NIS2 Applicability Checker
The NIS2 Directive (Directive (EU) 2022/2555) applies to organisations in 35 sectors across all 27 EU member states. It creates two tiers -- Essential Entities and Important Entities -- with fundamentally different supervision regimes, fine levels, and registration deadlines. Most SMEs in covered sectors do not know which tier they fall into, or whether they are in scope at all. This tool uses the Annex I and II classification rules directly from the Directive to give you an instant, deterministic answer. No registration. No consulting fee.
Determine if your organisation is Essential, Important, or out of scope under Directive (EU) 2022/2555
Select the primary sector your organisation operates in. If you operate in multiple sectors, select the one most likely to place you in the highest category.
Total headcount across all entities in your group (Art. 3 of Directive 2022/2555 uses the SME definition from Recommendation 2003/361/EC).
Group-wide annual turnover in EUR millions. Use balance sheet total if turnover is not applicable to your entity type.
Your main establishment in the EU. This determines which national authority you must register with and which deadline applies.
Classification based on Directive 2022/2555 Annex I and II. National transposition laws may add sectors or adjust thresholds. Not legal advice.
Frequently asked questions
What is the difference between an Essential Entity and an Important Entity?
Essential Entities face proactive supervision: authorities can audit them at any time. Important Entities face reactive supervision: authorities investigate only after a complaint or incident. Both must implement the same 10 cybersecurity measures and meet the same incident reporting deadlines, but fines differ -- up to EUR 10M or 2% of global turnover for Essential, up to EUR 7M or 1.4% for Important. Board members are personally liable in both cases under Art. 20.
What if my company operates in multiple NIS2 sectors?
If your organisation meets thresholds in multiple sectors, the highest classification applies. A company in both Annex I and Annex II that meets the large enterprise threshold (250+ employees or EUR 50M+ turnover) is classified as Essential regardless of which sector triggers it first. Use this checker for your primary sector and consult a legal advisor if multi-sector classification creates ambiguity.
What are the 10 NIS2 cybersecurity measures under Art. 21?
Art. 21 requires: (1) risk analysis and information system security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) security in network and information systems acquisition, (6) policies to assess effectiveness of measures, (7) basic cyber hygiene practices and training, (8) policies on cryptography, (9) human resources security and access control, (10) use of multi-factor authentication and secure communications.
What happens if I miss the NIS2 registration deadline?
Failure to register is an infringement subject to fines. National authorities have begun enforcement, and several countries have already issued warnings to unregistered entities in covered sectors. The deadline varies by country -- some have already passed. Register as soon as possible and document your registration attempt and date of submission.
Does NIS2 apply to non-EU companies serving EU customers?
Yes, with conditions. If your organisation provides services covered by NIS2 in the EU but is not established in the EU, you must designate a representative in an EU member state (Art. 26). The representative becomes the point of contact for national authorities. The size thresholds still apply based on the EU-facing operation.