NIS2 Annex I and II Sector Scoping

Decide whether an entity belongs in a NIS2 Annex I or Annex II sector, then classify it as essential, important, or out of scope.

Use the Directive, Commission Article 3(4) guidance, and the SME recommendation to record the sector, subsector, entity type, size-cap analysis, Member State registration facts, and reassessment trigger.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

NIS2 sector scoping starts with Article 2 and the Annex I and Annex II tables. The practical question is not simply whether a company works in a critical industry. Teams need to identify the exact sector, subsector, and type of entity, test the size-cap rule and special cases, then decide whether Article 3 treats the entity as essential or important.

Section 1

What should a NIS2 Annex I and Annex II scoping decision answer?

A useful scoping record should answer four questions: which Annex I or Annex II row applies, whether the entity meets the Article 2 scope rule, whether any regardless-of-size or Member State identification rule applies, and whether Article 3 classifies the entity as essential or important.

Do not treat the Annex labels as broad industry tags. Annex I and Annex II name specific types of entities, and several rows include exclusions or references to other EU definitions. Record the exact row used and the facts that support it.

  • Identify the sector, subsector, and type of entity from Annex I or Annex II.
  • Apply the Article 2 size-cap rule for medium-sized enterprises or larger entities before relying on general sector language.
  • Check Article 2 special cases that apply regardless of size, including certain communications, trust, DNS, domain registration, critical-entity, sole-provider, systemic-risk, and public-administration cases.
  • Classify the result under Article 3 as essential, important, or out of scope, and save the reason.

Section 2

How do Annex I and Annex II divide the sectors?

Annex I covers sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management for business-to-business services, public administration, and space.

Annex II covers other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; specified manufacturing activities; digital providers; and research organisations.

  • Use Annex I first when the service is in energy, transport, finance, health, water, digital infrastructure, managed services, public administration, or space.
  • Use Annex II when the activity fits postal and courier services, waste, chemicals, food, listed manufacturing categories, online marketplace/search/social networking providers, or research organisations.
  • Preserve exclusions from the Annex row, such as non-principal waste management activity or non-essential water and waste-water activities.
  • When a business has multiple services, scope each service line separately instead of forcing one company-wide sector label.

Section 3

When is an Annex I or Annex II entity essential or important?

Article 3 treats some entities as essential and leaves the remaining in-scope Annex I or Annex II entities as important. Annex I entities that exceed the medium-sized enterprise ceilings are essential. Qualified trust service providers, top-level domain name registries, and DNS service providers are essential regardless of size.

Other Article 3 essential-entity paths include medium-sized public electronic communications network or service providers, central-government public administration entities, Member State identification under Article 2(2)(b) to (e), entities identified as critical entities under Directive (EU) 2022/2557, and, if a Member State provides for it, former operators of essential services identified before 16 January 2023.

  • Classify Annex I entities above the medium-sized enterprise ceilings as essential unless a more specific rule changes the analysis.
  • Classify in-scope Annex I or Annex II entities that do not meet an essential-entity path as important.
  • Track national implementation because Member States can identify additional essential or important entities under Article 2(2)(b) to (e).
  • Do not assume a small or micro entity is out of scope until Article 2 regardless-of-size and Member State identification rules have been checked.

Section 4

What evidence should teams keep for sector scoping?

The evidence should let a reviewer reconstruct the classification without guessing. Keep the legal entity name, establishment and service countries, business service description, Annex row, customer-facing service, size-cap data, special-case analysis, and final classification.

Article 3(4) guidance points to practical registration data: entity name, address, contact details, email addresses, IP ranges, telephone numbers, relevant sector and subsector, and Member States where in-scope services are provided. Use that list as a minimum evidence model even when the local registration process asks for more.

  • Store the Annex row, the service facts, and the source quote beside the classification decision.
  • Keep size-cap support separate from sector support so finance, legal, and compliance reviewers can verify their own parts.
  • Record whether Article 27 registration concepts are relevant for DNS, TLD, domain registration, cloud, data centre, CDN, managed service, managed security, marketplace, search, or social networking providers.
  • Add a reassessment trigger for new countries, new service lines, acquisitions, size-threshold changes, and Member State authority requests.

Section 5

Implementation checklist for NIS2 Annex I and Annex II scoping

Use this checklist before relying on a NIS2 sector classification in a control plan, registration response, customer answer, or board report.

The goal is a narrow, source-linked classification that survives later changes in service scope, Member State implementation, and corporate size.

Does being in an Annex I or Annex II sector automatically make an entity subject to NIS2?

No. Article 2 still requires the entity to meet the size-cap rule or a specific regardless-of-size or Member State identification path. The Annex row identifies the sector and type of entity; it does not complete the scope analysis by itself.

What is the difference between essential and important entities for Annex I and Annex II scoping?

Article 3 lists the essential-entity paths, including Annex I entities above the medium-sized enterprise ceilings and several special categories. In-scope Annex I or Annex II entities that do not qualify as essential are treated as important entities.

  • Annex I or Annex II sector, subsector, and type of entity are named exactly.
  • Medium-sized enterprise status or larger size is supported with the SME recommendation data points.
  • Regardless-of-size and Member State identification rules have been checked before marking an entity out of scope.
  • Essential versus important classification is recorded with the Article 3 paragraph relied on.
  • Registration evidence includes legal entity, address, contacts, IP ranges where applicable, service countries, and authority submission status.
  • Reassessment triggers are defined for service, country, acquisition, corporate-size, authority, and sector-specific legal changes.

Primary sources

References and citations

eur-lex.europa.eu
Referenced sections
  • Primary legal source for the checklist's scope and classification steps.
"entities of a type referred to in Annex I or II"