
EU NIS2 Directive (EU) 2022/2555 Applicability Test

Decide scope and entity status with defensible reasoning.

Output: a scope memo + essential/important classification + jurisdiction mapping + next-step control plan.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

NIS2 scoping errors are expensive: teams build the wrong control baseline, report to the wrong authority, or miss transposition-specific requirements. Use this page to produce a defensible scope memo per legal entity: what sector you match, why you match it, whether the size-cap applies, whether a regardless-of-size trigger applies, and whether you are treated as an essential or important entity under the directive framework.

Before you start: capture the minimum facts (so the result survives review)

A defensible NIS2 applicability decision depends on stable facts. Scope should be decided per legal entity and per service line, then consolidated into one group view.

Output: a 1-2 page scope memo per legal entity, with annex mappings and size-cap reasoning.

  • Legal entities and EU establishments: where services are provided and where decisions are made.
  • Services and sectors: map each service to a candidate Annex I/II sector entry (don't use marketing categories).
  • Size profile: employees + turnover/balance sheet for the legal entity (and group, where relevant).
  • Digital infrastructure roles: cloud/MSP/MSSP/CDN/DNS/TLD, online marketplace/search/social platform, trust service provider.
  • Criticality flags: sole provider, systemic risk, public safety/health impacts (used in certain regardless-of-size cases).

Step 1 - Does NIS2 scope apply to your type of entity? (Annex I/II + size-cap rule)

NIS2 applies to entities of a type referred to in Annex I or Annex II that are medium-sized enterprises or larger, unless a regardless-of-size rule applies.

Control: cite the exact Annex entry you match and the reasoning for the match.

  • Map the entity to the closest Annex I or Annex II entry and record the service-level reasoning, not just a business label.
  • Apply the size-cap rule using the SME framework and the NIS2-specific adjustments in Article 2(2).
  • Document borderline cases, mixed portfolios, and shared service models so the scope decision can be defended later.

Step 2 - Regardless-of-size triggers (the common "surprise scope" cases)

Even if you're small, NIS2 can still apply to specific categories (notably certain digital infrastructure and trust services) and to certain public administration entities. Treat these as explicit checks.

Control: record whether each regardless-of-size trigger applies or not, with a one-paragraph rationale.

  • Providers of public electronic communications networks or publicly available electronic communications services, trust service providers, TLD name registries, DNS service providers, and domain name registration service providers can be in scope regardless of size.
  • Public administration entities listed in the directive, and certain entities identified as critical under the CER framework, can also be pulled in regardless of size.
  • Member States can extend national coverage to additional public administration entities or sectors, so check national law before concluding you are out of scope.

Step 3 - Essential vs important (changes supervision and enforcement posture)

NIS2 distinguishes essential and important entities. This affects supervision intensity and the compliance posture you should design for.

Output: a classification note with the Article 3 category you match and the consequences for supervision and evidence.

  • Essential status attaches to the categories listed in Article 3(1); for some digital infrastructure and trust-service categories it applies regardless of size.
  • Entities in scope that do not qualify as essential are treated as important under Article 3(2).
  • Keep the classification note versioned and rerun it whenever services, group structure, or national transposition changes.

Step 4 - Jurisdiction and transposition (where you'll be supervised and how obligations get specified)

NIS2 is a directive: obligations are transposed into national law and operationalised by competent authorities and CSIRTs. You need a jurisdiction map for where you provide services and where reporting will occur.

Output: a "competent authority and CSIRT map" and an incident reporting contact list.

  • Identify the Member States where you provide services or have establishments relevant to NIS2 supervision.
  • Track national transposition status and country-specific requirements (registration, reporting portals, formats).
  • Set up a governance owner for maintaining the transposition tracker and authority contact list.

If in scope: the next three artifacts to build

Once you're in scope, move directly to execution: control baseline, reporting workflow, and evidence pack.

Use the linked pages to convert this into owners, evidence, and acceptance criteria.

  • Article 21 control baseline mapped to your services and risk exposure.
  • Incident reporting workflow and templates aligned to 24h/72h/1 month obligations.
  • Audit-ready evidence pack: policies, risk register, third-party controls, training, and governance minutes.
