---
title: "NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/items"
author: "Sorena AI"
description: "Source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "NIS2 FAQ"
  - "EU NIS2 Directive"
  - "essential entities"
  - "important entities"
  - "Article 21 cybersecurity measures"
  - "Article 23 incident reporting"
  - "NIS2 penalties"
  - "Article 21"
  - "Article 23"
---

# NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties

Source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.

*Artifact Guide* *EU*

## NIS2 FAQ: Scope, controls, reporting, and evidence

Answers to recurring NIS2 questions about entity scope, essential versus important classification, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, management-body accountability, registration, and penalties.

Use the cited EU and ENISA sources to turn each answer into an auditable decision record before assigning control owners or reporting workflows.

Use this NIS2 FAQ to resolve practical compliance questions with a source, a fact pattern, and an evidence owner. The directive sets the EU framework, but implementation and supervision run through Member State law and competent authorities, so every answer should record the relevant country, sector, service, entity type, supplier dependency, and incident workflow.

## Browse sub-FAQ modules

### [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md)

NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.

- 3 items

### [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md)

Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.

- 3 items

### [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md)

Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.

- 3 items

### [NIS2 72-hour incident notification FAQ](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md)

Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.

- 3 items

### [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md)

How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.

- 3 items

### [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md)

Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.

- 4 items

Browse all indexed questions: [/artifacts/eu/nis2-directive/faq/items](/artifacts/eu/nis2-directive/faq/items.md)

## All FAQ items


### [Short answer](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md#short-answer)

*Module: [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md)*

A managed service provider can be in NIS2 scope because Annex I lists ICT service management (business-to-business), including managed service providers and managed security service providers. Article 6 defines an MSP as an entity providing installation, management, operation, or maintenance of ICT products, networks, infrastructure, applications, or other network and information systems through assistance or active administration, on customer premises or remotely.

- Start with the legal entity, not the brand name or product line.
- Confirm the activity is managed service or managed security service activity, not only advisory, resale, staffing, or one-off project work.
- Check whether the service is provided or carried out within the Union.
- Apply the size-cap and any Article 2 special-case rule before deciding the entity is outside NIS2.
- Classify the result as essential, important, outside current scope, or escalated for Member State legal review.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Article 6 defines managed service provider and managed security service provider, Article 2 supplies the size and special-case scope rule, and Annex I lists MSPs and MSSPs under ICT service management.
- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - NIS2 Article 2 points to this Recommendation for the medium-sized enterprise size test used in the general scope rule.
- [European Commission NIS2 FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - The Commission FAQ confirms that NIS2 replaced the old OES/DSP split with essential and important entity categories and lists ICT service management among the high-criticality sectors.

### [Evidence to keep for an MSP or MSSP scope decision](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md#evidence-to-keep-for-an-msp-or-mssp-scope-decision)

*Module: [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md)*

The classification file should show why the service meets, or does not meet, the NIS2 MSP or MSSP definition. A sales category is not enough; the record should explain the actual installation, management, operation, maintenance, active administration, or cybersecurity risk-management activity provided to customers.

- Covered service evidence: service catalogue entry, statement of work, managed platform description, runbook, customer responsibility matrix, or remote administration model.
- MSSP evidence where relevant: incident response, monitoring, security administration, penetration testing, security audit, consultancy, or other cybersecurity risk-management services.
- Scope evidence: Union service footprint, customer country list, establishment details, size-cap analysis, and any special-case rule considered under Article 2.
- Classification evidence: whether the entity is essential, important, out of current scope, or escalated for country-specific interpretation.
- Jurisdiction evidence: main establishment in the Union, representative if not established in the Union, and the Member State registration or authority route used.
- Governance evidence: accountable business owner, legal reviewer, security reviewer, approval date, and trigger for reassessment after service, corporate, country, or national-law changes.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Article 3 requires Member States to keep lists of essential and important entities and requires entity details such as contact information, sector, subsector, and Member States where services are provided.
- [Commission Guidelines on Article 3(4) of NIS2](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A324%3AFULL&ref=sorena.io) - Commission guidelines support consistent submission of information for Member State lists of essential and important entities.
- [NIS2 Technical Implementation Guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance supports implementation of the NIS2 implementing regulation for digital infrastructure, ICT service management, and digital providers, including evidence examples and mappings.

### [Common scope traps for managed services](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md#common-scope-traps-for-managed-services)

*Module: [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md)*

A provider can be an MSP or MSSP even when the customer owns the environment, because the NIS2 definition includes assistance or active administration carried out on customer premises or remotely. Conversely, a supplier is not necessarily an MSP merely because it sells software, cloud capacity, hardware, professional services, or staff augmentation.

- Do not classify only from a marketing label such as MSP, MSSP, SOC, cloud partner, or IT outsourcer.
- Separate project implementation from ongoing installation, management, operation, maintenance, active administration, or cybersecurity risk-management service.
- Check each legal entity in a group; one affiliate's status does not automatically settle another affiliate's NIS2 classification.
- Keep cloud, data centre, content delivery, trust service, and electronic communications classifications separate when the same group offers multiple NIS2-relevant services.
- Escalate country-specific questions because Member States transpose and operate NIS2 through national competent authorities and registration mechanisms.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Recitals 113-117 and Article 26 explain jurisdiction, main establishment, Union representative, and ENISA registry considerations for cross-border MSPs and MSSPs.
- [European Commission NIS2 FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - The Commission FAQ highlights ICT service management as a high-criticality sector and explains the differentiated supervisory regime for essential and important entities.
- [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - The implementing regulation sets technical and methodological cybersecurity-risk-management requirements for covered digital and ICT service management entities, including MSPs and MSSPs.

### [What is the difference between NIS2 essential and important entities?](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md#what-is-the-difference-between-nis2-essential-and-important-entities)

*Module: [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md)*

Essential entities are the higher NIS2 tier. They include large entities in Annex I high-criticality sectors, qualified trust service providers, TLD registries, DNS service providers, medium-sized public electronic communications providers, central-government public administration entities, critical entities under the CER Directive, and other entities that Member States identify as essential under the Article 3 rules.

- Run the Article 3(1) essential-entity test first.
- If the entity is covered by Annex I or Annex II but does not meet Article 3(1), treat it as important under Article 3(2).
- Do not read "important" as meaning optional or low priority; important entities carry the same Article 21 and Article 23 duties.
- Check national transposition rules because Member States establish and update entity lists and may identify additional entities.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for Article 2 scope, Article 3 classification, Article 20 governance, Article 21 measures, and Article 23 reporting.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview explaining the wider NIS2 sector scope, reporting duties, supervision, enforcement, and management accountability.

### [What obligations are the same for both tiers?](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md#what-obligations-are-the-same-for-both-tiers)

*Module: [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md)*

Both essential and important entities need management-body involvement. NIS2 requires management bodies to approve cybersecurity risk-management measures, oversee implementation, and follow training, with Member States deciding the national liability framework.

- Keep one shared Article 21 control map, but tag which legal entity and tier it supports.
- Keep one incident-notification playbook, but confirm the national CSIRT or competent authority route for each Member State.
- Keep management approvals, training evidence, and supplier-risk records with the classification memo.
- Use the Commission implementing regulation where it applies to covered digital and trust-service entities.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for shared governance, risk-management, and significant-incident reporting obligations for both tiers.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Technical and methodological requirements for specified digital infrastructure, digital provider, managed service, managed security service, and trust-service entities.

### [What changes in supervision and enforcement?](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md#what-changes-in-supervision-and-enforcement)

*Module: [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md)*

Essential entities can face stronger ongoing supervision. Article 32 lists on-site inspections, off-site supervision, random checks, regular and targeted audits, ad hoc audits, security scans, information requests, document access, and evidence requests. Essential-entity enforcement can also include a monitoring officer and, where specified measures are ineffective, temporary suspension or temporary management-function prohibition routes under national law.

- Prepare essential-entity evidence as if a competent authority may ask before an incident.
- Prepare important-entity evidence so it can withstand ex post review after an incident, complaint, scan, audit, or suspected non-compliance.
- Do not treat important-entity status as low enforcement exposure.
- Confirm national law before quoting final procedure, authority, remedy, or fine details to a customer or board.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for Article 32 essential-entity supervision, Article 33 important-entity supervision, and Article 34 administrative fine conditions.

### [What does the NIS2 24-hour early warning require?](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md#what-does-the-nis2-24-hour-early-warning-require)

*Module: [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md)*

Under NIS2 Article 23, essential and important entities notify their CSIRT or competent authority of significant incidents. The first required step is an early warning submitted without undue delay and, in any event, within 24 hours of becoming aware of the significant incident.

- Start with the Article 23 significance test: severe operational disruption, financial loss, or considerable material or non-material damage to others.
- Record the point at which the entity became aware that the incident was significant.
- Send the early warning through the national route designated for the entity, usually the CSIRT or competent authority.
- Keep the 72-hour incident notification, requested intermediate reports, and final report linked to the same incident record.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 sets the significant-incident notification duty and the 24-hour early-warning deadline.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview of NIS2 scope, sectors, and policy context for covered entities.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Further specifies significant-incident cases and awareness timing for listed digital and trust-service providers.

### [What evidence should teams keep for the NIS2 24-hour early warning?](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md#what-evidence-should-teams-keep-for-the-nis2-24-hour-early-warning)

*Module: [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md)*

The evidence file should prove both the trigger and the timing. Keep the detection record, initial assessment, awareness timestamp, affected services, notification route, warning payload, submission receipt, and escalation approvals together.

- Article 23 citation, national authority route, and the exact notification channel used.
- Awareness timestamp, significance assessment, incident commander, legal reviewer, authority-contact owner, and approval time.
- Affected network and information systems, service, country, supplier, customer group, and known or possible cross-border impact.
- Submitted early-warning text, submission receipt, acknowledgement, and any CSIRT or competent-authority request.
- Links to the 72-hour notification, requested intermediate updates, final report, mitigation actions, and lessons learned.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 defines the staged reporting sequence and the contents of the later incident notification and final report.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Explains timely assessment of suspicious events and awareness for the listed relevant entities.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance provides implementation and evidence examples for entities subject to Regulation 2024/2690.

### [Which edge cases can affect the NIS2 24-hour early-warning clock?](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md#which-edge-cases-can-affect-the-nis2-24-hour-early-warning-clock)

*Module: [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md)*

The hardest cases are usually about awareness, significance, and routing. Decide when the entity had enough certainty to treat the event as a significant incident, which Member State route applies, and whether the incident may affect recipients in more than one Member State.

- A group incident may require separate routing if different legal entities, sectors, or Member States are affected.
- A supplier or managed-service-provider alert may start triage, but the covered entity still needs its own NIS2 significance assessment.
- A possible criminal incident should be flagged because Article 23 expects guidance on law-enforcement reporting where the incident appears criminal.
- A country implementation step can add portal, language, acknowledgement, or sector-authority details beyond the EU-level text.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02022L2555-20221227&ref=sorena.io) - Article 23 covers cross-border notifications, CSIRT or authority feedback, and criminal-reporting guidance.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for understanding whether NIS2 scope and sector obligations are likely to apply.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Gives horizontal and provider-specific significant-incident criteria for the covered relevant entities.

### [What does the NIS2 72-hour incident notification require?](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md#what-does-the-nis2-72-hour-incident-notification-require)

*Module: [NIS2 72-hour incident notification](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md)*

Submit the incident notification without undue delay and in any event within 72 hours of becoming aware of a significant incident. It should update the 24-hour early warning and include the entity's initial assessment of the significant incident, including severity, impact, and indicators of compromise where those are available.

- Confirm that the incident is significant because it has caused, or is capable of causing, severe operational disruption, financial loss, or considerable material or non-material damage to others.
- Start the 72-hour clock from awareness of the significant incident, and preserve the awareness timestamp separately from detection and submission timestamps.
- Send the notification to the CSIRT or, where applicable, competent authority for the relevant Member State route.
- Update the early warning with severity, impact, affected services, cross-border indicators, and available indicators of compromise.
- Keep the submission receipt, report version, approver, and known uncertainty in the incident file.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary legal source for the 72-hour incident notification, the significant-incident threshold, and the required initial severity, impact, and indicator-of-compromise content.
- [NIS2 recital 102 on staged reporting](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Explains the purpose of the staged reporting sequence and clarifies that reporting should not divert resources from significant incident handling.

### [What should the 72-hour notification record contain?](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md#what-should-the-72-hour-notification-record-contain)

*Module: [NIS2 72-hour incident notification](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md)*

The record should be operational enough for incident responders and defensible enough for later legal, management, audit, or authority review. It should show why the incident met the significance threshold, when the organization became aware, what was submitted, and what remains open.

- Entity and service: the essential or important entity, affected service, affected systems, and Member State reporting route.
- Clock evidence: awareness time, early-warning submission, 72-hour notification submission, authority acknowledgement, and any missed or delayed step rationale.
- Impact assessment: operational disruption, financial-loss indicators, affected recipients or third parties, and material or non-material damage indicators.
- Technical facts: incident timeline, available indicators of compromise, suspected unlawful or malicious activity, and known cross-border impact.
- Follow-up plan: requested intermediate reports, mitigation work, recipient communications, final-report owner, and final-report deadline.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Identifies the staged notification content and authority route for significant incidents.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - Provides practical implementation guidance and examples of evidence for NIS2 cybersecurity risk-management requirements for entities covered by the implementing regulation.

### [What happens after the 72-hour notification?](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md#what-happens-after-the-72-hour-notification)

*Module: [NIS2 72-hour incident notification](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md)*

After the 72-hour notification, be ready to provide intermediate reports if the CSIRT or competent authority requests status updates. The final report is due not later than one month after the incident notification and should include the detailed incident description, severity and impact, likely threat type or root cause, mitigation measures, and cross-border impact where applicable.

- Track authority requests for intermediate reports and assign a status-update owner.
- Keep root-cause language qualified until the investigation supports it.
- Update mitigation evidence as containment, eradication, recovery, and longer-term remediation work progresses.
- Escalate suspected criminal conduct through the guidance path offered by the CSIRT or competent authority.
- Document cross-border and recipient-impact decisions separately from the authority submission.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Sets the intermediate-report, final-report, ongoing-incident progress-report, law-enforcement guidance, and cross-border sharing rules.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for NIS2 scope, reporting requirements, national authorities, and incident-response cooperation.

### [What does Member State transposition mean for NIS2 compliance?](/artifacts/eu/nis2-directive/faq/member-state-transposition.md#what-does-member-state-transposition-mean-for-nis2-compliance)

*Module: [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md)*

NIS2 is an EU directive, so Member States had to adopt and publish national measures to comply with it by 17 October 2024 and apply those measures from 18 October 2024. For an organization, that means the EU text is the starting point, not the final operational answer.

- Use Article 41 to anchor the EU-level deadline and application date.
- Use the Commission transposition page to find the official state-of-play and national implementation links.
- Use national law or competent-authority guidance for country-specific routing, registrations, reporting channels, and sector details.
- Record the source date reviewed, because the Commission page describes a state-of-play and does not supersede formal legal assessment.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 41](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding EU directive source for the transposition deadline and application date.
- [European Commission - NIS2 Directive transposition in EU countries](https://digital-strategy.ec.europa.eu/en/policies/nis-transposition?ref=sorena.io) - Official Commission state-of-play page for national NIS2 transposition information and country implementation links.

### [What country checks should be completed before closing the answer?](/artifacts/eu/nis2-directive/faq/member-state-transposition.md#what-country-checks-should-be-completed-before-closing-the-answer)

*Module: [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md)*

The same EU obligation can require different practical steps once national law, competent authorities, portals, and supervisory structures are applied. A central NIS2 policy should therefore keep one EU baseline and a country appendix for each relevant Member State.

- Countries in scope: where the entity is established, provides the relevant service, or has reporting or supervisory exposure.
- National source: implementing law, government page, regulator page, or competent-authority guidance used for the decision.
- Authority routing: competent authority, CSIRT, single point of contact, registration portal, or incident-reporting channel.
- Operational delta: any national detail that changes owner assignments, timelines, forms, language, evidence, or escalation paths.
- Review trigger: change in national law, Commission transposition page, authority guidance, service footprint, sector classification, or incident workflow.

Sources for this answer:

- [European Commission - NIS2 Directive transposition in EU countries](https://digital-strategy.ec.europa.eu/en/policies/nis-transposition?ref=sorena.io) - Commission transposition page (version reviewed for this answer: last updated 1 July 2025), including national implementation links and the infringement state-of-play.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview explaining NIS2 scope, Member State capabilities, cooperation, supervision, and enforcement context.

### [What should the evidence record say?](/artifacts/eu/nis2-directive/faq/member-state-transposition.md#what-should-the-evidence-record-say)

*Module: [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md)*

A defensible transposition record should separate EU baseline facts from country-specific implementation facts. This prevents a team from accidentally using an EU article number as a substitute for national authority instructions or a national form.

- EU baseline cited: directive article, obligation area, and EU-level date or rule.
- National source cited: title, URL, access date or review date, and short note on what it proves.
- Decision made: in scope or out of scope, authority route, reporting or registration step, and affected service or entity.
- Owner trail: accountable business owner, legal reviewer, security owner, and incident-response owner where relevant.
- Open questions: unsupported country-specific facts, pending legal interpretation, or authority guidance still required.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 41](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Primary legal source for the requirement that Member States adopt, publish, and apply transposition measures.
- [European Commission - NIS2 Directive transposition in EU countries](https://digital-strategy.ec.europa.eu/en/policies/nis-transposition?ref=sorena.io) - Commission source for country transposition state-of-play, including the 7 May 2025 reasoned opinions noted in the grounding.

### [What is the NIS2 size-cap rule?](/artifacts/eu/nis2-directive/faq/size-cap-rule.md#what-is-the-nis2-size-cap-rule)

*Module: [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md)*

Article 2(1) of NIS2 applies the directive to public or private entities of a type listed in Annex I or Annex II when they qualify as medium-sized enterprises under Recommendation 2003/361/EC, or exceed the medium-sized-enterprise ceilings, and provide services or carry out activities in the Union.

- Start with the sector: confirm the entity is in Annex I or Annex II before you apply any size test.
- Check whether the entity is medium-sized or larger by using the employee, turnover, and balance-sheet ceilings together, not headcount alone.
- Confirm that the entity provides services or carries out activities in the Union.
- Escalate small or micro entities when a regardless-of-size rule, critical-entity designation, domain-name-registration-service rule, or Member State rule may apply.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 2(1) sets the default NIS2 scope test for Annex I and Annex II entities that are medium-sized or exceed the medium-sized-enterprise ceilings.
- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Defines the employee, turnover, and balance-sheet ceilings that NIS2 references for the size-cap test.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview summarizing NIS2 as applying risk-management and incident-notification duties to medium-sized and large entities in covered sectors.

### [Which employee, turnover, and balance-sheet thresholds should teams check?](/artifacts/eu/nis2-directive/faq/size-cap-rule.md#which-employee-turnover-and-balance-sheet-thresholds-should-teams-check)

*Module: [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md)*

Recommendation 2003/361/EC defines the SME category as enterprises with fewer than 250 persons and annual turnover not exceeding EUR 50 million, and/or annual balance sheet total not exceeding EUR 43 million. It also defines small enterprises as fewer than 50 persons with turnover and/or balance sheet total not exceeding EUR 10 million, and microenterprises as fewer than 10 persons with turnover and/or balance sheet total not exceeding EUR 2 million.

- Confirm the latest approved headcount, then check it together with turnover and balance-sheet figures.
- Use the same legal entity or group analysis for turnover and balance-sheet total, and keep the supporting finance evidence together.
- Map the entity to the relevant Annex I or Annex II sector and the covered service it actually provides.
- Explain why the entity is medium-sized, exceeds the medium-sized-enterprise ceilings, or is escalated as a small or micro special case.
- Keep the reviewer, approval date, source citation, and reassessment trigger with the decision record.

Sources for this answer:

- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Primary source for the SME employee and financial thresholds referenced by NIS2.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - NIS2 Article 2 references Recommendation 2003/361/EC and excludes Article 3(4) of that Recommendation's Annex for NIS2 purposes.

### [Which NIS2 entities can be covered regardless of size?](/artifacts/eu/nis2-directive/faq/size-cap-rule.md#which-nis2-entities-can-be-covered-regardless-of-size)

*Module: [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md)*

The size cap is not the end of the NIS2 scope analysis. Article 2(2) applies NIS2 regardless of size to certain Annex I or Annex II entities, including providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, DNS service providers, sole providers of essential services in a Member State, entities whose disruption could significantly affect public safety, public security, or public health, entities whose disruption could induce significant systemic risk, nationally or regionally critical entities, and certain public administration entities.

- Check electronic communications, trust-service, TLD registry, DNS, and domain-name-registration-service roles first.
- Check whether the entity is a sole essential provider, creates a public-safety or public-health impact, creates systemic risk, or has national or regional criticality.
- Check whether the entity is identified as a critical entity under Directive (EU) 2022/2557.
- Check local public administration, education, and Member State implementation rules before treating a small or micro entity as out of scope.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Article 2(2), Article 2(3), and Article 2(4) list regardless-of-size scope rules and Article 2(5) permits some Member State extensions.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission policy page for NIS2 sector scope, obligations, and Member State transposition context.
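The three answers above (sector first, then the Recommendation 2003/361/EC size test, then the regardless-of-size escalation) can be written down as one repeatable decision function. The code below is an added illustration, not the page's or Sorena's own tooling; it takes finance-approved figures for the legal entity or group as given (linked-enterprise aggregation is assumed to have been done upstream) and applies the "headcount ceiling AND (turnover ceiling OR balance-sheet ceiling)" reading of the SME definition, which is the detail teams most often get wrong.

```python
from dataclasses import dataclass
from enum import Enum

EUR_M = 1_000_000


class SizeClass(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "exceeds medium-sized ceilings"


@dataclass(frozen=True)
class EntityFacts:
    headcount: int                 # latest approved headcount
    turnover_eur: float            # annual turnover, finance-approved
    balance_sheet_eur: float       # annual balance-sheet total, finance-approved
    in_annex: bool                 # entity type listed in Annex I or Annex II
    active_in_union: bool          # provides services or carries out activities in the EU
    regardless_of_size_roles: tuple = ()   # e.g. ("DNS service provider",); constructed labels


def _within(f: EntityFacts, max_head: int, max_turnover: float, max_balance: float) -> bool:
    # Recommendation 2003/361/EC: fewer than N persons AND (turnover not exceeding X
    # and/or balance-sheet total not exceeding Y). Only one financial ceiling must hold.
    return f.headcount < max_head and (
        f.turnover_eur <= max_turnover or f.balance_sheet_eur <= max_balance
    )


def size_class(f: EntityFacts) -> SizeClass:
    # Checked smallest-first so each category excludes the one below it.
    if _within(f, 10, 2 * EUR_M, 2 * EUR_M):
        return SizeClass.MICRO
    if _within(f, 50, 10 * EUR_M, 10 * EUR_M):
        return SizeClass.SMALL
    if _within(f, 250, 50 * EUR_M, 43 * EUR_M):
        return SizeClass.MEDIUM
    return SizeClass.LARGE


def nis2_scope_decision(f: EntityFacts) -> tuple[bool, str]:
    """Return (in_scope, basis) in the order the FAQ prescribes: sector, size, then Article 2(2)."""
    if not f.in_annex:
        return False, "not an Annex I or Annex II entity type"
    if not f.active_in_union:
        return False, "no services or activities in the Union"
    size = size_class(f)
    if size in (SizeClass.MEDIUM, SizeClass.LARGE):
        return True, f"Article 2(1): {size.value}"
    if f.regardless_of_size_roles:
        return True, "Article 2(2): " + ", ".join(f.regardless_of_size_roles)
    return False, f"{size.value} entity; escalate only if a critical-entity or Member State rule applies"
```

The returned basis string is meant to be copied into the decision record alongside the reviewer, approval date, and reassessment trigger.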

### [What evidence should prove a NIS2 size-cap decision?](/artifacts/eu/nis2-directive/faq/size-cap-rule.md#what-evidence-should-prove-a-nis2-size-cap-decision)

*Module: [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md)*

A defensible size-cap decision should let legal, security, finance, compliance, and operations reviewers repeat the conclusion without guessing. Keep the source rule, entity facts, sector mapping, thresholds, exception checks, and national-law routing together.

- Keep the Article 2 rule and the exact sector or exception that made the entity in scope.
- Attach the Recommendation 2003/361/EC threshold evidence and finance-approved headcount, turnover, and balance-sheet figures.
- Include linked-enterprise or group evidence only where it affects the size test, so reviewers can see the basis for aggregation.
- Record the Annex I or Annex II mapping, covered service description, operating country, and any Member State routing note.
- Name the decision owner, reviewer, approval date, and the trigger that will force a reassessment.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Binding source for NIS2 scope, essential and important entity classification, and regardless-of-size rules.
- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Primary source for the employee, turnover, and balance-sheet thresholds used in the size-cap evidence file.

*Recommended next step*

## Convert scope, control, and reporting answers into evidence-backed NIS2 work

Sorena can help turn NIS2 FAQ answers into cited decisions, owner assignments, Article 21 control evidence, Article 23 incident workflow checks, and reusable review triggers.

- [Open Research Copilot for NIS2](/solutions/research-copilot.md): Ask source-linked questions about NIS2 scope, obligations, reporting, penalties, and evidence using the cited sources on this page.
- [Talk through NIS2 implementation](/contact.md): Review your NIS2 scope decisions, Article 21 control evidence, Article 23 reporting workflow, and unresolved national implementation questions with Sorena.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/faq/items
