
Does NIS2 Apply to My Company? The 2026 Scope Guide

Two questions decide it: your sector and your size. Plus the DORA carve-out that takes most banks, insurers and other financial entities out of NIS2's risk-management, incident-reporting and supervision provisions.

Most "am I in scope for NIS2?" answers online are vague. Here is the deterministic version. You are in scope for the NIS2 Directive (Directive (EU) 2022/2555) if you answer yes to both questions below; the size-independent entity types listed under Question 2 are the only exceptions to the second test.

Question 1: Is your sector covered?

NIS2 lists sectors in two annexes.

Annex I (high-criticality sectors): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B, including managed service providers), public administration, and space.

Annex II (other critical sectors): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices and in vitro diagnostic devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and trailers, other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), and research.

If your activity is not in either annex, NIS2 does not apply, with two caveats. Member States may extend their transposition beyond the annexes, for example to local public administration and to education institutions (Art. 2(5)), so check the national law rather than only the Directive. And an entity identified as a critical entity under the CER Directive (Directive (EU) 2022/2557) is in scope regardless of size (Art. 2(3)).

Question 2: Are you big enough?

NIS2 generally applies from the medium-enterprise threshold up, measured under Commission Recommendation 2003/361/EC: you are in scope if you employ 50 or more people, or if both your annual turnover and your balance sheet total exceed EUR 10M. Two practitioner caveats. First, headcount and financials are computed together with partner and linked enterprises, so a small EU subsidiary of a large group can count as medium or large. Second, some entity types are in scope regardless of size (Art. 2(2) to 2(4)): providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, DNS service providers, domain name registration service providers, central government public administration, entities identified as critical under the CER Directive, and any entity a Member State identifies as the sole provider of an essential service, as one whose disruption would significantly affect public safety, security or health, as a systemic risk, or as critical at national or regional level.

Essential or Important?

Both answers "yes" means you are in scope. Which tier you land in changes your supervision and your fines:

  • Essential Entity: Annex I entities that exceed the medium-enterprise ceiling (250 or more employees, or turnover above EUR 50M and balance sheet above EUR 43M), plus, regardless of size, qualified trust service providers, TLD name registries, DNS service providers, central government public administration, medium-sized providers of public electronic communications networks or services, and entities a Member State designates as essential (Art. 3(1)). Proactive (ex ante and ex post) supervision; fines up to EUR 10M or 2% of total worldwide annual turnover, whichever is higher.
  • Important Entity: every other in-scope entity, i.e. medium-sized Annex I entities and Annex II entities of any in-scope size, large ones included (Art. 3(2)). Reactive (ex post) supervision; fines up to EUR 7M or 1.4% of total worldwide annual turnover, whichever is higher.

Under Art. 20, your management body must approve the cybersecurity risk-management measures, oversee their implementation and follow training on them, and can be held liable under national law for the entity's infringements.

The exception that catches everyone: banks, insurers, financial firms

This is the most common "does NIS2 apply to me?" mistake. Banking and financial market infrastructures are listed in Annex I, but DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554, applicable since 17 January 2025) is the lex specialis for financial entities. Where a sector-specific Union act requires risk-management measures and incident notification that are at least equivalent in effect, those NIS2 provisions, including the related supervision and enforcement, do not apply to the entities it covers (Art. 4; recital 28 names DORA explicitly). In practice that means credit institutions, insurers, investment firms, payment institutions and the other financial entities listed in DORA Art. 2 follow DORA's ICT risk-management, incident-reporting and third-party-risk rules, not NIS2's Art. 21 measures or Art. 23 reporting. One check before you rely on this: confirm your entity type is actually one of those listed in DORA Art. 2. A company that is not an authorised financial entity gets no carve-out and is assessed against the NIS2 annexes like anyone else, for example as a cloud computing service or digital provider. If you searched "does NIS2 apply to banks" or "does NIS2 apply to insurance companies," DORA is almost certainly your real obligation.

Quick answers for the sectors people ask about

  • SaaS / cloud / managed IT: usually yes, once you clear the size threshold. SaaS and hosting are cloud computing services (digital infrastructure, Annex I); outsourced IT operations and security operations are managed service providers and managed security service providers (ICT service management, B2B, Annex I). Neither type is on the size-independent list, so a small vendor is out unless a Member State designates it. Jurisdiction follows your main establishment rather than every Member State you serve, and a provider established outside the EU that offers these services in the EU must designate an EU representative (Art. 26).
  • Manufacturing: yes if medium-sized or larger and you make medical devices or in vitro diagnostics, computer, electronic or optical products, electrical equipment, machinery, motor vehicles or other transport equipment (Annex II, so always an Important Entity). Chemicals and food production are separate Annex II sectors with the same size test.
  • Banks / insurers / financial services: DORA applies, not NIS2 (see above).

Find your exact answer in 30 seconds

This guide gives you the rules. The tool gives you your classification.

-> Run the free NIS2 Applicability Checker - enter your sector, headcount and turnover and get an instant Essential / Important / out-of-scope result with your obligations.

-> Which EU regulations apply to me? - the QuickScan covers NIS2, GDPR, CBAM, PPWR and the AI Act in one pass.

Source

Directive (EU) 2022/2555 (NIS2) | Regulation (EU) 2022/2554 (DORA)

Last verified: 21 June 2026. The Directive's transposition deadline was 17 October 2024, but national laws and their registration deadlines differ; check your national authority for the local registration date.
