NIS2 divides in-scope entities into two categories: essential entities and important entities. The classification determines the intensity of regulatory supervision you face, the penalties for non-compliance, and the priority with which national authorities will engage with you. Both categories have the same substantive security and incident reporting requirements — the difference is primarily in how you are supervised.
Essential Entities (Annex I)
Essential entities are organisations in the most critical sectors. They face proactive, ongoing supervision — meaning authorities can initiate audits and investigations without waiting for evidence of non-compliance.
The sectors:
| Sector | Examples |
|---|---|
| Energy | Electricity generators and distributors, oil and gas operators, district heating |
| Transport | Airlines, airports, rail infrastructure, shipping, road transport operators |
| Banking | Credit institutions (banks), payment institutions |
| Financial market infrastructure | Trading venues, clearing houses, central counterparties |
| Health | Hospitals, clinical labs, diagnostic centres, medical device manufacturers |
| Drinking water | Water supply and distribution companies |
| Waste water | Wastewater treatment companies above threshold |
| Digital infrastructure | Cloud computing, data centres, CDNs, DNS, TLD registries, internet exchange points, trust service providers, telecoms |
| ICT service management | Managed service providers (MSPs), managed security service providers (MSSPs) |
| Public administration | Central government entities |
| Space | Ground infrastructure operators |
Size threshold for essential entities: Large enterprises — more than 250 employees OR annual turnover over €50 million OR balance sheet total over €43 million. Some categories (digital infrastructure) have no size threshold.
Important Entities (Annex II)
Important entities face reactive supervision — authorities investigate when evidence of potential non-compliance emerges, but do not conduct routine proactive audits at the same rate.
The sectors:
| Sector | Examples |
|---|---|
| Postal and courier services | Postal operators, delivery companies |
| Waste management | Waste treatment and collection companies |
| Manufacture of chemicals | Chemical manufacturers above threshold |
| Food production and distribution | Large food producers and distributors |
| Manufacturing | Medical devices, computers and electronics, machinery, transport equipment, motor vehicles |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Research organisations |
Size threshold for important entities: Medium enterprises — more than 50 employees AND annual turnover/balance sheet over €10 million.
Some sectors have national implementation variations — member states can expand scope to include smaller entities or additional sectors.
Supervision Differences in Practice
| Aspect | Essential Entities | Important Entities |
|---|---|---|
| Supervision model | Proactive — regular audits regardless of compliance status | Reactive — audits triggered by incidents or complaints |
| On-site inspections | Permitted at any time | Generally only after evidence of non-compliance |
| Regular audits | Yes — by national authority or accredited body | Less frequent, evidence-based |
| Management liability | Personal liability for managers of essential entities explicitly stated | Personal liability provisions may apply but less emphasis |
Management Accountability Under NIS2
NIS2 Article 20 explicitly requires management bodies of both essential and important entities to:
- Approve cybersecurity risk management measures
- Oversee implementation of those measures
- Bear responsibility for non-compliance
For essential entities, this is particularly firm. Management of an essential entity can be held personally liable for violations of NIS2 obligations, and the directive explicitly requires individuals in management positions to undertake regular cybersecurity training.
This creates a governance requirement that goes beyond delegating security to the IT team. The board or senior management must be actively involved in approving and overseeing cybersecurity governance.
Penalty Differences
| Entity type | Administrative fines |
|---|---|
| Essential entities | Up to €10 million or 2% of global annual turnover (whichever higher) |
| Important entities | Up to €7 million or 1.4% of global annual turnover (whichever higher) |
Registration Requirements
Both essential and important entities must register with the national NIS2 competent authority in their member state. Registration deadlines vary by member state — most are aligned with or shortly after the NIS2 transposition deadline of October 2024.
The registration process typically requires:
- Organisation name and contact details
- Sector classification
- Member states in which you operate
- IP address ranges of internet-facing systems
If You Are Unsure of Your Classification
Common classification ambiguities:
Cloud providers: IaaS and PaaS providers are essential entities under digital infrastructure. Pure SaaS providers may be important entities (as digital providers) or not in scope at all; this depends on whether the SaaS offering meets the directive's definition of a digital service.
MSPs and MSSPs: Explicitly essential entities under NIS2 — the ICT service management category was specifically added to capture managed service providers.
Healthcare SaaS: Clinical systems serving hospitals are likely essential entities (part of the healthcare sector supply chain). Non-clinical health SaaS depends on the specific service.