NIS2 entity classifier workflow

Decide whether a legal entity and service line is out of scope, an important entity, an essential entity, or an escalation case under NIS2.

Use the directive text, Annex I and Annex II sector lists, SME size rules, Article 3 category rules, and registration guidance before assigning security, reporting, or evidence work.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

This workflow helps a compliance, legal, or security owner classify an entity under the NIS2 Directive before building a control plan. It separates the facts that determine scope from the later work of implementing cybersecurity risk-management measures and incident reporting.

Section 1

Classifier goal: record the NIS2 scope decision before control work starts

The first output is a classification record for one legal entity and one service or activity. Do not classify a whole group, brand, platform, or supplier relationship unless the legal entity, EU presence, service, and sector facts are the same.

A useful record answers four questions: whether the entity provides services or carries out activities in the Union, whether the activity appears in Annex I or Annex II, whether a size or regardless-of-size rule applies, and whether Article 3 makes the entity essential or important.

  • Decision states: out of scope, important entity, essential entity, or national-authority review required.
  • Minimum inputs: legal entity name, establishment or representative, Member States served, service description, sector and subsector, size evidence, and any critical-entity or public-administration status.
  • Classify service lines separately when one activity maps to Annex I, another maps to Annex II, or only part of the business is covered.
  • Keep national transposition notes beside the EU decision because Member States establish and update their lists of essential and important entities.

Section 2

Step-by-step NIS2 classifier workflow

Run the classifier in the same order each time. The workflow should first establish that the entity and its activity are of a kind NIS2 covers, then decide whether an essential-entity rule applies, and only then assign implementation owners.

Use the Commission Article 3 guidance and template fields to make the record reusable for national registration, customer assurance, management review, and authority questions.

  1. Identify the legal entity, main EU establishment or representative, countries served, and the precise service or activity being classified.
  2. Match the service to Annex I, Annex II, domain-name registration services, or no listed category; record the sector, subsector, and type of entity.
  3. Check the baseline Article 2 size rule: medium-sized enterprises and entities exceeding the medium-sized ceilings are in scope when they provide Annex I or Annex II services in the Union.
  4. Check regardless-of-size triggers, including public electronic communications networks or services, trust service providers, TLD registries, DNS service providers, domain-name registration services, critical entities, and Member State Article 2(2) designations.
  5. Apply Article 3: Annex I entities above the medium-sized ceilings and the named Article 3(1) categories are essential; covered Annex I or Annex II entities that do not qualify as essential are important.
  6. Save the decision, source citations, authority or national-law assumptions, owner approvals, and the next review trigger.

Section 3

Evidence table for the classification record

The classifier is only defensible if each decision point has evidence. Keep the table short, but make it specific enough that another reviewer can repeat the classification without asking the business team to reconstruct the facts.

Where national law, authority registration, or a Member State designation affects the answer, label the result as conditional until the country owner confirms the local rule.

  • Legal entity evidence: registered name, address, main EU establishment or representative, and any group relationship that affects SME sizing.
  • Service evidence: customer-facing service description, country coverage, systems supporting the service, and whether the activity is principal or incidental where the Annex wording requires it.
  • Sector evidence: Annex I or Annex II row, sector, subsector, type of entity, and any reason an adjacent sector was rejected.
  • Size evidence: staff headcount, annual turnover or balance-sheet data, reference period, and whether partner or linked enterprise analysis is needed.
  • Authority evidence: registration submission fields, local authority correspondence, Member State designation, critical-entity status, and date of the next review.

Section 4

Quality checks before closing the classifier

Close the workflow only when the legal entity, service description, sector mapping, size evidence, Article 3 result, and national assumptions point to the same conclusion.

Reopen the classifier when a new country is served, a service changes, ownership or group sizing changes, an entity is designated by a Member State, a critical-entity decision changes, or the relevant national register asks for updated information.

  • Every public source URL is external, HTTPS, and includes the Sorena reference parameter.
  • The record names the exact Annex I or Annex II row used, or explains why no listed category fits.
  • The record distinguishes essential and important entity logic instead of using one generic in-scope label.
  • The record separates EU directive logic from Member State transposition or authority-registration assumptions.
  • The final decision assigns owners for legal review, country confirmation, security implementation, incident reporting setup, and evidence storage.

Recommended next step

Use this classifier before assigning NIS2 controls

Sorena can help convert a NIS2 scope question into a cited decision record with sector mapping, size evidence, national assumptions, owner assignments, and review triggers.

Primary sources

References and citations

  • eur-lex.europa.eu: Grounding for registration templates and Member State list-maintenance evidence. Quoted text: "national mechanisms for entities to register themselves"
  • eur-lex.europa.eu: Primary source for NIS2 classification logic and later security and reporting obligations once an entity is in scope. Quoted text: "cybersecurity risk-management measures and reporting obligations"
  • digital-strategy.ec.europa.eu: Commission FAQ context for why NIS2 expands coverage and strengthens cybersecurity requirements across the EU. Quoted text: "boost the overall level of cybersecurity"