---
title: "FAQ: NIS2 essential vs important entity classification and registration obligations"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/essential-vs-important-entities"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/essential-vs-important-entities"
author: "Sorena AI"
description: "Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 essential entities"
  - "NIS2 important entities"
  - "NIS2 Article 3"
  - "NIS2 supervision"
  - "NIS2 Article 21"
  - "NIS2 Article 23"
  - "NIS2 FAQ"
  - "EU NIS2 Directive"
  - "NIS2"
  - "Article 3"
  - "Article 21"
  - "Article 23"
  - "Article 32"
  - "Article 33"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# FAQ: NIS2 essential vs important entity classification and registration obligations

Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.

*FAQ* *EU NIS2*

## NIS2 essential vs important entities What changes in classification, supervision, and evidence

Essential and important entities both carry NIS2 cybersecurity risk-management and significant-incident reporting duties. The practical distinction is how Article 3 classifies the entity and how national authorities supervise and enforce the tier.

Use this FAQ to classify the entity, keep the shared Article 21 and Article 23 obligations visible, and prepare the right evidence for proactive or ex post supervisory checks.

NIS2 does not create a light-duty category where important entities can ignore cybersecurity controls or incident reporting. Article 3 separates covered entities into essential and important tiers; Articles 20, 21, and 23 then apply core governance, risk-management, and reporting duties to both tiers, while Articles 32 and 33 set different supervisory routes.

## NIS2 essential entities vs important entities

The same core NIS2 obligations often apply to both tiers. The comparison turns on Article 3 classification and the supervisory model that follows.

- **Essential entities**: Higher NIS2 tier for specified Annex I, critical, public administration, trust, DNS, TLD, communications, and Member-State-designated entities under Article 3(1).
- **Important entities**: Covered Annex I or Annex II entities that do not qualify as essential entities, including specified Member-State-identified entities under Article 3(2).

| Dimension | Essential entities | Important entities | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | Essential entities are in scope through Article 3(1): large Annex I entities, qualified trust service providers, TLD registries, DNS service providers, certain communications providers, public administration entities, CER critical entities, and Member-State-identified essential entities. | Important entities are in scope through Article 3(2): covered Annex I or Annex II entities that do not qualify as essential entities under Article 3(1), including entities identified by Member States under the Article 2(2) special-risk grounds. | Keep the sector, subsector, entity type, size analysis, special-case analysis, and Member State activity in the classification file because the same organisation may be essential in one jurisdiction and important in another. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(2) defines important entities by reference to covered Annex I or II entities that are not essential.<br>[European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview of the wider sector scope and two-tier classification. |
| Who must act | Essential entities include the management body, which must approve, oversee, and follow training on cybersecurity risk-management measures, and the operational teams responsible for Article 21 controls, Article 23 incident reporting, and supplier-risk records. | Important entities carry the same management-body, Article 21, and Article 23 obligation chains. The actor structure is the same; the difference is the supervisory route the competent authority follows when reviewing compliance. | Assign Article 21 control ownership and Article 23 reporting ownership at the entity level, not at the tier level; both essential and important entities need named owners for each obligation family. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 20, 21, and 23 apply to both essential and important entities.<br>[European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview of management accountability under NIS2. |
| Trigger or threshold | Essential-entity status is triggered by meeting Article 3(1) criteria: large entity in an Annex I sector, specific digital or critical-infrastructure entity type regardless of size, public administration entity covered by Article 3(1)(f), or Member State identification. | Important-entity status is triggered by being a covered Annex I or Annex II entity that does not meet the Article 3(1) essential test, including medium-sized entities in Annex I sectors and any entity covered by Annex II that falls outside the essential-entity criteria. | Run the essential-entity test first; important-entity status is not a separate opt-in but is the result of being in scope without satisfying Article 3(1). | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 2 scope threshold applies before Article 3 classification. |
| Core obligations | Essential entities must have management-body oversight, Article 21 risk-management measures, and Article 23 significant-incident reporting. | Important entities have the same management-body, Article 21, and Article 23 obligation families. | Do not split the control baseline into strong and weak versions only because of the entity tier; calibrate proportionality to risk, size, likelihood, severity, and impact. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 21 uses proportionality factors for risk-management measures. |
| Evidence to keep | Keep the Article 3 classification memo, Annex I or II mapping, size and special-case analysis, Article 21 control evidence, Article 23 incident files, management approvals, supplier-risk records, and authority correspondence. | Keep the same evidence families, with clear labels showing why the entity is important rather than essential and where ex post review evidence would be found. | A defensible file explains the tier decision and proves the shared obligations are operating. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 21, 23, 32, and 33 define the evidence a reviewer may need to reconstruct. |
| Timing and cadence | Essential entities should maintain inspection-ready evidence continuously because Article 32 allows competent authorities to conduct proactive supervision including random checks, regular and targeted audits, and security scans at any time. | Important entities can align evidence maintenance to ex post supervisory timelines, but must be able to produce evidence promptly after an incident, complaint, scan, authority signal, or suspected non-compliance indication under Article 33. | Keep Article 21 control evidence current and tag it with the review date, owner, and change trigger so it can satisfy either proactive or ex post supervisory requests without rebuilding the file. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 32 and 33 distinguish the supervisory cadence between tiers. |
| Enforcement exposure | Essential-entity enforcement can include warnings, binding instructions, orders, monitoring officers, publication orders, administrative fines, and temporary suspension or management-function prohibition routes where specified measures are ineffective. | Important-entity enforcement can include warnings, binding instructions, orders, audit recommendations, publication orders, and administrative fines, with Article 32 procedural safeguards applying mutatis mutandis. | Escalate essential-entity deficiencies earlier because the available supervisory and enforcement measures are broader. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 32 and 33 set tier-specific enforcement powers. |
| Overlap and reuse | Essential entities can use Article 21 controls and Article 23 incident-notification records as shared evidence, reusing the same cybersecurity baseline and incident playbook across both obligation families where the source-linked requirement is identical. | Important entities can use the same Article 21 control baseline and Article 23 incident-notification workflow as essential entities, adjusting only for proportionality and the ex post supervisory posture rather than creating a separate weaker programme. | Document the control-reuse rationale explicitly when the same measure satisfies multiple Article 21 points or supports both tiers, so the scope decision and the control evidence can be reviewed independently. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 21 and 23 duties are the same for both essential and important entities.<br>[Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Implementing Regulation applies the same technical measures to specified digital entities in both tiers. |
| Practical decision rule | If Article 3(1) applies, document essential-entity status and prepare for broader supervisory touchpoints. | If the entity is covered but Article 3(1) does not apply, document important-entity status and prepare for ex post supervisory review. | The final answer should say: covered sector, size or special case, Article 3 tier, Member State authority route, Article 21 evidence owner, and Article 23 incident-reporting owner. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 3, 21, 23, 32, and 33 provide the classification and operations path. |

Sources for Scope and covered activity - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(1) lists entities considered essential.
  - Quote: "considered to be essential entities"

Sources for Scope and covered activity - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(2) defines important entities by reference to covered Annex I or II entities that are not essential.
  - Quote: "shall be considered to be important entities"

Sources for Scope and covered activity - operational implication:

- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview of the wider sector scope and two-tier classification.
  - Quote: "wider scope, clearer rules and stronger supervision tools"

Sources for Who must act - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 20 addresses management-body responsibilities for essential and important entities.
  - Quote: "essential and important entities"

Sources for Who must act - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 20, 21, and 23 apply to both essential and important entities.
  - Quote: "essential and important entities"

Sources for Who must act - operational implication:

- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview of management accountability under NIS2.
  - Quote: "accountability of the top management"

Sources for Trigger or threshold - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(1) trigger conditions for essential entities.
  - Quote: "regardless of their size"

Sources for Trigger or threshold - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(2) trigger for important-entity status.
  - Quote: "do not qualify as essential entities"

Sources for Trigger or threshold - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 2 scope threshold applies before Article 3 classification.
  - Quote: "referred to in Annex I or II"

Sources for Core obligations - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 20, 21, and 23 apply to essential and important entities.
  - Quote: "essential and important entities"

Sources for Core obligations - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 20, 21, and 23 apply to essential and important entities.
  - Quote: "essential and important entities"

Sources for Core obligations - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 21 uses proportionality factors for risk-management measures.
  - Quote: "appropriate and proportionate"

Sources for Evidence to keep - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 32 allows requests for information, documents, and evidence of policy implementation for essential entities.
  - Quote: "requests for evidence"

Sources for Evidence to keep - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 33 allows ex post requests for information, documents, and implementation evidence for important entities.
  - Quote: "underlying evidence"

Sources for Evidence to keep - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 21, 23, 32, and 33 define the evidence a reviewer may need to reconstruct.
  - Quote: "cybersecurity risk-management measures"

Sources for Timing and cadence - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 32 authorises proactive supervisory actions including random checks and regular audits.
  - Quote: "off-site supervision"

Sources for Timing and cadence - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 33 frames important-entity supervision around ex post action.
  - Quote: "ex post supervisory measures"

Sources for Timing and cadence - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 32 and 33 distinguish the supervisory cadence between tiers.
  - Quote: "Supervisory and enforcement measures"

Sources for Enforcement exposure - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 32(4) and 32(5) list enforcement measures for essential entities.
  - Quote: "monitoring officer"

Sources for Enforcement exposure - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 33(4) lists enforcement measures for important entities.
  - Quote: "issue warnings"

Sources for Enforcement exposure - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 32 and 33 set tier-specific enforcement powers.
  - Quote: "effective, proportionate and dissuasive"

Sources for Overlap and reuse - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 21 proportionality applies to both tiers, supporting a shared control baseline.
  - Quote: "appropriate and proportionate"

Sources for Overlap and reuse - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 21 and 23 duties are the same for both essential and important entities.
  - Quote: "essential and important entities take appropriate"

Sources for Overlap and reuse - operational implication:

- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Implementing Regulation applies the same technical measures to specified digital entities in both tiers.
  - Quote: "technical and methodological requirements"

Sources for Practical decision rule - Essential entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(1) controls essential-entity classification.
  - Quote: "essential entities"

Sources for Practical decision rule - Important entities:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 3(2) controls important-entity classification.
  - Quote: "important entities"

Sources for Practical decision rule - operational implication:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Articles 3, 21, 23, 32, and 33 provide the classification and operations path.
  - Quote: "Articles 21 and 23"

### How should teams decide whether they are essential or important under NIS2?

- Identify the legal entity, Member States, services, sectors, and Annex I or II entity type.
- Apply Article 2 scope, including size and size-independent special cases.
- Apply Article 3(1) to decide whether the entity is essential.
- If covered but not essential, record important-entity status under Article 3(2).
- Assign Article 21 control evidence, Article 23 reporting ownership, and the national authority or CSIRT route.

Sources for the practical decision rule:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for the classification and obligation workflow.
  - Quote: "Essential and important entities"
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview for sector scope, reporting, supervision, enforcement, and management accountability.
  - Quote: "critical sectors"

## What is the difference between NIS2 essential and important entities?

Essential entities are the higher NIS2 tier. They include large entities in Annex I high-criticality sectors, qualified trust service providers, TLD registries, DNS service providers, medium-sized public electronic communications providers, central-government public administration entities, critical entities under the CER Directive, and other entities that Member States identify as essential under the Article 3 rules.

Important entities are covered Annex I or Annex II entities that do not qualify as essential entities under Article 3(1), including entities that Member States identify under the specified Article 2(2) special-risk grounds. They are still in scope and still need cybersecurity risk-management, management-body oversight, and significant-incident reporting.

- Run the Article 3(1) essential-entity test first.
- If the entity is covered by Annex I or Annex II but does not meet Article 3(1), treat it as important under Article 3(2).
- Do not use the word important to mean optional or low priority.
- Check national transposition rules because Member States establish and update entity lists and may identify additional entities.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for Article 2 scope, Article 3 classification, Article 20 governance, Article 21 measures, and Article 23 reporting.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview explaining the wider NIS2 sector scope, reporting duties, supervision, enforcement, and management accountability.

## What obligations are the same for both tiers?

Both essential and important entities need management-body involvement. NIS2 requires management bodies to approve cybersecurity risk-management measures, oversee implementation, and follow training, with Member States deciding the national liability framework.

Both tiers also need appropriate and proportionate technical, operational, and organisational measures under Article 21. The listed measures cover risk analysis and security policies, incident handling, business continuity, supply-chain security, secure acquisition and maintenance, control effectiveness, cyber hygiene, cryptography, access control and asset management, and authentication or secure communications where appropriate.

For significant incidents, both tiers follow Article 23 notification duties, including the 24-hour early warning, 72-hour incident notification, status updates on request, and final reporting route.

- Keep one shared Article 21 control map, but tag which legal entity and tier it supports.
- Keep one incident-notification playbook, but confirm the national CSIRT or competent authority route for each Member State.
- Keep management approvals, training evidence, and supplier-risk records with the classification memo.
- Use the Commission implementing regulation where it applies to covered digital and trust-service entities.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for shared governance, risk-management, and significant-incident reporting obligations for both tiers.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Technical and methodological requirements for specified digital infrastructure, digital provider, managed service, managed security service, and trust-service entities.

## What changes in supervision and enforcement?

Essential entities can face stronger ongoing supervision. Article 32 lists on-site inspections, off-site supervision, random checks, regular and targeted audits, ad hoc audits, security scans, information requests, document access, and evidence requests. Essential-entity enforcement can also include a monitoring officer and, where specified measures are ineffective, temporary suspension or temporary management-function prohibition routes under national law.

Important entities are mainly supervised ex post. Article 33 says competent authorities act when they have evidence, indication, or information that an important entity allegedly does not comply, especially with Articles 21 and 23. Ex post tools still include inspections, targeted audits, scans, information requests, document access, evidence requests, warnings, binding instructions, orders, and fines.

Administrative fine maxima also differ for Article 21 or 23 infringements: NIS2 sets at least EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4 percent for important entities, whichever is higher in each tier.

- Prepare essential-entity evidence as if a competent authority may ask before an incident.
- Prepare important-entity evidence so it can withstand ex post review after an incident, complaint, scan, audit, or suspected non-compliance.
- Do not treat important-entity status as low enforcement exposure.
- Confirm national law before quoting final procedure, authority, remedy, or fine details to a customer or board.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for Article 32 essential-entity supervision, Article 33 important-entity supervision, and Article 34 administrative fine conditions.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for the classification and obligation workflow.
  - Quote: "Essential and important entities"
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview for sector scope, reporting, supervision, enforcement, and management accountability.
  - Quote: "critical sectors"
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Implementing Regulation applies the same technical measures to specified digital entities in both tiers.
  - Quote: "technical and methodological requirements"

## Topic Guides

- [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md): NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
- [EU NIS2 Directive applicability test for entity scope](/artifacts/eu/nis2-directive/applicability-test.md): Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
- [EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
- [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md): Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
- [NIS2 72-hour incident notification FAQ](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md): Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
- [NIS2 Annex I and Annex II Sector Scoping Guide](/artifacts/eu/nis2-directive/annex-i-and-ii-sector-scoping.md): Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
- [NIS2 Article 21 control baseline and evidence checklist](/artifacts/eu/nis2-directive/article-21-control-baseline.md): Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
- [NIS2 Article 21 control-by-control evidence checklist](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence.md): Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
- [NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners](/artifacts/eu/nis2-directive/article-21-gap-assessment-workflow.md): Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
- [NIS2 Article 23 incident notification workflow](/artifacts/eu/nis2-directive/article-23-notification.md): Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
- [NIS2 Compliance Checklist: scope, controls, reporting](/artifacts/eu/nis2-directive/checklist.md): Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
- [NIS2 Compliance Guide: scope, controls, reporting, and evidence](/artifacts/eu/nis2-directive/compliance.md): A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
- [NIS2 Country Transposition Tracker: EU Status Workflow](/artifacts/eu/nis2-directive/country-transposition-tracker.md): Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
- [NIS2 Entity Classifier Workflow: essential vs important entity scoping](/artifacts/eu/nis2-directive/entity-classifier-workflow.md): Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
- [NIS2 essential vs important entities: Article 3 scope and supervision guide](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
- [NIS2 essential vs important entities: supervision regime and audit evidence requirements](/artifacts/eu/nis2-directive/essential-vs-important-supervision.md): Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
- [NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties](/artifacts/eu/nis2-directive/faq.md): source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
- [NIS2 incident clock triage workflow](/artifacts/eu/nis2-directive/incident-clock-triage-workflow.md): Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
- [NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
- [NIS2 Management Body Accountability: board duties, training, and evidence](/artifacts/eu/nis2-directive/management-body-accountability.md): source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
- [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md): How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
- [NIS2 National Transposition Tracker: EU Member State Evidence Register](/artifacts/eu/nis2-directive/national-transposition-tracker.md): Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
- [NIS2 penalties and fines: Article 34 caps for essential and important entities](/artifacts/eu/nis2-directive/penalties-and-fines.md): NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
- [NIS2 Registration and Authority Notification Guide](/artifacts/eu/nis2-directive/registration-and-authority-notification.md): Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
- [NIS2 Requirements: scope, Article 21 controls, reporting, and evidence](/artifacts/eu/nis2-directive/requirements.md): Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
- [NIS2 Size Cap Rule and Special Scope Cases](/artifacts/eu/nis2-directive/size-cap-and-special-cases.md): Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
- [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md): Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
- [NIS2 supply chain security program: Article 21 controls, contracts, and evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
- [NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience](/artifacts/eu/nis2-directive/nis2-vs-cerc.md): Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
- [NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance](/artifacts/eu/nis2-directive/nis2-vs-dora.md): Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
- [NIS2 vs GDPR breach reporting: EU deadlines and overlap](/artifacts/eu/nis2-directive/nis2-vs-gdpr-breach-reporting.md): Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
- [NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
- [NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
- [NIS2 vs NIS1: what changed in EU cybersecurity compliance](/artifacts/eu/nis2-directive/nis2-vs-nis1.md): Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.

*Recommended next step*

*Placement: before sources*

## Use this NIS2 FAQ as a classification and supervision workflow

Sorena can help convert the Article 3 tier decision into owner assignments, Article 21 evidence requests, Article 23 incident-reporting steps, and national-supervision readiness checks.

- [Open Research Copilot for NIS2](/solutions/research-copilot.md): Ask source-linked questions about entity classification, Article 21 controls, Article 23 notification, supervision, and evidence using the cited NIS2 sources.
- [Talk through implementation](/contact.md): Review your NIS2 classification memo, national authority routing, evidence gaps, and supervision-readiness plan with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/faq/essential-vs-important-entities