NIS2: Scope and Definitions

Scope and Definitions [Art 2-6]

Rule: NIS2 applies to medium and large entities in essential and important sectors, with some entities covered regardless of size.

Essential Entities [Art 3(1), Annex I]

Sector	Sub-sectors
Energy	Electricity, oil, gas, hydrogen, district heating/cooling
Transport	Air, rail, water, road
Banking	Credit institutions
Financial market infrastructure	Trading venues, central counterparties
Health	Healthcare providers, EU reference labs, pharma, medical devices
Drinking water	Water suppliers
Waste water	Waste water operators
Digital infrastructure	IXPs, DNS providers, TLD registries, cloud, data centers, CDNs, trust services, public electronic comms
ICT service management (B2B)	Managed service providers, managed security service providers
Public administration	Central government entities
Space	Ground-based infrastructure operators

Important Entities [Art 3(2), Annex II]

Sector	Examples
Postal/courier	Postal service providers
Waste management	Waste collection, treatment, disposal
Chemicals	Manufacture, production, distribution
Food	Production, processing, wholesale distribution
Manufacturing	Medical devices, computers, electronics, machinery, motor vehicles, transport equipment
Digital providers	Online marketplaces, search engines, social networking platforms
Research	Research organizations

Size Thresholds [Art 2(1)]

Entity must be medium or large:

Category	Employees	OR	Turnover	OR	Balance Sheet
Medium	50-249	OR	€10M-€50M	OR	€10M-€43M
Large	250+	OR	€50M+	OR	€43M+

Covered Regardless of Size [Art 2(2)]

Some entities always covered, regardless of size:

Entity Type	Reason
Trust service providers	Critical digital infrastructure
TLD registries	DNS ecosystem criticality
DNS service providers	Internet core function
Public electronic communications	Essential communications
Public administration	Central government
Sole provider	Only entity providing essential service in Member State
Critical impact	Significant impact on public safety, security, health
Cross-border impact	Systemic risk across Member States

Key Definitions [Art 6]

Term	Definition
Network and information system	Electronic communications network, device/group processing data, digital data stored/processed/transmitted
Security of network and information systems	Ability to resist events that compromise availability, authenticity, integrity, confidentiality
Incident	Event compromising availability, authenticity, integrity, or confidentiality of data or services
Significant incident	Causes serious operational disruption OR financial loss OR affects others
Cyber threat	Potential circumstance, event, or action that could damage, disrupt, or adversely impact systems
Near miss	Event that could have been an incident but was prevented or didn’t occur

Exclusions [Art 2(3)-(10)]

NOT covered:

• Entities in sectors already covered by sector-specific legislation (e.g., DORA for finance)
• National security, defense, law enforcement activities
• Diplomatic and consular missions
• Judicial, parliamentary, and central bank entities performing non-commercial activities

Group Undertakings [Art 2(1)]

Assessment at individual entity level, not group:

• Each subsidiary assessed separately
• Cannot aggregate parent and subsidiary metrics
• Entity must independently meet thresholds

Essential vs Important — Why It Matters

Aspect	Essential	Important
Maximum fine	€10M or 2% turnover	€7M or 1.4% turnover
Supervision	Ex-ante (proactive)	Ex-post (reactive)
Audit frequency	Regular, mandatory	After incidents
Compliance checks	Routine inspections	Triggered inspections

Citation

Art 2-6, Directive (EU) 2022/2555