Free tool

NIS2 Scope Checker

Does the NIS2 directive apply to your organization? Answer 6 questions and get an instant verdict: Essential, Important, or Out of Scope. No signup required.


How NIS2 scoping works

The NIS2 Directive (EU 2022/2555) applies to organizations based on three criteria:

  1. Sector: You must operate in one of the 18 sectors listed in Annex I (high criticality) or Annex II (other critical). Annex I covers energy, transport, banking, health, water, digital infrastructure, and public administration. Annex II covers manufacturing, waste, chemicals, food, digital providers, and research.
  2. Size: NIS2 generally applies to medium and large enterprises. Medium = 50+ employees OR EUR 10M+ turnover. Large = 250+ employees OR EUR 50M+ turnover. Small enterprises are usually exempt.
  3. Special categories: Some entities are in scope regardless of size — DNS providers, TLD registries, cloud service providers, data centres, CDN providers, and trust service providers.

If you meet these criteria, you're classified as either an Essential Entity (large organizations in Annex I sectors) or an Important Entity (medium organizations in Annex I, or organizations in Annex II).

Essential entities face stricter supervision and higher fines (up to EUR 10M or 2% of turnover). Important entities face slightly lower fines (up to EUR 7M or 1.4% of turnover) and lighter ex-post supervision.
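To make the three-criteria logic above concrete, here is an added Python example (not the scope checker's own code) that applies the page's sector, size and special-category rules and returns the same three verdicts, plus the fine ceiling for the resulting tier; the `Org` fields and the tier assigned to a small special-category entity (the page does not state one) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Annex(Enum):
    NONE = "none"      # no NIS2 sector applies
    I = "Annex I"      # high-criticality sectors (energy, banking, health, ...)
    II = "Annex II"    # other critical sectors (manufacturing, food, ...)

# Entity types the page lists as in scope regardless of size; they are
# digital-infrastructure providers, so they are treated as Annex I below.
SPECIAL_CATEGORIES = {
    "dns provider", "tld registry", "cloud service provider",
    "data centre", "cdn provider", "trust service provider",
}

@dataclass
class Org:
    annex: Annex
    employees: int
    turnover_eur: float
    entity_type: str = ""  # e.g. "dns provider"; empty when none applies

def size_class(org: Org) -> str:
    """Size band per the page's thresholds: meeting EITHER test suffices."""
    if org.employees >= 250 or org.turnover_eur >= 50_000_000:
        return "large"
    if org.employees >= 50 or org.turnover_eur >= 10_000_000:
        return "medium"
    return "small"

def classify(org: Org) -> str:
    """Return 'Essential', 'Important' or 'Out of scope'."""
    special = org.entity_type.lower() in SPECIAL_CATEGORIES
    annex = Annex.I if special else org.annex
    size = size_class(org)
    if annex is Annex.NONE or (size == "small" and not special):
        return "Out of scope"
    if annex is Annex.I and size == "large":
        return "Essential"
    # Medium Annex I, any in-scope Annex II, or a small special-category
    # entity (tier for that last case is an assumption; the page states none).
    return "Important"

def max_fine_eur(tier: str, turnover_eur: float) -> float:
    """Fine ceiling from the page: fixed cap or share of turnover, whichever is higher."""
    if tier == "Essential":
        return max(10_000_000, 0.02 * turnover_eur)
    if tier == "Important":
        return max(7_000_000, 0.014 * turnover_eur)
    return 0.0
```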

What NIS2 requires once you're in scope

Being in scope is only the first answer. NIS2 then imposes three layers of obligation: technical and organisational risk-management measures, incident-reporting duties on a strict clock, and registration plus management accountability.

The ten Article 21(2) risk-management measures

Every in-scope entity must implement these baseline measures, proportionate to its size and risk exposure:

  1. Risk-analysis and information-system security policies.
  2. Incident handling (detection, response and recovery).
  3. Business continuity — backup management, disaster recovery and crisis management.
  4. Supply-chain security, including the security of relationships with direct suppliers and service providers.
  5. Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure.
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  7. Basic cyber hygiene practices and security training.
  8. Policies on the use of cryptography and, where appropriate, encryption.
  9. Human-resources security, access-control policies and asset management.
  10. Multi-factor authentication, secured communications and secured emergency communications where appropriate.

Incident reporting on a 24h / 72h / 1-month clock

For a significant incident, Article 23 requires an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. Several transpositions add national specifics — Italy benchmarks significance against ACN-published thresholds; qualified trust providers in France face a tighter 24-hour intermediate window.

Registration and management accountability

In-scope entities must register with their national authority (for example within three months of becoming in-scope in Germany) and the management body must approve and oversee the cybersecurity measures. Under Article 20, directors can be held personally liable and, in some Member States, temporarily banned from management functions. See our guide to NIS2 fines, enforcement and director liability.

Frequently asked questions

What is the NIS2 50 employees threshold?

NIS2 applies to medium and large enterprises. Medium enterprises are defined as organizations with at least 50 employees OR an annual turnover above EUR 10 million (following EU Recommendation 2003/361/EC). If you exceed either threshold, you're a medium enterprise.

Does NIS2 apply to SaaS companies?

It depends. If your SaaS is classified as a "digital service provider" (online marketplace, online search engine, or cloud computing service), you're likely in scope as an Important Entity under Annex II. If you provide cloud infrastructure (IaaS, PaaS), you may be in scope regardless of size. Many B2B SaaS companies fall under Annex I as providers of ICT service management.

What if my supplier asks me to prove NIS2 compliance even though I'm not in scope?

This is increasingly common. NIS2 Article 21(2)(d) requires in-scope entities to manage supply chain risk, which means they push compliance requirements down to their suppliers. Even if you're not directly in scope, you may face indirect compliance pressure. Reglyze helps you demonstrate security posture to your customers without needing full NIS2 certification.

I have ISO 27001 — am I automatically NIS2 compliant?

No, but you're ~80% of the way there. ISO 27001 Annex A maps heavily to NIS2 Article 21. However, NIS2 has specific requirements around incident reporting timelines, management accountability, and registration with national authorities that ISO 27001 doesn't cover. See our NIS2 vs ISO 27001 crosswalk.

Get the full NIS2 gap assessment

The scope checker tells you if NIS2 applies. The full Reglyze assessment tells you exactly what you need to do to comply. Start free.