NIS2 Essential vs Important Entities Explained

Under NIS2, every in-scope company is classified as either an essential entity or an important entity. The category does not change what security measures you must implement. Article 21 of the NIS2 Directive sets identical requirements for both. What it changes is how regulators supervise you and how much you can be fined when something goes wrong. For most companies in high-criticality sectors, the deciding factor is a single threshold: whether you employ 250 or more people.

NIS2 is moving from policy preparation into active enforcement across the EU. As it does, a very practical question is landing in compliance inboxes. Do we even fall under this directive at all? The directive covers 18 critical sectors, and classification depends on a combination of sector, company size, type of service, and specific exemptions. Most companies sort out the essential-vs-important question second. Before that, they need to answer whether they are in scope at all.

Essential and Important Entities Under NIS2: Same Obligations, Very Different Consequences

The most common misconception about NIS2 is that essential entities face stricter security requirements than important ones. They do not. Article 21 lists ten minimum measures that apply equally to both: risk analysis, incident handling, business continuity, supply chain security, network security in procurement, access control, cryptography, HR security, MFA, and secured communications. The European Commission’s official FAQ describes “a different supervisory regime.” Not different security obligations.

Oversight is where the categories actually split. Essential entities are subject to proactive, systematic supervision under Article 32: regular scheduled audits, random on-site inspections, and continuous off-site monitoring. Authorities do not need a reason to audit you. You are auditable by default. Important entities fall under Article 33: oversight is reactive, triggered only when there is “evidence, indication or information” of non-compliance. Recital 122 makes this explicit. Important entities are not required to systematically document compliance.

Maximum fines under Article 34 follow the same split. Essential entities: €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities: €7,000,000 or 1.4% of global turnover, whichever is higher.

One thing that rarely makes it into compliance summaries: under Article 32(5), national authorities can temporarily suspend an essential entity’s certification or authorisation, or prohibit the CEO or legal representative from exercising managerial functions. These sanctions do not exist for important entities. The gap between a €7M and a €10M fine ceiling matters. The prospect of a personal management ban operates in a different register entirely.

The 250-Employee Threshold That Determines Your NIS2 Category

Annex I covers 11 high-criticality sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. For companies operating in any of these, classification follows a size rule set by Commission Recommendation 2003/361/EC. Large enterprise means essential; medium enterprise means important; small and micro companies fall outside scope.

Large means 250 or more employees, or annual turnover above €50 million combined with a balance sheet above €43 million. Medium is everything below those thresholds. NIS2 Article 2(1) removes the standard SME group consolidation rule: each legal entity is assessed on its own figures, not on the combined figures of its corporate group. A subsidiary of a large multinational is assessed independently, on its own headcount and financials.

Annex II covers 7 sectors: postal and courier services, waste management, chemicals, food production, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, and other transport equipment), digital providers (online marketplaces, search engines, and social networking platforms), and research organisations. For companies in any of these, the default classification is always important. Size does not move an Annex II company to essential. A member state can reclassify specific Annex II entities as essential under Article 2(2)(b)-(e), but that requires a deliberate regulatory decision based on criteria such as sole-provider status or systemic risk. It is not an automatic outcome of growth.

On paper the criteria are clear. In practice, companies near the 250-employee line, subsidiaries, and corporate groups with multiple legal entities hit complications quickly. A more sensible model would have the competent authority run a clear register or at least a confirmation process, so companies can verify their classification rather than interpret it alone. Most member state implementations have not gone that far.

Check your classification now with the NIS2 Checker.

DNS Providers, Trust Services, and Central Governments: Essential Regardless of Size

Seven types of entity are classified as essential under Article 3(1) without any reference to headcount or turnover: qualified trust service providers, top-level domain name registries, DNS service providers (except root name servers), public administration bodies of central government, and entities designated as critical under the CER Directive (EU) 2022/2557. For these, size is irrelevant. The nature of the service is the only criterion.

A common error in third-party analyses cites Directive 2008/114/EC as the reference for critical infrastructure entities. That directive was repealed. NIS2 Article 3(1)(f) references CER 2022/2557 exclusively.

Beyond the automatic classifications, Article 2(2) gives member states discretion to bring additional companies into scope or reclassify important entities as essential, based on criteria including sole-provider status, significant systemic risk, or critical importance at national or regional level. Several states have used this broadly. Poland’s transposition entered into force on 3 April 2026 and reclassified manufacturing companies from important to essential. If you run operations in Poland in that sector, you are not in the important-entity category you might have assumed. You are essential, with the audit regime and fine ceiling that come with it. Slovenia added research and higher education institutions. Croatia introduced authority-led classification: companies do not self-register but are classified by the national authority.

The European Commission proposed amendments to NIS2 as part of the Digital Omnibus package on 20 January 2026, including a certification pathway for SMEs and further simplifications. As of May 2026, these amendments have not been adopted. The current classification rules remain in force.

How to Check Your NIS2 Category Before Your National Authority Does

Member states were required under Article 3(3) to establish lists of essential and important entities by 17 April 2025. National authorities are now moving from list-building to enforcement. Germany’s BSI required self-registration by March 2026. Austria’s NISG 2026 enters into force on 1 October 2026, with mandatory entity registration from 1 January 2027. France and the Netherlands have legislation in progress as of May 2026.

There are four things to check before your national authority checks them for you. The order matters.

Start with your primary sector against the Annex I and Annex II lists. If your company spans multiple sectors, the classification that results in essential status takes precedence.

Apply the size threshold from Recommendation 2003/361/EC to your own legal entity’s figures. If you are part of a corporate group, each subsidiary is assessed independently on its own headcount and financials.

Check your national transposition law, not just the directive text. Poland, Croatia, Slovenia, Italy, and Germany have all expanded scope or reclassified categories beyond the directive defaults. The European Commission transposition tracker shows current national legislation status.

If you operate across multiple member states, run this check for each jurisdiction separately. The classification that results in essential status in any single country is the one to prepare for.

NIS2 is a European directive. The actual obligations, registration requirements, and additional scope expansions are shaped by each member state’s transposition law. A company that checks only the directive text does not have the full answer. Check sector and size first, then confirm for each country how NIS2 has been transposed locally. Only then does a company know whether it is preparing as an important or essential entity. The directive is the floor. Your national law is the ceiling. They are not always the same height.

Work through the full decision logic with the NIS2 Checker.
