NIS2 scoping

Scoping answers the first question every organisation has: does NIS2 apply to us, and as what? Reglyze classifies you as an essential entity, an important entity, or out of scope, and records the reasoning.

A NIS2 scoping result — in scope as an important entity, with the reasoning and applicable sectors

How classification works

NIS2 scope is a function of three things:

  1. Sector — whether you operate in an Annex I (“sectors of high criticality”) or Annex II (“other critical sectors”) sector.
  2. Size — the medium/large-enterprise thresholds (headcount and turnover/balance-sheet), with sector-specific exceptions where size doesn’t matter.
  3. Member-state designation — some entities are designated essential regardless of size by their national authority.

Reglyze walks you through these and produces a classification with the inputs that drove it, so an auditor can see why you concluded what you did.

Guided vs. conversational scoping

You can complete scoping as a structured questionnaire or via the AI-assisted conversational flow, which asks follow-up questions in plain language and infers the structured answers. Both produce the same recorded classification.

Why it matters downstream

Your classification sets the obligations that follow — the Article 21 measures you’re assessed against, the Article 23 incident-reporting duties, and the registration expectations with your national authority. Re-run scoping whenever your size, sector activities, or a member-state designation changes.

Auto-scoping enrichment

For digital-facing organisations, Reglyze can enrich scoping from your public web presence (domain, exposed services) to suggest in-scope systems — a starting point you confirm, never an automatic decision.