I remember sitting across from a client last autumn, a cybersecurity lead at a midsized energy firm, when they leaned forward and asked, “So, who exactly falls under NIS2? Are we really in scope?” That moment perfectly captures the uncertainty many companies face as they grapple with the NIS2 Directive — Europe’s new, far-reaching update to its cybersecurity framework.
Without further ado, let’s break down the NIS2 sectors, the scope of application, and what companies should prepare for to stay compliant.
Understanding the NIS2 directive scope: why it matters
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s answer to the growing cyber threat landscape. It replaces the original NIS Directive, expanding both the sectors covered and the depth of obligations. The goal? To strengthen the overall cybersecurity posture across critical sectors that are foundational to the EU’s economy and society.
But what does NIS2 apply to, exactly? The directive applies to two main categories of entities: essential entities and important entities. Essential entities face stricter oversight due to the critical nature of their services, while important entities must comply with security and reporting rules but with somewhat lighter supervisory measures.
What makes NIS2 particularly transformative is its reach: it applies not just to large enterprises, but to many medium-sized firms as well. To grasp this, we need to explore the NIS2 scope of application in detail.
Mapping the NIS2 sectors: essential and important entities
To understand the regulatory sweep, it’s useful to break down the sectors affected by NIS2. This includes both traditional critical infrastructure and sectors newly brought under regulation.
The table below summarizes the NIS2 sectors list and how they are classified:
NIS2 essential and important entities by sector

| Sector category | Examples of essential entities | Examples of important entities |
| --- | --- | --- |
| Energy | Electricity, district heating, gas, oil | Distribution system operators |
| Transport | Air, rail, water, road operators | Freight transport, logistics platforms |
| Banking | Banks, payment service providers | Credit institutions |
| Financial markets | Central counterparties, trading venues | Investment firms |
| Health | Hospitals, healthcare providers, labs | Medical device manufacturers |
| Drinking water | Water suppliers, wastewater management | Water distribution networks |
| Digital infrastructure | DNS providers, cloud services, data centers | Content delivery networks, domain registrars |
| ICT services | Managed service providers (MSPs) | Software providers |
| Public administration | Central and regional authorities | Municipalities over 50,000 population |
| Space | Satellite operators, ground-based systems | Space data service providers |
This expanded reach makes NIS2 one of the most comprehensive cybersecurity regulations globally. A full and regularly updated reference can be found in the official text of the directive.
Conducting a NIS2 scope assessment: are you in or out?
Once organizations understand the sectors, the next critical step is determining whether they are directly impacted. This is where the NIS2 scope assessment comes in.
The key criteria hinge on two factors:
- The sector the organization operates in.
- The size threshold: typically, entities with 50+ employees or €10+ million in annual turnover are in scope, though some micro or small enterprises may also fall under NIS2 if they provide critical services.
The following table outlines the typical size thresholds:
Size thresholds for NIS2 application

| Entity type | Size threshold (either criterion suffices) | Exceptions |
| --- | --- | --- |
| Essential entities | ≥ 250 employees OR ≥ €50 million annual turnover | May still be in scope below the threshold where the service is critical |
| Important entities | ≥ 50 employees OR ≥ €10 million annual turnover | May still be in scope below the threshold where the service is critical |
It’s crucial that companies not assume they are exempt just because they’re small. For example, a small water utility providing services to a major metropolitan area may still be classified as critical.
For a detailed breakdown of the NIS2 scope assessment, the European Commission’s explanatory materials, such as its Q&A page, are invaluable.
The expanding web: NIS2 directive sectors and new entrants
One of the most striking elements of the directive is how it pulls in new NIS2 sectors compared to the original framework. While the first NIS directive largely focused on traditional infrastructure, NIS2 expands to areas like public administration and space, reflecting a broadened view of what counts as critical.
Interestingly, NIS2 impacted sectors now include digital service providers such as cloud computing and online marketplaces — entities that were previously left in a regulatory gray zone. This signals a recognition that digital infrastructure is no less critical than physical infrastructure.
The next table gives a snapshot of some of these newly covered sectors:
Newly included NIS2 sectors

| Sector | Examples of entities impacted |
| --- | --- |
| Public administration | Government agencies, municipalities |
| Space | Satellite companies, launch operators |
| Digital services | Cloud providers, data center operators |
Why the NIS2 directive matters: looking beyond compliance
The significance of the NIS2 directive scope isn’t limited to legal compliance — it’s about building cyber resilience. For companies, this means not just checking boxes but embedding cybersecurity into their DNA.
Many firms I’ve worked with initially approached NIS2 as a compliance hurdle, only to realize that strengthening incident response, supply chain risk management, and vulnerability disclosure processes ultimately made them more competitive and trusted in the market.
While the NIS2 critical sectors may face the heaviest burden, the ripple effect reaches well into supply chains and partner networks. This is why the notion of NIS2 affected sectors extends beyond direct regulation, influencing third parties and vendors who need to demonstrate their own resilience.
Are you ready for the NIS2 era?
As the clock ticks toward implementation deadlines, companies across Europe and beyond are grappling with their place under the NIS2 umbrella. Whether you’re in energy, healthcare, digital infrastructure, or public administration, understanding where you fit into the NIS2 essential and important entities landscape is no longer optional.
My advice? Don’t wait for a regulator to come knocking. Start your NIS2 scope assessment now, lean on resources like ENISA and the European Commission, and consider engaging sector-specific consultants if needed.
If you’re wondering whether you’re truly prepared, here’s a provocative thought: are you treating NIS2 as a regulatory burden or as a competitive advantage? Because in the new cybersecurity era, resilience may just be the ultimate differentiator.