
Does NIS2 Apply to My Organisation? How to Find Out in 5 Minutes

By NIS2Certify
nis2, scope, compliance, size-cap, sectors

Thousands of organisations across the EU are now covered by the NIS2 Directive — many without realising it. The scope is significantly wider than the original NIS Directive, and the consequences of non-compliance are severe: fines up to €10 million and personal liability for board members.

In this article, we walk you through the exact criteria so you can determine whether NIS2 applies to your organisation.


Quick check: does NIS2 apply to you?

Use this decision tree to get a quick answer:

Does NIS2 Apply to Your Organisation?

  1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? (Yes / No)
  2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? (Yes / No)
  3. Is your organisation a critical infrastructure provider or a qualified trust service provider? (Yes / No)

Possible outcomes:

Applies: NIS2 applies to your organisation as an Essential or Important Entity.
Possibly applies: NIS2 may apply to your organisation — seek legal advice to confirm your status.
Does not apply: NIS2 does not directly apply to your organisation.

The 18 NIS2 sectors

NIS2 does not apply to every organisation automatically. The directive covers 18 sectors divided across two annexes. Your organisation must operate in one of these sectors to fall under the regulation.


What counts as a sector?

Even if your primary activity falls within one of the 18 sectors, your organisation must also meet the size thresholds (medium-sized enterprise or above) or be explicitly designated by your national authority. Organisations in Annex I sectors face stricter requirements and higher fines than those in Annex II.


Fines and enforcement

Non-compliance with NIS2 can lead to significant fines. Essential entities face fines of up to €10 million or 2% of global annual turnover (whichever is higher), while important entities face fines of up to €7 million or 1.4% of global annual turnover.

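|                       | Essential entities             | Important entities              |
|-----------------------|--------------------------------|---------------------------------|
| Max fine (fixed)      | €10 million                    | €7 million                      |
| Max fine (% turnover) | 2% of global annual turnover   | 1.4% of global annual turnover  |
| Supervision model     | Proactive — audits at any time | Reactive — after incidents only |
| Board liability       | Yes — personal                 | Yes — personal                  |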

The fine is whichever amount is higher — the fixed amount or the percentage of turnover.


Common misconceptions

"We're too small for NIS2"

If you have 50+ employees or €10M+ turnover/balance sheet, you meet the size threshold. Many mid-sized companies don't realise this includes them.

"NIS2 is only for IT companies"

NIS2 covers 18 sectors including food, manufacturing, waste management, and postal services. It's not just about tech.

"We're not 'essential' so we don't need to worry"

Both essential and important entities must implement the same 10 measures from Article 21. The difference is only in how strictly you're supervised and the maximum fine amounts.

"Our country hasn't implemented NIS2 yet, so we have time"

The EU directive has been in force since January 2023. Even if your national law is delayed, the direction is clear and many customers and partners are already requiring NIS2-level security.

"We already have ISO 27001, so we're covered"

ISO 27001 covers much of what NIS2 requires, but not everything. NIS2 adds specific requirements around incident reporting (24-hour notifications), board liability, and supply chain security that ISO 27001 doesn't fully address.


How to determine your NIS2 status — step by step

Here's a practical checklist:

  1. Count your employees — do you have 50 or more? If yes → continue to step 2
  2. Check your financials — is your annual turnover or balance sheet above €10 million? If yes → continue to step 2
  3. Identify your sector — do you operate in any of the 18 covered sectors? If yes → NIS2 applies to you
  4. Check for exceptions — are you a DNS provider, TLD registry, or trust service provider regardless of size? If yes → NIS2 applies to you
  5. Check supply chain exposure — do your customers fall under NIS2? If yes → expect indirect compliance requirements

Not sure? Take our free quickscan

Still uncertain whether NIS2 applies to your organisation — or how ready you are? Our free NIS2 quickscan helps you find out in just a few minutes.

The scan assesses your organisation against all 10 Article 21 measure categories and gives you a clear picture of where you stand — completely free, no strings attached.

