---
title: "NIS2 essential vs important entities: supervision regime and audit evidence requirements"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/essential-vs-important-supervision"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/essential-vs-important-supervision"
author: "Sorena AI"
description: "Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "EU NIS2 Directive"
  - "NIS2"
  - "NIS2 essential entities vs NIS2 important entities"
  - "essential entities"
  - "important entities"
  - "Article 21"
  - "Article 23"
  - "incident notification"
---

# NIS2 essential vs important entities: supervision regime and audit evidence requirements

Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.

## EU NIS2 Directive: NIS2 essential entities vs NIS2 important entities

Compare how NIS2 treats essential and important entities: who falls in each tier, which duties overlap, and where supervision and enforcement differ.

Use the grounded distinctions to build classification memos, Article 21 control evidence, Article 23 incident records, authority-response playbooks, and board-ready risk notes.

This page compares NIS2 essential entities and important entities for teams that need to classify an organisation and plan evidence. Both tiers can share Article 21 cybersecurity risk-management measures and Article 23 incident reporting duties, but NIS2 separates how competent authorities supervise and enforce them.

## NIS2 essential vs important entities: practical compliance differences

Use this comparison to classify the entity tier, preserve shared Article 21 and Article 23 evidence, and plan the different Article 32 and Article 33 supervisory routes.

- **NIS2 essential entities**: Essential entities sit in the higher supervisory tier. Plan for proactive and ex post authority engagement, stronger evidence readiness, and the higher Article 34 fine ceiling.
- **NIS2 important entities**: Important entities remain covered by NIS2. Plan for the same core risk-management and reporting duties, the ex post supervision model, and the lower Article 34 fine ceiling.

| Dimension | NIS2 essential entities | NIS2 important entities | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | Essential entities are covered entities that NIS2 places in the higher criticality tier, including specified Annex I cases, certain special categories, and entities designated by Member States. | Important entities are covered entities that are not essential but still fall within NIS2, including many Annex I or Annex II activities when the applicable size and national rules are met. | Classify the tier before building the evidence pack; the same operational service can carry different authority expectations depending on the classification. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for separating entity classification from later supervision and enforcement duties. |
| Who must act | Management bodies must approve and oversee cybersecurity risk-management measures, while security, incident-response, procurement, operations, and legal teams maintain the evidence. | The same management-body, security, incident-response, procurement, operations, and legal functions usually own the work, even though supervision is generally ex post. | Do not split owners just because the tier changes; split the authority-response playbook and evidence-readiness cadence. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared governance duties despite different supervisory regimes. |
| Trigger or threshold | Typical triggers include covered Annex I activities above the applicable size threshold, critical-entity status under the CER Directive, selected digital or trust-service categories, and Member State designation. | Typical triggers include covered Annex I or Annex II activities that meet the applicable size or national implementation rules but do not fall into the essential-entity category. | Keep sector, size, special-case, and national-designation facts in the classification memo so later control work does not obscure the legal basis. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for applying size, sector, and Member State designation facts before obligations are assigned. |
| Core obligations | Apply Article 21 cybersecurity risk-management measures, Article 23 significant-incident reporting, management-body oversight, and the evidence needed for Article 32 supervision. | Apply Article 21 cybersecurity risk-management measures, Article 23 significant-incident reporting, management-body oversight, and the evidence needed if Article 33 ex post supervision is triggered. | Build one control baseline where the duties are identical, then add separate supervision procedures for essential and important entities. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared Article 21 and Article 23 duties plus tier-specific supervision. |
| Evidence and records | Keep the classification memo, Article 21 control evidence, Article 23 incident files, management-body approvals, supplier-risk records, registration data, and supervisory-response log. | Keep the same classification, control, incident, supplier, management-body, and registration records, with an ex post response file ready if the authority requests evidence. | Use one evidence library where practical, but tag records by tier, jurisdiction, and authority-response status. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for maintaining evidence across shared duties and different supervisory triggers. |
| Timing and cadence | Plan for registration and Member State list updates, supervisory requests, and Article 23 incident clocks: early warning without undue delay and within 24 hours, notification within 72 hours, and a final report within one month. | Track the same incident-reporting clocks and registration facts, but expect authority engagement mainly after evidence, information, or indications of non-compliance. | Run one incident clock process for both tiers, then separate proactive supervision calendars from ex post response readiness. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for preserving common incident deadlines while separating supervisory cadence. |
| Enforcement or assurance route | Essential entities can face Article 32 ex ante and ex post supervision, including audits, checks, security scans, information requests, and orders under national implementation. | Important entities are supervised under Article 33 on an ex post basis when competent authorities receive evidence, an indication, or information suggesting non-compliance. | Prepare essential-entity packs for proactive review; prepare important-entity packs for fast production after an ex post trigger. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for supervisory tools such as audits, checks, scans, and information requests. |
| Overlap and reuse | Essential entities can reuse the same policies, incident workflows, supplier files, and control tests as important entities when those artifacts satisfy Article 21 and Article 23. | Important entities can reuse those same artifacts, but the file should not imply proactive Article 32 supervision unless the entity is also classified as essential. | Reuse controls; do not reuse the tier conclusion, supervision narrative, or penalty analysis without checking the classification. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for preserving tier-specific supervision while reusing common evidence. |
| Practical decision rule | For an essential entity, record the classification basis, Article 21 and Article 23 evidence owners, Article 32 supervision pack, jurisdiction facts, and penalty exposure. | For an important entity, record the classification basis, Article 21 and Article 23 evidence owners, Article 33 ex post response pack, jurisdiction facts, and penalty exposure. | Classify first, reuse shared duties second, and keep supervision and sanction analysis tier-specific. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for classifying first and then applying tier-specific supervision and sanctions. |

Sources for Scope and covered activity - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for essential-entity classification and Member State designation rules.
  - Quote: "essential entities"

Sources for Scope and covered activity - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for important-entity classification and Annex I or Annex II scope.
  - Quote: "important entities"

Sources for Scope and covered activity - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for separating entity classification from later supervision and enforcement duties.
  - Quote: "classified into two categories"

Sources for Who must act - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for management-body approval, oversight, and accountability duties.
  - Quote: "management bodies"

Sources for Who must act - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source applying management-body obligations to essential and important entities.
  - Quote: "management bodies"

Sources for Who must act - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared governance duties despite different supervisory regimes.
  - Quote: "essential and important entities"

Sources for Trigger or threshold - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for essential-entity triggers, including designation and critical-entity status.
  - Quote: "shall be considered to be essential entities"

Sources for Trigger or threshold - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for important entities that are not classified as essential entities.
  - Quote: "shall be considered to be important entities"

Sources for Trigger or threshold - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for applying size, sector, and Member State designation facts before obligations are assigned.
  - Quote: "size-cap rule"

Sources for Core obligations - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for risk-management, reporting, management-body, and essential-entity supervision duties.
  - Quote: "cybersecurity risk-management measures"

Sources for Core obligations - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for risk-management, reporting, management-body, and important-entity supervision duties.
  - Quote: "significant incidents"

Sources for Core obligations - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared Article 21 and Article 23 duties plus tier-specific supervision.
  - Quote: "differentiated supervisory regime"

Sources for Evidence and records - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for records that may be requested during essential-entity supervision.
  - Quote: "access to data, documents and information"

Sources for Evidence and records - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for important-entity evidence that may be requested during ex post supervision.
  - Quote: "request information"

Sources for Evidence and records - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for maintaining evidence across shared duties and different supervisory triggers.
  - Quote: "documents or evidence"

Sources for Timing and cadence - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for incident-reporting timing and essential-entity supervisory cadence.
  - Quote: "within 24 hours"

Sources for Timing and cadence - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for incident-reporting timing and important-entity ex post supervision.
  - Quote: "within 72 hours"

Sources for Timing and cadence - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for preserving common incident deadlines while separating supervisory cadence.
  - Quote: "final report"

Sources for Enforcement or assurance route - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for Article 32 essential-entity supervision and enforcement powers.
  - Quote: "ex ante and ex post supervisory regime"

Sources for Enforcement or assurance route - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for Article 33 important-entity ex post supervision.
  - Quote: "ex post supervisory regime"

Sources for Enforcement or assurance route - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for supervisory tools such as audits, checks, scans, and information requests.
  - Quote: "regular and targeted security audits"

Sources for Overlap and reuse - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared risk-management and reporting duties across entity tiers.
  - Quote: "essential and important entities"

Sources for Overlap and reuse - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for shared duties and important-entity supervision limits.
  - Quote: "essential and important entities"

Sources for Overlap and reuse - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for preserving tier-specific supervision while reusing common evidence.
  - Quote: "differentiation of supervisory regime"

Sources for Practical decision rule - NIS2 essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for the essential-entity decision record and higher sanction ceiling.
  - Quote: "EUR 10 000 000"

Sources for Practical decision rule - NIS2 important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for the important-entity decision record and sanction ceiling.
  - Quote: "EUR 7 000 000"

Sources for Practical decision rule - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for classifying first and then applying tier-specific supervision and sanctions.
  - Quote: "fair balance"

### How should teams decide between NIS2 essential and important entities?

- Start with sector, service, size, jurisdiction, and designation facts.
- Record whether the entity is essential, important, or outside this classification decision.
- Reuse Article 21 and Article 23 evidence where the duties match.
- Keep Article 32 supervision, Article 33 supervision, and Article 34 sanction analysis separate.

Sources for the practical decision rule:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for classification, shared duties, differentiated supervision, and sanctions.
  - Quote: "differentiation of supervisory regime"

## What is the practical difference between NIS2 essential and important entities?

Start with the classification test, then separate obligations from supervision. NIS2 classifies covered entities as essential or important based on sector, service type, size, and Member State designation rules.

The common mistake is to treat important entities as out of scope. They remain subject to NIS2 duties, but competent authorities generally supervise them after evidence, information, or indications suggest non-compliance.

- Use the entity tier to decide whether Article 32 or Article 33 supervision planning is needed.
- Keep Article 21 controls and Article 23 incident-reporting evidence reusable where the duties are the same.
- Record Member State jurisdiction and registration facts separately from the control evidence.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for entity classification, Article 21 and Article 23 duties, and Article 32 and 33 supervision.

## What decision should teams document first?

Document the tier decision before assigning controls. A useful record names the sector or service, size-cap or special-case reasoning, Member State jurisdiction, and whether a national authority has designated the entity.

After classification, map the shared NIS2 duties and then add the tier-specific supervision route, evidence readiness, and penalty exposure.

- Name the Annex I or Annex II activity, if one is used.
- Record whether the entity is essential, important, or outside this specific NIS2 classification.
- Tie the answer to a durable artifact: classification memo, registration record, control register, incident workflow, or authority-response log.
- Escalate national-law differences instead of assuming the directive text alone answers every operational question.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 directive text for classification, management-body accountability, risk measures, notification, supervision, and sanctions.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for NIS2 scope, sectors, obligations, transposition timing, and policy context.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Commission implementing regulation for technical and methodological cybersecurity risk-management requirements in covered digital and ICT service sectors.

## When should teams run the essential-versus-important classification?

Run the comparison when a service enters an Annex I or Annex II sector, when size or group facts change, when a Member State designation arrives, or when a cross-border operating model changes jurisdiction.

Also rerun it before acquisitions, new EU launches, managed-service changes, incident-response redesigns, and supplier changes that affect network and information systems.

- Separate Annex I high-criticality sectors from Annex II other critical sectors.
- Do not treat classification as one-time paperwork or an internal policy label; it drives supervision planning.
- Keep country, service, legal establishment, representative, and main-establishment facts with the decision.
- Use material-change triggers so new activities reopen the classification.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 directive text for Article 3 entity categories, Member State lists, jurisdiction, and annex sectors.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for covered sectors, national transposition, and NIS2 policy context.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Commission implementing regulation for technical requirements that apply to specified digital, infrastructure, ICT service, and trust-service entities.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/NIS2-technical-implementation-guidance?ref=sorena.io) - ENISA implementation guidance with practical advice, examples of evidence, and mappings for covered digital and ICT service sectors.

## Who should own the classification and supervision evidence?

Legal or regulatory owners should own the classification memo; security and resilience owners should own Article 21 evidence; incident-response owners should own Article 23 clocks; management-body evidence should be reviewable by board or senior-management stakeholders.

For essential entities, evidence should be ready for proactive supervisory measures such as audits, checks, information requests, and access to documents. For important entities, evidence should still be complete, but the authority route is generally ex post.

- Assign one owner for the tier decision and one owner for operational evidence retrieval.
- Keep classification, registration, jurisdiction, Article 21, Article 23, supplier-risk, and management-body records linked.
- Preserve rejected classifications and reassessment triggers with the final memo.
- Make authority-response packs usable without exposing irrelevant private working notes.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 directive text for management-body accountability, cybersecurity risk-management measures, reporting, and supervision.
- [European Commission - NIS2 Directive FAQs](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding supervisory tools, incident-reporting sequence, jurisdiction context, and differentiated sanctions.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Commission implementing regulation for technical and methodological requirements in specified covered sectors.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 source for classification, shared duties, differentiated supervision, and sanctions.
  - Quote: "differentiation of supervisory regime"

## Related Topic Guides

- [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md): NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
- [EU NIS2 Directive applicability test for entity scope](/artifacts/eu/nis2-directive/applicability-test.md): Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
- [EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
- [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md): Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
- [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md): Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
- [NIS2 72-hour incident notification FAQ](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md): Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
- [NIS2 Annex I and Annex II Sector Scoping Guide](/artifacts/eu/nis2-directive/annex-i-and-ii-sector-scoping.md): Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
- [NIS2 Article 21 control baseline and evidence checklist](/artifacts/eu/nis2-directive/article-21-control-baseline.md): Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
- [NIS2 Article 21 control-by-control evidence checklist](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence.md): Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
- [NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners](/artifacts/eu/nis2-directive/article-21-gap-assessment-workflow.md): Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
- [NIS2 Article 23 incident notification workflow](/artifacts/eu/nis2-directive/article-23-notification.md): Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
- [NIS2 Compliance Checklist: scope, controls, reporting](/artifacts/eu/nis2-directive/checklist.md): Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
- [NIS2 Compliance Guide: scope, controls, reporting, and evidence](/artifacts/eu/nis2-directive/compliance.md): A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
- [NIS2 Country Transposition Tracker: EU Status Workflow](/artifacts/eu/nis2-directive/country-transposition-tracker.md): Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
- [NIS2 Entity Classifier Workflow: essential vs important entity scoping](/artifacts/eu/nis2-directive/entity-classifier-workflow.md): Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
- [NIS2 essential vs important entities: Article 3 scope and supervision guide](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
- [NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties](/artifacts/eu/nis2-directive/faq.md): source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
- [NIS2 incident clock triage workflow](/artifacts/eu/nis2-directive/incident-clock-triage-workflow.md): Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
- [NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
- [NIS2 Management Body Accountability: board duties, training, and evidence](/artifacts/eu/nis2-directive/management-body-accountability.md): Source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
- [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md): How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
- [NIS2 National Transposition Tracker: EU Member State Evidence Register](/artifacts/eu/nis2-directive/national-transposition-tracker.md): Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
- [NIS2 penalties and fines: Article 34 caps for essential and important entities](/artifacts/eu/nis2-directive/penalties-and-fines.md): NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
- [NIS2 Registration and Authority Notification Guide](/artifacts/eu/nis2-directive/registration-and-authority-notification.md): Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
- [NIS2 Requirements: scope, Article 21 controls, reporting, and evidence](/artifacts/eu/nis2-directive/requirements.md): Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
- [NIS2 Size Cap Rule and Special Scope Cases](/artifacts/eu/nis2-directive/size-cap-and-special-cases.md): Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
- [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md): Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
- [NIS2 supply chain security program: Article 21 controls, contracts, and evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
- [NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience](/artifacts/eu/nis2-directive/nis2-vs-cerc.md): Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
- [NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance](/artifacts/eu/nis2-directive/nis2-vs-dora.md): Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
- [NIS2 vs GDPR breach reporting: EU deadlines and overlap](/artifacts/eu/nis2-directive/nis2-vs-gdpr-breach-reporting.md): Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
- [NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
- [NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
- [NIS2 vs NIS1: what changed in EU cybersecurity compliance](/artifacts/eu/nis2-directive/nis2-vs-nis1.md): Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/essential-vs-important-supervision
