Free tool

NIS2 Scope Checker

Does the NIS2 directive apply to your organization? Answer 6 questions and get an instant verdict: Essential, Important, or Out of Scope. No signup required.


How NIS2 scoping works

The NIS2 Directive (EU 2022/2555) applies to organizations based on three criteria:

  1. Sector: You must operate in one of the 18 sectors listed in Annex I (high criticality) or Annex II (other critical). Annex I covers energy, transport, banking, health, water, digital infrastructure, and public administration. Annex II covers manufacturing, waste, chemicals, food, digital providers, and research.
  2. Size: NIS2 generally applies to medium and large enterprises. Medium = 50+ employees OR EUR 10M+ turnover. Large = 250+ employees OR EUR 50M+ turnover. Small enterprises are usually exempt.
  3. Special categories: Some entities are in scope regardless of size — DNS providers, TLD registries, cloud service providers, data centres, CDN providers, and trust service providers.

If you meet these criteria, you're classified as either an Essential Entity (large organizations in Annex I sectors) or an Important Entity (medium organizations in Annex I, or organizations in Annex II).

Essential entities face stricter supervision and higher fines (up to EUR 10M or 2% of turnover). Important entities face slightly lower fines (up to EUR 7M or 1.4% of turnover) and lighter ex-post supervision.

Frequently asked questions

What is the NIS2 50 employees threshold?
NIS2 applies to medium and large enterprises. Medium enterprises are defined as organizations with at least 50 employees OR an annual turnover above EUR 10 million (following EU Recommendation 2003/361/EC). If you exceed either threshold, you're a medium enterprise.

Does NIS2 apply to SaaS companies?
It depends. If your SaaS is classified as a "digital service provider" (online marketplace, online search engine, or cloud computing service), you're likely in scope as an Important Entity under Annex II. If you provide cloud infrastructure (IaaS, PaaS), you may be in scope regardless of size. Many B2B SaaS companies fall under Annex I as providers of ICT service management.

What if my supplier asks me to prove NIS2 compliance even though I'm not in scope?
This is increasingly common. NIS2 Article 21(2)(d) requires in-scope entities to manage supply chain risk, which means they push compliance requirements down to their suppliers. Even if you're not directly in scope, you may face indirect compliance pressure. Reglyze helps you demonstrate security posture to your customers without needing full NIS2 certification.

I have ISO 27001 — am I automatically NIS2 compliant?
No, but you're ~80% of the way there. ISO 27001 Annex A maps heavily to NIS2 Article 21. However, NIS2 has specific requirements around incident reporting timelines, management accountability, and registration with national authorities that ISO 27001 doesn't cover. See our NIS2 vs ISO 27001 crosswalk.

Get the full NIS2 gap assessment

The scope checker tells you if NIS2 applies. The full Reglyze assessment tells you exactly what you need to do to comply. Start free.