| Dimension | Essential entities | Important entities | Practitioner note |
|---|---|---|---|
| Scope and covered activity | Essential entities are in scope under Article 3(1): Annex I entities that exceed the medium-sized enterprise ceilings; size-independent digital actors (TLD name registries, DNS service providers and qualified trust service providers); medium-sized providers of public electronic communications networks or services; central-government public administration entities; entities identified as critical under the CER Directive; and Annex I or Annex II entities a Member State identifies as essential under Article 2(2)(b) to (e). | Important entities are in scope under Article 3(2): Annex I or Annex II entities that do not qualify as essential, which by default means medium-sized Annex I entities and all Annex II entities not already in the essential tier, plus entities a Member State identifies as important under the Article 2(2)(b) to (e) special-risk criteria. | Run the essential test first, then document why the entity either meets an Article 3(1) criterion or remains in Article 3(2). |
| Who must act | Essential entities and their management bodies must prepare for proactive supervision under Article 32 and keep evidence ready for competent authority review, including the Article 20 governance record: management-body approval of the risk-management measures, oversight of their implementation, and management training. Competent authorities can act before any problem is identified. | Important entities and their management bodies must still implement the Article 20, 21 and 23 duties, but competent authorities act only after evidence, indication or information suggests non-compliance, under Article 33. | Assign the management-body accountability owner, the Article 21 control owner and the Article 23 incident-reporting owner at the entity level before working out how the national authority interaction differs between tiers. |
| Trigger or threshold | Essential-entity status is triggered by meeting any one Article 3(1) criterion: being a large entity (above the medium-sized ceilings) in an Annex I sector, a size-independent critical digital actor, a medium-sized public electronic communications provider, a central-government public administration entity, a CER critical entity, or a Member-State-identified essential entity. | Important-entity status is the residual case: in scope under Article 2 but meeting no Article 3(1) criterion. Medium-sized Annex I entities and all Annex II entities that are not essential fall here by default unless Member State identification moves them. | Keep size evidence separate from special-case evidence so that a later change in headcount, turnover, services or designation can be reassessed cleanly without rebuilding the whole classification memo. |
| Core obligations | Essential entities must implement the appropriate and proportionate Article 21 cybersecurity risk-management measures across the listed areas, maintain Article 20 management-body approval and oversight, and report significant incidents under Article 23 within the 24-hour early-warning and 72-hour incident-notification clocks, followed by the final report due no later than one month after the notification. | Important entities carry the same Article 20, 21 and 23 obligations. The baseline is identical; only the proportionality calibration differs, reflecting the entity's degree of exposure to risk, its size, and the likelihood and severity of incidents. | Do not build a weaker control baseline for important entities; both tiers use the same Article 21 risk and proportionality framework, and both must notify significant incidents under Article 23. |
| Evidence and records | Essential-entity evidence should include the Article 3(1) classification memo, the Annex I sector mapping, the size or special-case analysis, the national entity-list registration details, Article 21 control records, Article 20 management approvals, Article 23 incident notifications, and supply-chain security documentation under Article 21(2)(d). | Important-entity evidence should cover the same families, with a clear note explaining why Article 3(1) does not apply, the Annex I or Annex II basis, registration in the national entity list, Article 21 control records, incident files, and any correspondence with the national authority. | Treat classification details, contact information, sector mapping and the list of Member States served as maintained compliance records rather than a one-time scoping exercise: they are the Article 3(4) inputs to the national entity list, and changes must be notified to the competent authority without delay and in any event within two weeks. |
| Timing and cadence | Essential entities should maintain evidence as if a proactive supervisory review could occur at any time: Article 32 authorises on-site inspections and off-site supervision including random checks, regular and targeted security audits, ad hoc audits, and security scans, without requiring a prior incident or complaint. | Important entities should be ready to produce evidence on short notice after an incident, complaint, authority scan or other signal of alleged non-compliance, because Article 33 supervision is ex post and starts from evidence, indication or information of non-compliance. | Reassess the classification after acquisitions, changes in entity size, service launches, new Member State operations, authority notices or CER critical-entity designation, because each can change the tier result. |
| Enforcement and supervisory powers | Essential-entity enforcement under Article 32 can include warnings, binding instructions, orders to cease conduct or to comply, temporary suspension of a certification or authorisation, temporary prohibition on exercising managerial functions at chief executive or legal representative level, and administrative fines. Under Article 34(4), the maximum fine Member States must provide for Article 21 or 23 infringements is at least EUR 10 million or at least 2 percent of total worldwide annual turnover in the preceding financial year, whichever is higher. | Important-entity enforcement under Article 33 can include warnings, binding instructions, orders to cease conduct or to comply, orders to implement security-audit recommendations, and administrative fines. Under Article 34(5), the maximum fine for Article 21 or 23 infringements is at least EUR 7 million or at least 1.4 percent of total worldwide annual turnover, whichever is higher. Suspension and management-function prohibition are not available against important entities. | The EUR and percentage figures are floors on the maximum fine a Member State must make available, not minimum fines. Read them with the Article 34 context and the national-implementation caveat, and confirm actual fine ranges, procedure and competent authority with local legal counsel before advising on exposure. |
| Overlap and reuse | Essential entities can reuse Article 21 control evidence, incident records and management-body documentation across multiple Member State registrations, national authority requests and customer-assurance purposes, provided the source-linked requirement and the scope boundary are consistent. | Important entities can reuse the same Article 21 evidence framework and Article 23 incident-notification playbook as the essential tier, with proportionality adjustments for size and risk. A shared control baseline reduces duplication when the legal entity boundary and Annex coverage are the same. | Document overlap explicitly whenever the same control, incident record or management approval satisfies both tiers or multiple Member States, so that a future reviewer can see the shared basis and the non-shared elements. |
| Practical decision rule | Close the essential-entity classification by recording: the Article 3(1) point relied on, the Annex row, the size or special-case basis, the Member State evidence, national registration status, the Article 21 control owner, the Article 23 reporting route, and Article 32 supervision readiness. | Close the important-entity classification by recording: why Article 3(1) does not apply, the Article 3(2) and Annex basis, the Member State evidence, national registration status, the Article 21 control owner, the Article 23 reporting route, and Article 33 ex post supervision readiness. | Close the scope review only when a future reviewer can rerun the tier decision from the cited source, the entity facts and the dated evidence without relying on project memory. |