Articles 2 and 3 of Directive (EU) 2022/2555 settle who falls under NIS2 — and they do it mechanically. NIS2 essential and important entities are not designated by feel: an entity is in scope when it appears in one of two annexes and crosses a size threshold, or when one of the special cases removes the size question entirely.
The operational risk sits in the order of discovery. Companies that fail on NIS2 rarely fail on the measures first; they fail on the scoping, learning from a supervisory letter that an Annex II line or a national designation had covered them for months. Four tests, run in sequence and documented, produce the answer a regulator will accept — and Article 3, paragraphs 3 and 4, turns that answer into a registration duty with a two-week update clock.
Test 1 — the sector test: 18 sectors across two annexes
Annex I of the directive names eleven "sectors of high criticality": energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Annex II adds seven "other critical sectors": postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research. Eighteen sectors in total — but the sector heading is not the test.
The directive applies to "entities of a type referred to in Annex I or II". The operative unit is the entity type listed in the annex, not the industry label. Manufacturing, for instance, covers a closed list of subsectors — medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment. Digital providers covers exactly three types: online marketplaces, online search engines and social networking platforms. A logistics-software vendor sits in none of them; the same company may instead surface in Annex I under ICT service management as a managed service provider.
The frequent failure mode is scanning the eighteen headings and stopping there. The scoping memo quotes the annex line verbatim — sector, subsector, entity type — or concludes, line by line, that none applies. The 3-question NIS2 scope self-assessment walks the annexes in exactly that order.
Test 2 — the size-cap rule: 50 employees or €10 million
Article 2, paragraph 1 applies the directive to Annex I and II entity types that qualify as medium-sized enterprises under Commission Recommendation 2003/361/EC — or exceed its ceilings — and that provide services or carry out activities in the Union. Translated: an entity is in scope from 50 employees, or from an annual turnover and balance-sheet total above €10 million.
The same arithmetic sets the upper split. Annex I entities that exceed the medium-size ceilings — 250 employees, or more than €50 million turnover and €43 million in balance-sheet total — are essential entities under Article 3, paragraph 1, point (a). Medium-sized Annex I entities, and in-scope Annex II entities of any size, default to the important category.
Two traps hide in the Recommendation. Headcount, turnover and balance sheet are assessed with partner and linked enterprises included — a 30-person subsidiary of a large group can cross the threshold on consolidated figures alone. And the figures move: an entity that passed 50 employees in the last closed financial year is in scope now, not at the next annual review.
Test 3 — in scope regardless of size: Article 2(2) to 2(4)
Article 2, paragraph 2 removes the size cap for defined cases. Point (a) covers three entity types by what they are: providers of public electronic communications networks or services, trust service providers, and top-level domain name registries together with DNS service providers. Points (b) to (e) cover entities a Member State designates individually — the sole provider of an essential service, an entity whose disruption would significantly affect public safety, security or health, a source of systemic cross-border risk, or an entity of specific national or regional importance. Point (f) adds public administration entities of central government.
Paragraph 3 extends the directive to every entity identified as critical under Directive (EU) 2022/2557, the critical-entities resilience directive. Paragraph 4 adds entities providing domain name registration services, again without a size floor.
The directive does not ask whether a company feels critical. It asks whether it is on an annex, over a threshold, or named by an authority — in that order.
The practical consequence: a five-person DNS provider is in scope, and a designation letter under points (b) to (e) overrides every size calculation on file. Designations arrive through the national transposition acts, which is why the scoping file tracks where the four big markets stand on NIS2 transposition — the national law, not the directive, says who signs the letter.
Test 4 — essential or important: what changes between the regimes
Article 3, paragraph 1 lists the essential entities: large Annex I entities; qualified trust service providers, top-level domain registries and DNS providers regardless of size; medium-sized providers of public electronic communications; central-government bodies; Member-State-designated entities under Article 2, paragraph 2, points (b) to (e); and entities identified as critical under Directive 2022/2557. Article 3, paragraph 2 makes every other in-scope entity an important entity. The substantive obligations are identical — the same Article 21 measures, the same incident-reporting clock, the same management-body duties under Article 20 of the directive.
What changes is the exposure. Essential entities face ex-ante supervision under Article 32: audits, on-site inspections and information requests with no suspicion required. Important entities face ex-post supervision under Article 33 — the authority acts when it holds evidence or indication of an infringement. The fine ceilings diverge the same way: at least €10 million or 2% of worldwide annual turnover for essential entities under Article 34, paragraph 4; at least €7 million or 1.4% under paragraph 5 for important ones. How national regulators build that NIS2 fine is arithmetic worth reading before the categorisation memo is signed.
The category also lands in a register. Article 3, paragraph 3 required Member States to establish a list of essential and important entities by 17 April 2025, reviewed at least every two years. Paragraph 4 puts the burden on the entity: submit the name, the address and current contact details — including email addresses, IP ranges and telephone numbers — the Annex I or II sector and subsector, and the Member States where in-scope services are provided. Any change must be notified without delay, and in any event within two weeks.
What good looks like
Three artefacts close the scope question in a form a supervisor can read:
- A dated scoping memo — quoting the exact annex line, stating headcount, turnover and balance-sheet figures at the assessment date, applying the four tests in order, and concluding essential, important or out of scope, signed by legal and the CISO.
- The registration receipt — the submission confirmation from the national authority under Article 3, paragraph 4, filed together with a change log showing every update made within the two-week window.
- A board minute recording the categorisation — the regime, the supervisory consequence, the applicable fine ceiling, and the approval duty that follows for the management body.
None of the three requires a consultant. They require that the answer to "who falls under NIS2" be written down, dated and filed — before the authority asks who should have registered.
Sources
- Directive (EU) 2022/2555, Articles 2 and 3, Annexes I and II.
- Directive (EU) 2022/2557 on the resilience of critical entities, Article 6 (identification of critical entities).
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises.
- ENISA, guidance on NIS2 scope and entity categorisation.



