
Who is affected by NIS2?
The classification under the NIS2 Directive (Network and Information Security Directive 2) follows several key rules. Organizations are divided into two main categories.
1. Essential and Important Entities
Entities are classified based on their size and sector of operation.
A) Organization Size
👉 Automatically fall under NIS2:
- Medium-sized enterprises (50+ employees or turnover above €10 million)
- Large enterprises (250+ employees or turnover above €50 million)
Smaller companies may be included if they operate in critical sectors.
B) Sector of Operation
The directive distinguishes between two types of sectors:
1️⃣ Highly Critical Sectors (Essential Entities):
- Energy (electricity, gas, oil)
- Transport (aviation, rail, maritime)
- Banking and financial markets
- Healthcare (hospitals, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure (cloud services, DNS, data centers)
- Public administration
2️⃣ Other Critical Sectors (Important Entities):
- Postal and courier services
- Food production and distribution
- Chemical manufacturing
- Electronics manufacturing
- Machinery manufacturing
- Transport vehicle manufacturing
- Waste management
- Research
2. Exceptions and Special Cases
- Smaller companies (fewer than 50 employees) are generally excluded unless they are part of critical infrastructure or have a significant impact on society.
- Organizations providing public services may have specific regulations.

