Save 20% on accredited ISO 27001 course exams.
Limited-time offer – ends February 29, 2024
Use promo code:
EXAM20

Which companies must comply with NIS 2? Essential vs. important entities

The NIS 2 Directive clearly lists all the sectors and subsectors (industries) that need to comply with this European cybersecurity directive. However, there are many exceptions to this list, and the line between essential and important entities is not very easy to understand — in this article, I present a clear explanation of who needs to be compliant, and in what status.

Mid-size and large companies from the following sectors must comply with NIS2: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management (business-to-business); public administration; space; postal and courier services; waste management; manufacture, production, and distribution of chemicals; production, processing, and distribution of food; manufacturing; digital providers; and research.

Criteria that determine which companies must comply with NIS2

There are three general criteria that define which organizations must comply with NIS 2:

  • 1) Location — if they provide services or carry out activities in any country in the European Union (no matter if they are based in the EU or not), and
  • 2) Size — if they are categorized as mid-sized or large organizations (see the criteria in the section below), and
  • 3) Industry — if they operate in any of the 18 sectors listed in the table below.

However, there are some exceptions to these rules — see the table in the section below for further explanation.

What are essential and important entities?

“Essential entities” and “important entities” are what NIS 2 calls companies and other organizations that need to comply with NIS 2.

NIS 2 defines essential entities as follows:

  • Companies that are categorized as large enterprises (see the criteria in the next section) and are in one of the 11 critical sectors (listed in the table below)
  • Trust service providers
  • DNS service providers
  • Public electronic communication networks
  • Public administration entities
  • Any critical entity according to Critical Entities Resilience (CER) Directive (EU) 2022/2557
  • Other entities specified by Member States

Important entities are all other organizations that are not categorized as essential entities, but that fall under the 3 criteria mentioned in the previous section.

Which companies must comply with NIS 2? Essential vs. important entities - Advisera

Breakdown of sectors & essential and important entities

Since the above explanation from NIS 2 is a bit confusing, I made the table below to show which organizations need to comply with NIS 2, and if they are classified as essential or important entities.

For clarification, here’s how the EU classifies companies according to their size:

  • Micro and small organizations — if they have fewer than 50 employees and less than 10 million euros in annual revenue.
  • Mid-size organizations — if they have 50 to 250 employees and 10 to 50 million euros in annual revenue.
  • Large organizations — if they have more than 250 employees and more than 50 million euros in annual revenue.
Sector Subsector Type of entity Micro and small organizations* Mid-sized organizations Large organizations
Sectors of high criticality
1. Energy (a) Electricity Electricity undertakings which carry out the function of ‘supply’ (NIS 2 compliance not required) Important entity Essential entity
Distribution system operators (NIS 2 compliance not required) Important entity Essential entity
Transmission system operators (NIS 2 compliance not required) Important entity Essential entity
Producers (NIS 2 compliance not required) Important entity Essential entity
Nominated electricity market operators
Market participants
Operators of a recharging point
(NIS 2 compliance not required) Important entity Essential entity
(b) District heating and cooling Operators of district heating or district cooling (NIS 2 compliance not required) Important entity Essential entity
(c) Oil Operators of oil transmission pipelines (NIS 2 compliance not required) Important entity Essential entity
Operators of oil production, refining and treatment facilities, storage and transmission (NIS 2 compliance not required) Important entity Essential entity
Central stockholding entities (NIS 2 compliance not required) Important entity Essential entity
(d) Gas Supply undertakings (NIS 2 compliance not required) Important entity Essential entity
Distribution system operators (NIS 2 compliance not required) Important entity Essential entity
Transmission system operators (NIS 2 compliance not required) Important entity Essential entity
Storage system operators (NIS 2 compliance not required) Important entity Essential entity
LNG system operators (NIS 2 compliance not required) Important entity Essential entity
Natural gas undertakings (NIS 2 compliance not required) Important entity Essential entity
Operators of natural gas refining and treatment facilities (NIS 2 compliance not required) Important entity Essential entity
(e) Hydrogen Operators of hydrogen production, storage and transmission (NIS 2 compliance not required) Important entity Essential entity
2.Transport (a) Air Air carriers used for commercial purposes (NIS 2 compliance not required) Important entity Essential entity
Airport managing bodies, airports, including the core airports, and entities operating ancillary installations contained within airports (NIS 2 compliance not required) Important entity Essential entity
Traffic management control operators providing air traffic control (ATC) services (NIS 2 compliance not required) Important entity Essential entity
(b) Rail Infrastructure managers (NIS 2 compliance not required) Important entity Essential entity
Railway undertakings, including operators of service facilities (NIS 2 compliance not required) Important entity Essential entity
(c) Water Inland, sea and coastal passenger and freight water transport companies, not including the individual vessels operated by those companies (NIS 2 compliance not required) Important entity Essential entity
Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports (NIS 2 compliance not required) Important entity Essential entity
Operators of vessel traffic services (VTS) (NIS 2 compliance not required) Important entity Essential entity
(d) Road Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity (NIS 2 compliance not required) Important entity Essential entity
Operators of Intelligent Transport Systems (NIS 2 compliance not required) Important entity Essential entity
3. Banking (Subsector not specified) Credit institutions (NIS 2 compliance not required) Important entity Essential entity
4. Financial market infrastructures (Subsector not specified) Operators of trading venues (NIS 2 compliance not required) Important entity Essential entity
Central counterparties (CCPs) (NIS 2 compliance not required) Important entity Essential entity
5. Health (Subsector not specified) Healthcare providers (NIS 2 compliance not required) Important entity Essential entity
EU reference laboratories (NIS 2 compliance not required) Important entity Essential entity
Entities carrying out research and development activities of medicinal products
Entities manufacturing basic pharmaceutical products and pharmaceutical preparations
Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list)
(NIS 2 compliance not required) Important entity Essential entity
6. Drinking water (Subsector not specified) Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods (NIS 2 compliance not required) Important entity Essential entity
7. Waste water (Subsector not specified) Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity (NIS 2 compliance not required) Important entity Essential entity
8. Digital infrastructure (Subsector not specified) Internet Exchange Point providers (NIS 2 compliance not required) Important entity Essential entity
DNS service providers, excluding operators of root name servers Essential entity Essential entity Essential entity
TLD name registries Essential entity Essential entity Essential entity
Domain name registration services Important entity Important entity Important entity
Cloud computing service providers (NIS 2 compliance not required) Important entity Essential entity
Data centre service providers (NIS 2 compliance not required) Important entity Essential entity
Content delivery network providers (NIS 2 compliance not required) Important entity Essential entity
Trust service providers Essential entity Essential entity Essential entity
Providers of public electronic communications networks Important entity Essential entity Essential entity
Providers of publicly available electronic communications services Important entity Essential entity Essential entity
9. ICT service management (business-to-business) (Subsector not specified) Managed service providers
Managed security service providers
(NIS 2 compliance not required) Important entity Essential entity
10. Public administration (Subsector not specified) Public administration entities of central governments as defined by a Member State in accordance with national law Essential entity Essential entity Essential entity
Public administration entities at regional level as defined by a Member State in accordance with national law Essential entity Essential entity Essential entity
Public administration entities at local level (if a Member State decides) (if a Member State decides) (if a Member State decides)
11. Space (Subsector not specified) Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks (NIS 2 compliance not required) Important entity Essential entity
Other critical sectors
1. Postal and courier services (Subsector not specified) Postal service providers, including providers of courier services (NIS 2 compliance not required) Important entity Important entity
2. Waste management (Subsector not specified) Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity (NIS 2 compliance not required) Important entity Important entity
3. Manufacture, production and distribution of chemicals (Subsector not specified) Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles from substances or mixtures (NIS 2 compliance not required) Important entity Important entity
4. Production, processing and distribution of food (Subsector not specified) Food businesses which are engaged in wholesale distribution and industrial production and processing (NIS 2 compliance not required) Important entity Important entity
5. Manufacturing (a) Manufacture of medical devices and in vitro diagnostic medical devices Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices with the exception of entities manufacturing medical devices (NIS 2 compliance not required) Important entity Important entity
(b) Manufacture of computer, electronic and optical products Undertakings carrying out any of the economic activities (NIS 2 compliance not required) Important entity Important entity
(c) Manufacture of electrical equipment Undertakings carrying out any of the economic activities (NIS 2 compliance not required) Important entity Important entity
(d) Manufacture of machinery and equipment n.e.c. Undertakings carrying out any of the economic activities (NIS 2 compliance not required) Important entity Important entity
(e) Manufacture of motor vehicles, trailers and semi-trailers Undertakings carrying out any of the economic activities (NIS 2 compliance not required) Important entity Important entity
(f) Manufacture of other transport equipment Undertakings carrying out any of the economic activities (NIS 2 compliance not required) Important entity Important entity
6. Digital providers (Subsector not specified) Providers of online marketplaces (NIS 2 compliance not required) Important entity Important entity
Providers of online search engines (NIS 2 compliance not required) Important entity Important entity
Providers of social networking services platforms (NIS 2 compliance not required) Important entity Important entity
7. Research (Subsector not specified) Research organisations (NIS 2 compliance not required) Important entity Important entity
Education institutions, in particular where they carry out critical research activities (if a Member State decides) (if a Member State decides) (if a Member State decides)

*Micro and small organizations also need to be compliant with NIS 2 in the following cases:

  • If, according to NIS2 Article 2 paragraph 2:
    • “(b) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
    • (c) disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
    • (d) disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
    • (e) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;”
  • If a Member State has defined that entity as a “critical entity” according to Critical Entities Resilience (CER) Directive (EU) 2022/2557

What is different for essential and important entities in NIS2?

Here are the most important differences in how NIS 2 treats essential and important entities:

  • Article 32 specifies stricter supervisory and enforcement measures for essential entities than those specified in Article 33 for important entities.
  • Article 32 also specifies that senior management of essential entities can be held liable for breach of their duties to ensure compliance with NIS 2; this requirement does not exist for important entities.
  • Article 34 specifies higher fines for essential entities:
    • For essential entities – the fines are up to 10 million euro or 2% of the total annual turnover.
    • For important entities – the fines are up to 7 million euro or 1.4% of the total annual turnover.

A much wider reach than the old NIS Directive

It is estimated that at least 100,000 companies need to be compliant with NIS 2 – this is a much larger number than the old NIS Directive required. On top of this, NIS2 covers also important and essential entities that provide services in any EU country, even if these companies are based outside of the European Union.

So, there will be lots of work for cybersecurity professionals.

For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic