NIS 2 sectors in scope: essential, important, and the size-cap exceptions
NIS 2 catches entities by sector and by size. Annex I lists eleven essential sectors. Annex II lists seven important sectors. The size threshold is 50 employees or €10 million in annual turnover. Some entity types are caught regardless of size.
Annex I: essential sectors
- Energy (electricity, district heating and cooling, oil, gas, hydrogen).
- Transport (air, rail, water, road).
- Banking (credit institutions).
- Financial market infrastructure (operators of trading venues, central counterparties).
- Health (healthcare providers, EU reference laboratories, R&D of medicinal products, manufacturers of basic pharmaceutical products, manufacturers of medical devices considered critical during public health emergencies).
- Drinking water and wastewater.
- Digital infrastructure (internet exchange points, DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, providers of publicly available electronic communications services).
- ICT service management (managed service providers, managed security service providers).
- Public administration entities of central and (where designated) regional governments.
- Space (operators of ground-based infrastructure).
Annex II: important sectors
- Postal and courier services.
- Waste management.
- Manufacture, production, and distribution of chemicals.
- Production, processing, and distribution of food.
- Manufacturing (medical devices and in vitro diagnostics, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, other transport equipment).
- Digital providers (online marketplaces, online search engines, social networking platforms).
- Research organisations.
The size threshold (more nuanced than the headlines suggest)
For entities in Annex I or Annex II sectors, NIS 2 applies when the entity is medium-sized or larger under Commission Recommendation 2003/361/EC. The "medium or larger" test is the inverse of the "small enterprise" test in the Recommendation, and the financial part of that test has an "and/or" that is easy to misread.
Practical floor: if you have 50 or more employees, you are in scope unconditionally. If you have fewer than 50 employees, you are in scope only if both your annual turnover and your annual balance sheet total exceed €10 million. A company with, for example, 30 staff, €15 million turnover, and €5 million balance sheet still qualifies as a "small enterprise" under the Recommendation (the small-enterprise financial ceiling is satisfied if either turnover or balance sheet total is at or below €10 million), and is therefore outside the sectoral NIS 2 scope.
Below the threshold, entities in the same sector can still be caught through the Article 2(2) and 2(3) provisions listed in the next section (sole providers, critical-impact entities, entities designated under the CER Directive, and so on).
Entities caught regardless of size
Article 2(2) and Article 2(3) of NIS 2 catch certain entity categories without any size threshold. The full list is broader than the six commonly cited online:
- DNS service providers (excluding operators of root name servers).
- Top-level domain name registries.
- Trust service providers (qualified and non-qualified under eIDAS Regulation (EU) 910/2014).
- Providers of public electronic communications networks.
- Providers of publicly available electronic communications services.
- Sole providers in a member state of a service essential for the maintenance of critical societal or economic activities (Article 2(2)(d)).
- Entities whose disruption of service could significantly impact public safety, public security, or public health (Article 2(2)(e)).
- Entities identified as critical entities under Directive (EU) 2022/2557 (the CER Directive on the resilience of critical entities), caught by NIS 2 by reference under Article 2(3).
- Public administration entities of central government (and, where designated by member states, regional government).
How to check your customers
Most software vendors are not themselves in scope of NIS 2; their customers are. The relevant question for a B2B vendor is which of its customers are in scope and what flows down via the supply chain security obligations in Article 21(2)(d).
A short test: is the customer in an Annex I or Annex II sector? Are they above 50 employees or €10 million turnover? Do they provide a service whose disruption could cascade across the EU? If yes to any, expect NIS 2 due-diligence questions on your security posture, your incident response, and your supplier chain.
National transposition variation (this is where it gets uneven)
The directive sets a floor. Each member state's national act sets the operational ceiling, and the acts diverge on detail that matters for compliance. A few worked examples of the variation we see in practice:
- Belgium transposed via the Loi du 26 avril 2024, which entered into force on 18 October 2024 (the day after the EU transposition deadline). The Centre for Cybersecurity Belgium (CCB) is the single competent authority, which simplifies the reporting route compared with multi-authority models.
- Italy transposed via Decreto Legislativo 138/2024 (published in the Gazzetta Ufficiale on 1 October 2024). The decree gives the Agenzia per la Cybersicurezza Nazionale (ACN) broad supervisory powers, including ex ante inspections for essential entities, and layers sector-specific obligations on top of the directive floor.
- The Netherlands is transposing through the Cyberbeveiligingswet (Cbw), which has been significantly delayed and is still in the legislative pipeline. The draft text splits supervisory authority by sector (separate competent authorities for finance, telecoms, digital infrastructure, and others), meaning a single entity active in several sectors may have to report to several authorities once the act takes effect.
- Germany is transposing through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), repeatedly delayed and still in the legislative pipeline as of mid-2026. The draft raises the personal-liability bar: management body members can be held personally liable for damages from failure to implement the cybersecurity measures, with indemnification only under restrictive conditions.
- Member states have also made different choices on the discretionary scope provisions in Article 2. Some have designated additional sub-national public administration entities as in scope; others have stayed at the central-government floor. Confirm against the specific national act before assuming scope.