS directive largely focused on traditional infrastructure, NIS2 expands to areas like public administration and space, reflecting a broadened view of what counts as critical.
Interestingly, the sectors impacted by NIS2 now include digital service providers such as cloud computing and online marketplaces — entities that were previously left in a regulatory gray zone. This signals a recognition that digital infrastructure is no less critical than physical infrastructure.
The next table gives a snapshot of some of these newly covered sectors:
| Sector | Examples of entities impacted |
|---|---|
| Public administration | Government agencies, municipalities |
| Space | Satellite companies, launch operators |
| Digital services | Cloud providers, data center operators |
PRO TIP
If you’re in a newly added sector—like cloud or digital services—review your supply chain and subcontracting arrangements. Under NIS2, you’re expected to ensure resilience across third-party dependencies, especially those providing hosting, connectivity, or essential IT operations.
Why the NIS2 directive matters: looking beyond compliance
The significance of the NIS2 directive scope isn’t limited to legal compliance — it’s about building cyber resilience. For companies, this means not just checking boxes but embedding cybersecurity into their DNA.
Many firms I’ve worked with initially approached NIS2 as a compliance hurdle, only to realize that strengthening incident response, supply chain risk management, and vulnerability disclosure processes ultimately made them more competitive and trusted in the market.
While the NIS2 critical sectors may face the heaviest burden, the ripple effect reaches well into supply chains and partner networks. This is why the set of sectors affected by NIS2 extends beyond those directly regulated, influencing third parties and vendors who need to demonstrate their own resilience.
Are you ready for the NIS2 era?
As the clock ticks toward implementation deadlines, companies across Europe and beyond are grappling with their place under the NIS2 umbrella. Whether you’re in energy, healthcare, digital infrastructure, or public administration, understanding where you fit into the NIS2 essential and important entities landscape is no longer optional.
My advice? Don’t wait for a regulator to come knocking. Start your NIS2 scope assessment now, lean on resources like ENISA and the European Commission, and consider engaging sector-specific consultants if needed.
If you’re wondering whether you’re truly prepared, here’s a provocative thought: are you treating NIS2 as a regulatory burden or as a competitive advantage? Because in the new cybersecurity era, resilience may just be the ultimate differentiator.