EU NIS2 Directive Applicability Test

Decide whether an entity, service, or planned EU operation falls within NIS2 before assigning cybersecurity and reporting work.

Use the test to map Annex I or Annex II sector coverage, size and size-independent triggers, essential or important classification, Member State jurisdiction, and the evidence needed for review.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

The NIS2 applicability test should answer a practical classification question: does the entity provide an Annex I or Annex II activity in the Union, does it meet the size-cap rule or a size-independent trigger, and should it be treated as an essential or important entity. Keep the result as a cited scope record that can be reused for registration, authority notification, risk-management, incident-reporting, and management-body accountability work.

Section 2

Step 2: map the activity to Annex I or Annex II sectors

The sector map is the core of the applicability test. Annex I covers sectors of high criticality such as energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Annex II covers other critical sectors such as postal and courier services, waste management, chemicals, food, manufacturing categories, digital providers, and research organisations.

Use the defined entity types inside each annex, not only the sector heading. For example, the digital-infrastructure section distinguishes DNS service providers, TLD registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, and public electronic communications providers.

  • Classify the exact sector, subsector, and entity type; keep a no-match explanation where the sector label is close but the defined entity type does not fit.
  • For digital and ICT service operations, distinguish digital infrastructure, ICT service management, and digital provider categories because they can route to different jurisdiction and registration facts.
  • For manufacturing, food, chemicals, waste, health, water, and transport, attach the operational activity evidence that proves the entity type rather than relying on marketing descriptions.
  • Where one entity runs multiple services, classify each service separately and then record the entity-level conclusion.

Section 3

Step 3: apply the size-cap rule and size-independent triggers

For most Annex I and Annex II entity types, Article 2 starts with the size-cap rule: the Directive applies where the entity qualifies as a medium-sized enterprise under the Annex to Commission Recommendation 2003/361/EC, or exceeds the ceilings for medium-sized enterprises, and provides the relevant services or activities in the Union.

That is not the end of the test. Article 2 also applies regardless of size to listed cases, including providers of public electronic communications networks or publicly available electronic communications services, trust service providers, TLD registries and DNS service providers, sole providers of essential services in a Member State, entities whose service disruption could have specified public-safety, systemic, or national or regional importance effects, certain public administration entities, critical entities under Directive (EU) 2022/2557, and entities providing domain name registration services.

  • Record the headcount, turnover, balance-sheet, linked-enterprise, and partner-enterprise basis used for the size conclusion; if the facts are missing, mark the test incomplete.
  • Test size-independent categories even where the entity is small or micro, especially for public electronic communications, trust services, DNS, TLD, domain name registration, sole-provider, public administration, and critical-entity facts.
  • Do not use SME status as a blanket exclusion; the Directive expressly includes several categories regardless of size.
  • If Member State law identifies additional small or micro entities because of key societal, economic, sectoral, or service importance, record the national-law source separately.

Section 4

Step 4: classify essential, important, excluded, or blocked

After scope is established, Article 3 determines whether the entity is essential or important. Essential entities include large Annex I entities, qualified trust service providers, TLD registries, DNS service providers, medium-sized providers of public electronic communications networks or publicly available electronic communications services, central government public administration entities, Member State-identified essential entities under specific Article 2 triggers, critical entities under the CER Directive, and, where a Member State so provides, entities previously identified as operators of essential services.

Important entities are the in-scope Annex I or Annex II entities that do not qualify as essential. If facts are missing, classify the test as blocked rather than forcing an essential or important label.

  • Essential: cite the Article 3 basis, such as large Annex I status, qualified trust service provider, TLD registry, DNS service provider, medium-sized public electronic communications provider, public administration, critical-entity status, or Member State identification.
  • Important: cite the Annex I or Annex II activity and explain why no essential-entity basis applies.
  • Excluded: cite the reason, such as no Annex I or II activity, no Union activity, no size or special-case trigger, or a public-administration exclusion for national security, public security, defence, or law-enforcement activity.
  • Blocked: list the missing facts, such as entity size, linked-enterprise data, sector mapping, Member State identification, public-administration status, critical-entity status, or service disruption impact.

Section 5

Step 5: identify jurisdiction, registration facts, and downstream obligations

The applicability record should identify the authority path before teams start implementation. As a rule, essential and important entities fall under the jurisdiction of the Member State where they are established. The Commission FAQ identifies exceptions for public electronic communications services, public administration entities, and certain cross-border digital and ICT entities, including DNS, TLD, domain name registration, cloud, data centre, content delivery network, managed service, managed security service, online marketplace, online search engine, and social networking platform providers.

Article 3 also requires Member States to establish a list of essential and important entities and entities providing domain name registration services by 17 April 2025 and to update it at least every two years. The evidence record should therefore preserve the facts needed for national registration or authority notification, not only the internal scope conclusion.

What is the first practical step in a NIS2 applicability test?

Identify the legal entity and map each service or activity to Annex I or Annex II. Only then apply the size-cap rule, size-independent triggers, and Article 3 essential or important classification.

Can a small entity still be in scope of NIS2?

Yes. Article 2 applies regardless of size to several categories, including certain public electronic communications providers, trust service providers, TLD registries, DNS service providers, critical entities under Directive (EU) 2022/2557, entities providing domain name registration services, and other listed special cases.

What evidence should teams keep for a NIS2 applicability decision?

Keep the legal entity, Member States, Annex I or II mapping, size basis, size-independent trigger analysis, essential or important classification, jurisdiction path, authority-registration facts, source URLs, reviewer, approver, and reassessment triggers.

  • Record establishment Member State, service-provision Member States, main establishment in the Union where relevant, non-EU representative facts where relevant, and public-administration establishing Member State.
  • Capture the information Article 3 expects Member States to require: entity name, address, up-to-date contact details, IP ranges and phone numbers, sector or subsector, and Member States where in-scope services are provided.
  • Link the scope conclusion to the next obligations: Article 21 cybersecurity risk-management measures, Article 23 significant-incident reporting, management-body oversight, supplier-risk work, and national registration or notification.
  • Add reassessment triggers for new Member State operations, new Annex I or II services, size changes, M&A, linked-enterprise changes, critical-entity designation, domain-registration activity, and national transposition changes.

Primary sources

References and citations

eur-lex.europa.eu
  • Article 3 supports the evidence fields for Member State lists, entity information, sector and subsector data, service Member States, and update duties.
  • Quoted text: "establish a list of essential and important entities"

enisa.europa.eu
  • ENISA guidance source for implementation context once an entity is classified as covered by NIS2 and technical control work begins.
  • Quoted text: "Technical Implementation Guidance"

digital-strategy.ec.europa.eu
  • Commission FAQ explains jurisdiction rules and exceptions for public communications, public administration, and certain cross-border digital and ICT entities.
  • Quoted text: "under the jurisdiction of the Member State"

digital-strategy.ec.europa.eu
  • Commission overview used for the widened sector scope and the practical distinction between essential and important entities.
  • Quoted text: "wider scope, clearer rules and stronger supervision tools"