NIS2 applies to medium and large companies operating in 18 critical sectors across the EU. Whether your organisation is in scope depends on three things: what you do, how big you are, and which EU member state you operate in. The checker below works through the criteria set out in Article 2 of the NIS2 Directive (EU 2022/2555) and the sectors listed in Annexes I and II.
It takes about two minutes. Answer the questions, and you will get a clear in-scope or out-of-scope result, the entity classification that applies to you (essential or important), and the penalty ceiling that comes with it.
Designed for compliance officers, risk managers, and COOs at EU-based companies who need a documented starting point for their NIS2 assessment. This is not legal advice. For complex group structures or cross-border operations, verify the output with qualified legal counsel before relying on it for formal reporting purposes.
How This Tool Works
The checker applies the scope criteria from Article 2 of NIS2, the sector definitions in Annex I (essential entities) and Annex II (important entities), and the size thresholds set at 50 employees or €10 million annual turnover. It also applies the size-independent exceptions under Article 2(2), which bring certain categories into scope regardless of headcount or revenue, including sole providers of critical services, companies whose disruption would have a significant cross-border impact, and critical infrastructure operators designated by member states.
The tool does not cover the special rules for DNS providers, TLD registries, cloud service providers, data centre operators, CDN providers, and managed security service providers, which are subject to additional or different criteria under Articles 26 and 27. If your organisation falls into any of those categories, the result screen will flag this and direct you to the relevant provision.
Note: The European Commission published a proposal on 20 January 2026 to amend NIS2 in several targeted areas. This tool reflects the current directive. Where the proposal would change a result, the tool flags this.
Frequently Asked Questions
Does NIS2 apply to companies outside the EU?
Yes, in some cases. NIS2 applies to any entity that provides services within the EU, regardless of where it is established. If your company is based outside the EU but delivers services to EU customers in a covered sector, you are required to designate a representative in an EU member state under Article 26. The Commission’s January 2026 amendment proposal would expand this obligation to cover all essential or important entities not established in the EU that provide services in the EU, closing a gap in the current text.
What is the difference between an essential entity and an important entity under NIS2?
Essential entities are those operating in the sectors listed in Annex I of NIS2, including energy, transport, banking, health, drinking water, digital infrastructure, and public administration. Important entities fall under Annex II, which covers postal services, waste management, chemicals, food, certain manufacturing categories, and digital providers. The substantive obligations are the same for both. The difference is the supervisory regime: essential entities face proactive oversight and can be inspected without a prior incident; important entities are subject to reactive supervision triggered by an incident or complaint.
My company has fewer than 50 employees. Are we exempt?
Usually yes, but not always. The 50-employee threshold is the default floor under Article 2(1). However, Article 2(2) lists categories that come into scope regardless of size. These include sole providers of a service that is critical to societal or economic activities in a member state, providers whose disruption would have significant cross-border effects, and entities designated as critical infrastructure at national level. If any of those descriptions could apply to your organisation, size alone does not provide an exemption.
The January 2026 Commission proposal would remove small DNS providers from scope entirely. If this applies to your business, monitor the trilogue process. A political agreement is targeted for early 2027.
Which sectors does NIS2 cover?
Annex I covers: energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking and financial market infrastructure, health, drinking water, waste water, digital infrastructure (internet exchange points, DNS providers, TLD registries, cloud providers, data centres, CDNs, trust service providers, electronic communications networks), ICT service management (managed service providers, managed security service providers), public administration, and space.
Annex II covers: postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations.
The January 2026 proposal would add operators of submarine data transmission infrastructure to scope while removing chemical distributors (though chemical manufacturers would remain in). These changes are not yet law.
What are the penalties if NIS2 applies and we are not compliant?
Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover. These are the maximums set in Article 34; member states can apply stricter scales.
Personal liability matters here and is frequently overlooked. In Germany, the national NIS2 implementation law exposes individual managers to fines of up to €500,000. Directors can be temporarily removed from leadership positions in cases of serious negligence. Germany is not alone in taking this approach; several other member states have included personal liability provisions in their transposition laws. If you are a C-level executive at an in-scope company, the compliance question is not only about your organisation.
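The decision logic described under "How This Tool Works", the size-exception answer above and the penalty figures in this answer can be written down as a small deterministic classifier. The following Python is an added example, not the page's own checker: it encodes the Annex I and Annex II sector lists, the 50-employee / €10 million size test, the three Article 2(2) size-independent triggers, the Article 26/27 categories that only get flagged, and the Article 34 ceilings (fixed amount or share of global turnover, whichever is higher, which the directive applies to both tiers). Sector names, field names and the sample entities are constructed for illustration.

```python
"""NIS2 scope classifier: an illustrative implementation of the checker logic
the page describes. Added example, not the page's tool, not legal advice."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tier(Enum):
    ESSENTIAL = "essential"        # Annex I sectors (page's mapping)
    IMPORTANT = "important"        # Annex II sectors
    OUT_OF_SCOPE = "out of scope"


# Sector lists as summarised on the page; keys are constructed lower-case labels.
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}
# Sub-categories with additional or different criteria under Articles 26 and 27.
# The classifier flags them instead of deciding, as the page's tool does.
SPECIAL_CATEGORIES = {
    "dns provider", "tld registry", "cloud service provider",
    "data centre operator", "cdn provider", "managed security service provider",
}

# Default size floor (Article 2(1)): medium or large enterprise.
MIN_EMPLOYEES = 50
MIN_TURNOVER_EUR = 10_000_000

# Article 34 ceilings: (fixed amount, share of global annual turnover).
PENALTY_CEILING = {
    Tier.ESSENTIAL: (10_000_000, 0.02),
    Tier.IMPORTANT: (7_000_000, 0.014),
}


@dataclass
class Entity:
    sector: str
    employees: int
    turnover_eur: float             # turnover used for the size test
    global_turnover_eur: float      # global turnover used for the fine ceiling
    sub_category: Optional[str] = None
    # Article 2(2) size-independent triggers
    sole_provider: bool = False
    cross_border_impact: bool = False
    designated_critical: bool = False


@dataclass
class Result:
    tier: Tier
    in_scope: bool
    reason: str
    penalty_ceiling_eur: Optional[float] = None
    flags: list = field(default_factory=list)


def meets_size_threshold(e: Entity) -> bool:
    return e.employees >= MIN_EMPLOYEES or e.turnover_eur > MIN_TURNOVER_EUR


def size_independent(e: Entity) -> bool:
    return e.sole_provider or e.cross_border_impact or e.designated_critical


def penalty_ceiling(tier: Tier, global_turnover_eur: float) -> float:
    fixed, share = PENALTY_CEILING[tier]
    return max(fixed, share * global_turnover_eur)   # whichever is higher


def classify(e: Entity) -> Result:
    sector = e.sector.lower()
    if sector in ANNEX_I:
        tier = Tier.ESSENTIAL   # page's simplification; Article 3 adds size-based nuance
    elif sector in ANNEX_II:
        tier = Tier.IMPORTANT
    else:
        return Result(Tier.OUT_OF_SCOPE, False,
                      f"sector '{e.sector}' is not listed in Annex I or II")

    flags = []
    if e.sub_category and e.sub_category.lower() in SPECIAL_CATEGORIES:
        flags.append(f"{e.sub_category}: Articles 26/27 criteria apply; verify separately")

    if meets_size_threshold(e):
        reason = "covered sector and medium-or-large size (Article 2(1))"
    elif size_independent(e):
        reason = "below size threshold, but an Article 2(2) exception applies"
    else:
        return Result(Tier.OUT_OF_SCOPE, False,
                      "covered sector, below size threshold, no Article 2(2) exception",
                      flags=flags)
    return Result(tier, True, reason, penalty_ceiling(tier, e.global_turnover_eur), flags)


if __name__ == "__main__":
    # Constructed sample entities, not real companies.
    for ent in (
        Entity("energy", 300, 80e6, 1e9),
        Entity("food", 120, 30e6, 100e6),
        Entity("digital infrastructure", 10, 2e6, 2e6, "DNS provider", sole_provider=True),
        Entity("food", 20, 3e6, 3e6),
    ):
        r = classify(ent)
        print(ent.sector, r.tier.value, r.in_scope, r.penalty_ceiling_eur, r.flags)
```

The three `Entity` booleans are where the judgement calls live: the size test is arithmetic, but whether an organisation is a sole provider or nationally designated as critical infrastructure is a fact that has to be established with the relevant authority, which is why the page tells small entities not to rely on headcount alone.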
When did NIS2 become law, and where does enforcement stand as of 2026?
NIS2 entered into force on 16 January 2023. The transposition deadline for member states was 17 October 2024. As of early 2026, 22 of 27 member states have enacted national implementing legislation. France, Ireland, Luxembourg, the Netherlands, and Spain are still completing their legislative processes.
Enforcement is active. The Commission designated 2026 as the year of first NIS2 enforcement actions. Belgium set 18 April 2026 as the deadline for essential entities to demonstrate active implementation of cybersecurity risk management measures. Other national authorities are at similar stages. The correct posture is to treat NIS2 as live and enforced, not as something still being phased in.
What is the January 2026 Commission proposal and does it affect my NIS2 status?
On 20 January 2026, the European Commission published a targeted amendment proposal to NIS2 as part of a broader cybersecurity package. The stated goal is greater legal clarity and simplified compliance. The Commission estimates the changes would affect around 28,700 companies, including 2,200 micro and small businesses currently caught at the margins of scope.
The main proposed changes: mandatory reporting obligations for ransomware attacks; expanded EU representative requirements for non-EU entities; submarine data transmission operators added to scope; chemical distributors removed from scope; small DNS providers removed from scope. The proposal now enters trilogue negotiations between the Commission, the European Parliament, and the Council. A political agreement is targeted for early 2027. Once adopted, member states will have one year to transpose the amendments. None of these changes apply yet.
Does NIS2 replace GDPR for cybersecurity incidents?
No. NIS2 and GDPR operate in parallel and cover different obligations. GDPR governs personal data processing and requires breach notification to data protection authorities within 72 hours. NIS2 governs network and information system security and requires incident notification to the national cybersecurity authority (CSIRT) within 24 hours for early warning, followed by a full report within 72 hours, and a final report within one month. For incidents involving personal data, both sets of obligations apply simultaneously. The ENISA NIS2 guidance covers this overlap.
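The parallel clocks in this answer are easy to get wrong during an incident, so here is an added example (not from the page or ENISA) that computes both sets of deadlines from the moment the entity becomes aware of the incident. Two assumptions are labelled in the code: "one month" is read as a calendar month, and the final report is anchored to the latest possible submission of the 72-hour notification, since the directive counts it from that submission. The timestamps are constructed.

```python
"""Incident reporting clocks under NIS2 and GDPR: added illustrative example,
not legal advice. All deadlines run from the time the entity became aware."""
import calendar
from datetime import datetime, timedelta, timezone

NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)


def add_one_month(dt: datetime) -> datetime:
    """Add one calendar month (assumption: 'one month' = calendar month),
    clamping the day so 31 January rolls to 28/29 February."""
    month = dt.month % 12 + 1
    year = dt.year + dt.month // 12
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime, personal_data_involved: bool) -> dict:
    """Map each required report to its latest submission time."""
    deadlines = {
        "nis2_early_warning": aware_at + NIS2_EARLY_WARNING,
        "nis2_incident_notification": aware_at + NIS2_INCIDENT_NOTIFICATION,
    }
    # Final report is due one month after the 72h notification is submitted;
    # the 72h deadline itself is used as the latest-case anchor (assumption).
    deadlines["nis2_final_report"] = add_one_month(deadlines["nis2_incident_notification"])
    if personal_data_involved:
        # GDPR clock runs in parallel, to the data protection authority.
        deadlines["gdpr_breach_notification"] = aware_at + GDPR_BREACH_NOTIFICATION
    return deadlines


def open_reports(deadlines: dict, now: datetime) -> list:
    """Reports not yet past their deadline, soonest first, with time remaining."""
    pending = [(name, due - now) for name, due in deadlines.items() if due > now]
    return sorted(pending, key=lambda item: item[1])


def overdue_reports(deadlines: dict, now: datetime) -> list:
    """Names of reports whose deadline has already passed."""
    return sorted(name for name, due in deadlines.items() if due <= now)


if __name__ == "__main__":
    # Constructed incident: awareness at 14:00 UTC on 10 March 2026.
    aware = datetime(2026, 3, 10, 14, 0, tzinfo=timezone.utc)
    dl = reporting_deadlines(aware, personal_data_involved=True)
    for name, due in sorted(dl.items(), key=lambda kv: kv[1]):
        print(f"{name:28s} {due.isoformat()}")
    now = aware + timedelta(hours=30)
    print("overdue:", overdue_reports(dl, now))
    print("next:", open_reports(dl, now)[0])
```

Keeping the two regimes in one structure avoids the common failure where the GDPR notification is tracked by the privacy team and the NIS2 early warning by the SOC, with neither noticing that the 24-hour clock runs out first.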
We operate across multiple EU member states. Which national authority do we report to?
The general rule under NIS2 is that you report to the authority in the member state where you are established. For DNS providers, TLD registries, cloud providers, data centres, CDNs, managed service providers, and online marketplaces with multiple establishments, Article 26 sets out specific rules for determining the competent authority, usually based on where your EU headquarters or main establishment sits.
What to Do Now
If this checker confirms you are in scope, the next step is mapping your current security measures against the 10 minimum requirements listed in Article 21 of NIS2. Incident handling, supply chain risk, and access control are where most mid-market organisations have the largest gaps. If your jurisdiction has already set a compliance assessment deadline, document what you have done and when. Supervisory authorities are moving from preparatory conversations to formal inspections.
Not sure where your organisation stands on EU compliance more broadly? Take the free RegDossier AI Act Readiness Assessment to identify your highest-priority gaps across multiple regulations at once.
This tool provides general guidance based on NIS2 Directive (EU 2022/2555), Article 2 and Annexes I and II. It is not legal advice. Consult qualified legal counsel for your specific situation. Last verified: May 2026.
