Essential vs Important Entities: Complete Classification Guide

The Nistoo Team
5 March 2024

Learn the difference between Essential and Important entities under NIS2, how size thresholds work, and what obligations apply to each tier.

NIS2 introduces a two-tier classification system that determines the level of scrutiny and obligation an organisation faces. Understanding which category your organisation falls into is the essential first step in your NIS2 compliance journey. The classification affects your reporting obligations, supervision model, and the fines you face if you are non-compliant.

The Two-Tier System

NIS2 divides covered entities into Essential Entities (EE) and Important Entities (IE). Essential Entities face stricter ex-ante supervision — meaning regulators can proactively audit and inspect them — while Important Entities are subject to ex-post supervision, meaning regulators typically act only after receiving evidence of non-compliance. Both tiers must implement the same 10 security measures under Article 21, but the consequences of failing differ significantly.

Figure: Decision flowchart for determining your entity classification under NIS2

  • Is your organisation active in the EU? No → NOT IN SCOPE. Yes → continue.
  • Operate in an Annex I sector? Yes → Large entity? (250+ / €50M+): Yes → ESSENTIAL ENTITY; No (Medium) → IMPORTANT ENTITY.
  • Always Essential sectors? (Digital infra, ICT services, Public admin): Yes → Essential Entity; No → continue.
  • Annex II sector? Yes + Medium/Large → IMPORTANT ENTITY; No / Micro/Small → NOT IN SCOPE*.

* Some exceptions apply — see special cases in the full guide

Annex I — Highly Critical Sectors

Large and medium organisations operating in Annex I sectors are classified as Essential Entities. The Annex I sectors are:

  • Energy — electricity, district heating/cooling, oil, gas, hydrogen
  • Transport — air, rail, water, road
  • Banking — credit institutions
  • Financial market infrastructure — trading venues, central counterparties
  • Health — healthcare providers, EU reference laboratories, pharmaceutical manufacturers, medical device manufacturers
  • Drinking water — suppliers and distributors
  • Waste water — collection and treatment operators
  • Digital infrastructure — DNS providers, TLD registries, cloud providers, datacentre operators, content delivery networks, trust service providers, public electronic communications networks
  • ICT service management — managed service providers (MSPs) and managed security service providers (MSSPs)
  • Public administration — central and regional government
  • Space — operators of ground-based infrastructure

Always Essential

Organisations in the digital infrastructure, ICT service management, and public administration sectors are always classified as Essential Entities regardless of their size. The standard medium/large size thresholds do not apply to these sectors.

Annex II — Other Critical Sectors

Medium and large organisations in Annex II sectors are classified as Important Entities. Annex II covers:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing — medical devices (including in-vitro diagnostic), electronic and optical products, electrical equipment, machinery and equipment, motor vehicles and trailers, other transport equipment
  • Digital providers — online marketplaces, online search engines, social networking services platforms
  • Research organisations

Size Thresholds

For most sectors, NIS2 applies only to medium and large enterprises. Microenterprises and small enterprises are generally exempt, unless they meet specific criteria or operate in sectors where size thresholds do not apply.

| Entity Size | Employees | Annual Turnover OR Balance Sheet Total | NIS2 Relevance |
|---|---|---|---|
| Micro enterprise | < 10 | ≤ €2 million | Generally EXEMPT |
| Small enterprise | 10–49 | ≤ €10 million | Generally EXEMPT |
| Medium enterprise | 50–249 | ≤ €50 million turnover OR ≤ €43 million balance sheet | In scope as Important Entity (Annex I or II) |
| Large enterprise | ≥ 250 | > €50 million turnover OR > €43 million balance sheet | In scope as Essential Entity (Annex I) or Important Entity (Annex II) |

Obligations by Entity Type

While the core security requirements are identical, supervision and sanctions differ between the two tiers:

| Obligation | Essential Entity | Important Entity |
|---|---|---|
| Security measures (Art. 21) | Required | Required |
| Incident reporting (Art. 23) | Required | Required |
| Registration | Required | Required |
| Supervision model | Ex-ante (proactive) | Ex-post (reactive) |
| Regular audits | Yes — can be mandated | Only following incidents or complaints |
| On-site inspections | Authorities can mandate | Only after evidence of non-compliance |
| Maximum fine | €10M or 2% of global turnover | €7M or 1.4% of global turnover |
| Management liability | Yes — personal sanctions possible | Yes — personal sanctions possible |

Special Cases and Edge Scenarios

Several special cases exist where the standard classification rules do not apply. Sole point of failure entities — organisations whose disruption would significantly impact public security, safety, or the economy — may be classified as Essential regardless of size. Critical dependency entities, where another Essential Entity critically depends on them, may also be brought into scope. Member States have discretion to extend coverage to additional organisations they deem critical at a national level.

Microenterprises Are Not Always Exempt

If your organisation is a microenterprise but operates as a trust service provider, TLD name registry, public electronic communications network provider, or DNS resolver, you are in scope for NIS2 regardless of your size. Always check sector-specific rules before concluding you are exempt.
