NIS2 size-cap rule: medium and large entity scope

Use the NIS2 size-cap rule to decide whether an Annex I or Annex II entity is covered because it is medium-sized or larger.

Check the sector first, then employee and financial thresholds, then the regardless-of-size exceptions and Member State classification rules.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

The NIS2 size-cap rule is the default scoping filter for many private and public entities: an entity in an Annex I or Annex II sector is generally in scope when it is medium-sized or larger and provides services or carries out activities in the Union. Small and micro entities are not automatically out of the analysis, because NIS2 also contains regardless-of-size and Member State identification rules.

Question 1

What is the NIS2 size-cap rule?

Article 2(1) of NIS2 applies the directive to public or private entities of a type listed in Annex I or Annex II when they qualify as medium-sized enterprises under Recommendation 2003/361/EC, or exceed the medium-sized-enterprise ceilings, and provide services or carry out activities in the Union.

In practice, do not start with headcount alone. First confirm the entity type is in an Annex I or Annex II sector, then test the Recommendation 2003/361 employee and financial ceilings, then check whether NIS2 applies regardless of size under Article 2(2), Article 2(3), or Article 2(4).

  • Start with the sector: confirm the entity is in Annex I or Annex II before you apply any size test.
  • Check whether the entity is medium-sized or larger by using the employee, turnover, and balance-sheet ceilings together, not headcount alone.
  • Confirm that the entity provides services or carries out activities in the Union.
  • Escalate small or micro entities when a regardless-of-size rule, critical-entity designation, domain-name-registration-service rule, or Member State rule may apply.
Citations
  • Directive (EU) 2022/2555 (NIS2), Article 2(1): sets the default NIS2 scope test for Annex I and Annex II entities that are medium-sized or exceed the medium-sized-enterprise ceilings.

Question 2

Which employee, turnover, and balance-sheet thresholds should teams check?

Recommendation 2003/361/EC defines the SME category as enterprises with fewer than 250 persons and annual turnover not exceeding EUR 50 million, and/or annual balance sheet total not exceeding EUR 43 million. It also defines small enterprises as fewer than 50 persons with turnover and/or balance sheet total not exceeding EUR 10 million, and microenterprises as fewer than 10 persons with turnover and/or balance sheet total not exceeding EUR 2 million.

For a NIS2 scope record, keep the latest approved headcount, annual turnover, annual balance sheet total, group or linked-enterprise analysis, sector mapping, and the legal entity that provides the covered service. NIS2 also states that Article 3(4) of the Annex to Recommendation 2003/361/EC does not apply for NIS2 purposes, so do not import that status-change rule into the NIS2 decision without local legal review.

  • Confirm the latest approved headcount, then check it together with turnover and balance-sheet figures.
  • Use the same legal entity or group analysis for turnover and balance-sheet total, and keep the supporting finance evidence together.
  • Map the entity to the relevant Annex I or Annex II sector and the covered service it actually provides.
  • Explain why the entity is medium-sized, exceeds the medium-sized-enterprise ceilings, or is escalated as a small or micro special case.
  • Keep the reviewer, approval date, source citation, and reassessment trigger with the decision record.
Question 3

Which NIS2 entities can be covered regardless of size?

The size cap is not the end of the NIS2 scope analysis. Article 2(2) applies NIS2 regardless of size to certain Annex I or Annex II entities, including providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, DNS service providers, sole providers of essential services in a Member State, entities whose disruption could significantly affect public safety, public security, or public health, entities whose disruption could induce significant systemic risk, nationally or regionally critical entities, and certain public administration entities.

Article 2(3) also applies NIS2 regardless of size to entities identified as critical entities under Directive (EU) 2022/2557, and Article 2(4) applies it regardless of size to entities providing domain name registration services. Member States may also apply NIS2 to local public administration entities and some education institutions, so the final answer may depend on national transposition.

  • Check electronic communications, trust-service, TLD registry, DNS, and domain-name-registration-service roles first.
  • Check whether the entity is a sole essential provider, creates a public-safety or public-health impact, creates systemic risk, or has national or regional criticality.
  • Check whether the entity is identified as a critical entity under Directive (EU) 2022/2557.
  • Check local public administration, education, and Member State implementation rules before treating a small or micro entity as out of scope.
Citations
  • Directive (EU) 2022/2555 (NIS2), Article 2(2), 2(3), 2(4) and 2(5): Articles 2(2) to 2(4) list the regardless-of-size scope rules, and Article 2(5) permits some Member State extensions.
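The three-step order from Questions 1 to 3 (Annex sector, Recommendation 2003/361/EC ceilings, then the regardless-of-size rules) as runnable code. This is an added example written for this page, not a tool from the FAQ's author: the flag names (for example "dns_service_provider") and the sample entities are constructed, and national transposition rules are not modelled.

```python
from dataclasses import dataclass

# Recommendation 2003/361/EC ceilings quoted in the FAQ:
# (category, staff ceiling, turnover ceiling EUR, balance-sheet ceiling EUR).
# An enterprise fits a category when headcount is BELOW the staff ceiling AND
# at least one financial ceiling is not exceeded (the "and/or" in the text).
# Figures must already reflect any linked/partner-enterprise aggregation.
CEILINGS = (
    ("micro", 10, 2_000_000, 2_000_000),
    ("small", 50, 10_000_000, 10_000_000),
    ("medium", 250, 50_000_000, 43_000_000),
)

def size_category(headcount, turnover_eur, balance_sheet_eur):
    """Smallest category whose ceilings the enterprise stays within, else 'large'."""
    for name, staff, turnover, balance in CEILINGS:
        if headcount < staff and (turnover_eur <= turnover or balance_sheet_eur <= balance):
            return name
    return "large"

@dataclass(frozen=True)
class Entity:
    name: str
    in_annex_sector: bool    # entity type listed in Annex I or Annex II
    active_in_union: bool    # provides services or carries out activities in the Union
    headcount: int
    turnover_eur: int
    balance_sheet_eur: int
    # Hypothetical flag names for Article 2(2)-2(4) triggers, e.g. "dns_service_provider".
    regardless_of_size: frozenset = frozenset()

def nis2_scope(e):
    """Apply the FAQ's order: sector, Union nexus, size test, then regardless-of-size rules."""
    if not e.in_annex_sector:
        return False, "entity type not in Annex I or II"
    if not e.active_in_union:
        return False, "no services or activities in the Union"
    size = size_category(e.headcount, e.turnover_eur, e.balance_sheet_eur)
    if size in ("medium", "large"):
        return True, f"Article 2(1): {size} entity"
    if e.regardless_of_size:
        return True, "Article 2(2)-2(4): " + ", ".join(sorted(e.regardless_of_size))
    return False, f"{size} entity, no regardless-of-size rule; check Member State rules"

if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    for s in (Entity("hospital-trust", True, True, 249, 60_000_000, 40_000_000),
              Entity("regional-dns-op", True, True, 30, 5_000_000, 4_000_000, frozenset({"dns_service_provider"}))):
        print(s.name, nis2_scope(s))
```

The first sample stays medium-sized even though its turnover exceeds EUR 50 million, because its balance sheet is within the EUR 43 million ceiling; the second is small but in scope through a regardless-of-size flag.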

Question 4

What evidence should prove a NIS2 size-cap decision?

A defensible size-cap decision should let legal, security, finance, compliance, and operations reviewers repeat the conclusion without guessing. Keep the source rule, entity facts, sector mapping, thresholds, exception checks, and national-law routing together.

Reopen the decision when headcount, turnover, balance sheet total, group structure, covered service, sector classification, Member State footprint, or critical-entity status changes.

  • Keep the Article 2 rule and the exact sector or exception that made the entity in scope.
  • Attach the Recommendation 2003/361/EC threshold evidence and finance-approved headcount, turnover, and balance-sheet figures.
  • Include linked-enterprise or group evidence only where it affects the size test, so reviewers can see the basis for aggregation.
  • Record the Annex I or Annex II mapping, covered service description, operating country, and any Member State routing note.
  • Name the decision owner, reviewer, approval date, and the trigger that will force a reassessment.
Primary sources

  • eur-lex.europa.eu: binding source for NIS2 scope, essential and important entity classification, and regardless-of-size rules. Quoted wording: "entities of a type referred to in Annex I or II".