NIS2 Applicability Checker
The NIS2 Directive (Directive (EU) 2022/2555) applies to organisations in 35 sectors across all 27 EU member states. It creates two tiers -- Essential Entities and Important Entities -- with fundamentally different supervision regimes, fine levels, and registration deadlines. Most SMEs in covered sectors do not know which tier they fall into, or whether they are in scope at all. This tool uses the Annex I and II classification rules directly from the Directive to give you an instant, deterministic answer. No registration. No consulting fee.
Verificador de aplicabilidad NIS2
Determine si su organización es esencial, importante o está fuera de ámbito según la Directiva (UE) 2022/2555
Seleccione el sector principal en el que opera su organización. Si opera en varios sectores, seleccione el que con mayor probabilidad le sitúe en la categoría más alta.
Plantilla total en todas las entidades de su grupo (Art. 3, Directiva 2022/2555 utiliza la definición de pyme de la Rec. 2003/361/CE).
Facturación anual a nivel de grupo en millones de EUR. Utilice el total del balance si la facturación no aplica a su tipo de entidad.
Su establecimiento principal en la UE. Esto determina ante qué autoridad nacional debe registrarse y qué plazo aplica.
Clasificación basada en los Anexos I y II de la Directiva 2022/2555. Las leyes de transposición nacionales pueden añadir sectores o ajustar umbrales. No constituye asesoramiento jurídico.
Frequently asked questions
What is the difference between an Essential Entity and an Important Entity?
Essential Entities face proactive supervision: authorities can audit them at any time. Important Entities face reactive supervision: authorities investigate only after a complaint or incident. Both must implement the same 10 cybersecurity measures and meet the same incident reporting deadlines, but fines differ -- up to EUR 10M or 2% of global turnover for Essential, up to EUR 7M or 1.4% for Important. Board members are personally liable in both cases under Art. 20.
What if my company operates in multiple NIS2 sectors?
If your organisation meets thresholds in multiple sectors, the highest classification applies. A company in both Annex I and Annex II that meets the large enterprise threshold (250+ employees or EUR 50M+ turnover) is classified as Essential regardless of which sector triggers it first. Use this checker for your primary sector and consult a legal advisor if multi-sector classification creates ambiguity.
What are the 10 NIS2 cybersecurity measures under Art. 21?
Art. 21 requires: (1) risk analysis and information system security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) security in network and information systems acquisition, (6) policies to assess effectiveness of measures, (7) basic cyber hygiene practices and training, (8) policies on cryptography, (9) human resources security and access control, (10) use of multi-factor authentication and secure communications.
What happens if I miss the NIS2 registration deadline?
Failure to register is an infringement subject to fines. National authorities have begun enforcement, and several countries have already issued warnings to unregistered entities in covered sectors. The deadline varies by country -- some have already passed. Register as soon as possible and document your registration attempt and date of submission.
Does NIS2 apply to non-EU companies serving EU customers?
Yes, with conditions. If your organisation provides services covered by NIS2 in the EU but is not established in the EU, you must designate a representative in an EU member state (Art. 26). The representative becomes the point of contact for national authorities. The size thresholds still apply based on the EU-facing operation.