If you’re asking who needs to comply with NIS 2, you’re not alone. For many organizations, the hard part isn’t understanding that NIS 2 raises cybersecurity expectations—it’s quickly determining whether you’re actually in scope, and documenting that decision in a way you can defend later.

NIS 2 is an EU directive, which means each Member State transposes it into national law. In practice, that creates two realities at the same time:

the “shape” of scope is consistent across the EU (sectors, entity categories, and baseline security measures), and
the details you’ll be held to can vary depending on where you operate.

This guide covers:

How NIS 2 scope is typically determined (sector → size → criticality → exceptions)
What “essential” vs “important” means for supervision and enforcement
The security and incident reporting requirements you should operationalize if you’re in scope
The penalties and management accountability expectations to plan for
A scoping workflow you can run in a week, with owners and evidence outputs

When scoping turns into a detective job

GIF via GIPHY

Related guides:

Key takeaways

Scope is a decision you should document: sector mapping + entity size + criticality triggers + Member State implementation notes.
Most in-scope organizations are mid-sized and large: but some entities may be in scope regardless of size due to their role.
“Essential” vs “important” changes supervision: essential entities are typically subject to more proactive oversight.
Security requirements are practical and program-wide: risk management, incident handling, business continuity, supply chain security, and secure development are core themes.
Penalties can be material: NIS 2 is commonly summarized with maximum fines up to (€10m/2%) (essential) and (€7m/1.4%) (important), plus non-monetary enforcement measures.

NIS 2 scope in plain English

NIS 2 is designed to raise baseline cybersecurity and resilience for organizations that are important to the EU’s economy and society.

To determine whether you’re likely in scope, you usually need to answer four questions:

Do we operate in (or provide covered services into) the EU?
Are we in a covered sector?
Do we meet size thresholds—or fall into an exception category?
If we’re in scope, are we likely an essential entity or an important entity?

If you can answer those with evidence (not just opinions), you’re in good shape for the next step: turning NIS 2 into owned workstreams and maintainable proof.

Which sectors are covered (and how to map yours)

NIS 2 covers a broad set of sectors. The most reliable way to scope is to map your actual services (not your marketing description) to sector definitions as implemented by the Member State(s) you operate in.

At a high level, sectors commonly discussed as “essential” include:

Energy, transport, banking, and financial market infrastructures
Health
Drinking water and wastewater
Digital infrastructure and certain ICT service management providers
Public administration
Space

Sectors commonly discussed as “important” include:

Postal and courier services
Waste management
Chemicals
Food production/processing/distribution
Manufacturing
Digital providers
Research

A practical mapping tip (that reduces rework)

When you do sector mapping, write down:

Entity: the legal entity in scope (not just the brand)
Service: the product/service actually delivered
Where delivered: Member State(s) and customer type(s)
Why you believe it maps: 2–5 bullets, with references to internal docs (contracts, service catalog, org chart)

That becomes your scoping evidence packet (and it prevents “scope drift” when teams change).

Size thresholds and common exceptions

NIS 2 scope is often described as “mostly medium and large organizations,” but there are two important nuances:

Size is a strong signal, not the only signal: your role and criticality can matter.
Some organizations may be treated as in scope regardless of size: particularly where disruption would create outsized systemic impact.

Size categories teams typically use during scoping

Organization size	Employee count (typical)	Turnover signal (typical)	What to do next
Large	≥ 250	≥ €50m	Assume likely in scope if sector-mapped; proceed to essential vs important assessment
Medium	50–249	≥ €10m	Assess sector + criticality triggers; proceed to essential vs important assessment
Small / micro	< 50	< €10m	Look for exception triggers (critical role, systemic impact); document why in or out

What “exceptions” look like in practice

Even if your organization is small, you may be treated as in scope if you:

Are a sole or highly concentrated provider of a critical service in a Member State
Provide services where disruption could have cross-border impacts
Support services where failure could affect public safety, security, or health

Because these determinations can be fact-specific (and Member State implementations can vary), treat this as a “document and confirm” area with counsel—not a “guess and move on” area.

Essential vs important entities (what changes operationally)

Both essential and important entities generally need to implement similar baseline cybersecurity risk management measures. The practical difference is how supervision and enforcement tend to show up.

Topic	Essential entities (typical)	Important entities (typical)
Supervision	More proactive (audits/inspections may occur without a trigger)	More reactive (often triggered by incidents or evidence of non-compliance)
Evidence expectations	Higher “prove it now” readiness (policies + control evidence + reporting artifacts)	Still needs evidence, but oversight may be less frequent until a trigger occurs
Enforcement posture	Faster escalation risk if gaps persist	Often escalates after a material event or repeated non-compliance
First 30 days focus	Scope confirmation, incident reporting operationalization, and control evidence inventory	Same priorities, plus ensuring escalation paths are clear if supervision follows an incident

Operational takeaway: regardless of category, your first priority should be building a program you can demonstrate—not a set of policies you can’t evidence.

What in-scope entities must implement (security requirements)

If you’re in scope, NIS 2 expects you to implement and maintain practical cybersecurity risk-management measures. Teams typically operationalize NIS 2 across these workstreams:

Risk analysis and security policies (governance, risk register, risk treatment decisions)
Incident handling (detection, response, roles, escalation, and communications)
Business continuity management (backups, crisis management, disaster recovery)
Supply chain security (vendor inventory, tiering, access paths, contract expectations)
Secure acquisition, development, and maintenance (change management, vulnerability handling)
Measuring effectiveness (control testing, reviews, continuous improvement)
Security training and cyber hygiene (baseline + role-based)
Cryptography and encryption (where applicable)
Asset management + access control + HR security (joiner/mover/leaver, access reviews)
MFA and secure communications (appropriate authentication and protected comms)

If you want a deliverables-first breakdown, use The NIS 2 Compliance Checklist as a starting point and assign owners by workstream.

Incident reporting readiness (what to operationalize)

Incident reporting is where many programs fail under pressure—not because teams don’t care, but because they haven’t made reporting a repeatable operating procedure.

NIS 2 is often summarized with a fast initial reporting window (commonly referenced as 24 hours) for significant incidents, followed by additional reporting milestones. Because reporting details can vary by national implementation, the safest approach is to build a reporting capability that can produce regulator-ready notifications quickly, then align the exact timelines to the Member State(s) you operate in.

To operationalize incident reporting, define and test:

What qualifies as a “significant incident” in your environment (and who decides)
Decision rights: who can trigger reporting, who approves, and who is informed
Minimum data set you can produce within hours (impacted services, scope, mitigations, customer impact, indicators of compromise where relevant)
Evidence trail: a consistent incident timeline and decision log
External communications path: legal, PR, customer comms, regulators, and partners

Practical tip: run a tabletop exercise that starts at “we discovered something at 2:00am” and ends with a draft early notification. If you can’t produce the draft, you don’t yet have an operational process.

Penalties and enforcement (including management accountability)

NIS 2 enforcement typically includes both monetary and non-monetary measures.

Monetary penalties (commonly cited maximum levels)

While national transposition can influence enforcement details, NIS 2 is commonly summarized with maximum fine levels in the range of:

Essential entities: up to (€10,000,000) or 2% of global annual turnover (whichever is higher)
Important entities: up to (€7,000,000) or 1.4% of global annual turnover (whichever is higher)

Non-monetary enforcement measures (common examples)

Supervisory authorities may also issue measures such as:

Binding instructions to remedy deficiencies
Compliance orders with expectations for remediation
Requests for evidence demonstrating control effectiveness
Notifications to affected parties in certain circumstances (implementation-dependent)

Management accountability (what it means in practice)

NIS 2 increases the focus on senior leadership accountability. Operationally, that typically means:

Clear executive sponsorship (budget, staffing, risk acceptance decisions)
A management reporting cadence for cybersecurity risk (not just technical metrics)
Documented decisions when risk is accepted or timelines are extended

If your program depends on “we’ll fix it later,” you should expect SecureSlateiny—especially after an incident.

A practical scoping workflow (owners, evidence, outputs)

Here’s a workflow many teams can run in 5–10 business days to determine scope and create a defensible record.

Step 1: Define the legal entities and EU footprint

Owner: Legal + Finance
Output: entity list, Member State operations, and where services are delivered
Evidence: org chart, entity registry docs, contracts list by entity/customer

Step 2: Map services to covered sectors

Owner: Compliance/GRC + business owners
Output: sector mapping memo per service/entity
Evidence: service catalog, product descriptions, customer contracts, regulated customer list

Step 3: Confirm size thresholds and exception triggers

Owner: Finance + Compliance/GRC
Output: size banding and exception assessment per entity
Evidence: headcount, financial statements, concentration/sole-provider analysis (if relevant)

Step 4: Determine likely classification (essential vs important) and oversight posture

Owner: Compliance/GRC + Security
Output: classification rationale + first 90-day implementation priorities
Evidence: criticality assessment, dependency mapping, incident impact scenarios

Step 5: Build a “prove it” evidence inventory

Owner: Security/GRC program owner
Output: evidence map (control → artifact → owner → refresh cadence)
Evidence: policy set, risk register, incident response artifacts, vendor reviews, backup tests

A decision table you can use to drive next actions

Question	If “Yes”	If “No”	Evidence to collect
Do we have EU operations or deliver covered services into the EU?	Continue scoping	Likely out of scope (document)	Entity list, delivery locations, customer contracts
Do our services map to a covered sector?	Continue scoping	Likely out of scope (document)	Sector mapping memo, service catalog
Are we medium/large (or do exceptions apply)?	Continue scoping	Assess exceptions carefully	Headcount/turnover signals, exception analysis
Are we likely essential or important?	Plan for more proactive oversight	Plan for reactive oversight (still prepare)	Criticality assessment, dependency mapping

Streamline NIS 2 readiness with SecureSlate

NIS 2 readiness gets hard when scope, controls, vendors, incidents, and evidence live across spreadsheets and disconnected tools.

SecureSlate helps you operationalize NIS 2 by centralizing the work:

Map requirements to controls so your program stays coherent as guidance evolves
Assign owners and track remediation with clear timelines and accountability
Centralize evidence for supervisory requests, internal reviews, and incident follow-ups
Support supply chain oversight with vendor workflows and consistent evidence expectations

Get started for free: Create your SecureSlate account

FAQ: NIS 2 scope

Is NIS 2 a directive or a regulation?

NIS 2 is a directive, meaning each EU Member State transposes it into national law. Implementation and enforcement details can vary by country.

Does NIS 2 apply to organizations outside the EU?

It may, depending on how services are delivered and how a Member State implements scope for specific provider categories. If you sell services into the EU—especially into covered sectors—treat NIS 2 scoping as a priority and confirm with counsel.

Are small companies ever in scope?

Sometimes. While many in-scope entities are medium or large, certain organizations may be considered in scope regardless of size due to criticality or systemic impact.

What should we do first if we think we’re in scope?

Confirm scope (sector + size/exception triggers), assign a program owner, and operationalize incident reporting and evidence collection early—those are the areas that tend to fail under time pressure.

Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to NIS 2 and related laws and regulations, consult a licensed attorney.

Who needs to comply with NIS 2? Scope, requirements, and penalties explained