---
title: "NIS2 Size Cap Rule and Special Scope Cases"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/size-cap-and-special-cases"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/size-cap-and-special-cases"
author: "Sorena AI"
description: "Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 size cap"
  - "NIS2 scope"
  - "NIS2 special cases"
  - "essential entities"
  - "important entities"
  - "Recommendation 2003/361/EC"
  - "Article 2 NIS2"
  - "Article 3 NIS2"
  - "EU NIS2 Directive"
  - "size cap rule"
  - "special cases"
  - "SME definition"
---

# NIS2 Size Cap Rule and Special Scope Cases

Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.

## NIS2 size cap and special cases

Use this guide to decide whether an entity falls into NIS2 because it is medium-sized or larger, because it is covered regardless of size, or because a Member State has identified it as essential or important.

This guide is grounded in Directive (EU) 2022/2555, Commission Recommendation 2003/361/EC, the Commission Article 3(4) guidelines, and the Commission NIS2 overview.

The NIS2 size-cap question is not just a headcount check. Article 2 starts with medium-sized and larger entities in Annex I or Annex II sectors, then adds several categories that can be in scope regardless of size. A defensible scope record should show the entity type, sector, size calculation, special-case analysis, Member State status, and registration evidence.

## Start with the NIS2 size-cap rule

Article 2(1) applies NIS2 to public or private entities of a type listed in Annex I or Annex II when they qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the medium-sized enterprise ceilings, and provide services or carry out activities within the Union.

For a practical scope file, that means two questions must both be answered before relying on the general size-cap rule: does the entity match an Annex I or Annex II type, and does the entity meet or exceed the relevant SME size test?

- Record the Annex I or Annex II sector, subsector, and type of entity before applying headcount or financial data.
- Treat medium-sized and larger entities in covered sectors as the general NIS2 starting point, not as the whole scope analysis.
- Use the latest approved accounting period for SME headcount and financial data, unless the entity is newly established and must rely on a good-faith estimate.
- Document whether the entity is autonomous, partner, or linked, because Recommendation 2003/361/EC requires related enterprise data to be considered when calculating size.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 2](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary legal source for the NIS2 scope rule covering Annex I and Annex II entities that are medium-sized or larger.
- [Commission Recommendation 2003/361/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Defines SME categories, including staff headcount and financial ceilings used by the NIS2 size-cap rule.

## Apply the regardless-of-size special cases

Article 2(2) brings certain Annex I or Annex II entities into NIS2 regardless of size. These cases include providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, and DNS service providers.

The same paragraph also captures entities where the service has a critical role: the sole provider in a Member State of a service essential for critical societal or economic activities, services whose disruption could significantly affect public safety, public security, or public health, services that could create significant systemic risk, and entities of specific national or regional importance.

- Do not stop the review because the entity is small or micro if it provides a service listed in Article 2(2)(a).
- Check whether a Member State has identified the entity because it is a sole provider, creates systemic risk, or is important at national or regional level.
- Separate EU-level regardless-of-size categories from Member State determinations, because evidence and authority contacts may differ.
- Flag trust service providers carefully: Article 2 excludes some public-sector activities, but that exclusion does not apply where the entity acts as a trust service provider.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 2(2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Lists the special cases where NIS2 applies regardless of entity size.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview describing NIS2 scope expansion and the general rule for medium-sized and large entities in critical sectors.

## Classify essential versus important after scope is established

The size-cap decision answers whether NIS2 can apply; Article 3 then determines whether the scoped entity is essential or important. Annex I entities that exceed the medium-sized enterprise ceilings are essential entities, while many other in-scope entities are important unless Article 3 places them in the essential category.

Several categories are essential regardless of size or through a specific rule: qualified trust service providers, top-level domain name registries, DNS service providers, central government public administration entities, entities identified as critical under Directive (EU) 2022/2557, and entities a Member State identifies as essential under Article 2(2)(b) to (e).

- Use one evidence line for scope and a separate evidence line for essential or important classification.
- Check whether the entity is an Annex I entity exceeding the medium-sized enterprise ceilings before treating it as essential on size grounds.
- Check whether the entity is a qualified trust service provider, TLD registry, or DNS service provider, because Article 3 treats those categories as essential regardless of size.
- Save the Member State source when an entity is identified as essential or important by national classification rather than by the general size rule alone.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2), Article 3](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary legal source for essential and important entity classification after scope is determined.
- [Directive (EU) 2022/2555 (NIS2), Annex I and Annex II](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Lists the high-criticality and other critical sectors that must be mapped before applying the size-cap and classification rules.

## Use the SME definition correctly

Recommendation 2003/361/EC defines the SME category as enterprises with fewer than 250 persons and annual turnover not exceeding EUR 50 million and/or annual balance sheet total not exceeding EUR 43 million. Small enterprises are below 50 persons and EUR 10 million turnover and/or balance sheet total; microenterprises are below 10 persons and EUR 2 million turnover and/or balance sheet total.

The calculation can change when an entity has partner or linked enterprises. Recommendation 2003/361/EC requires proportional aggregation for partner enterprises and full aggregation for linked enterprises in the situations described in Article 6 of its Annex. NIS2 also states that Article 3(4) of that Recommendation does not apply for NIS2 purposes.

- Keep the source accounts, headcount method, turnover amount excluding VAT and indirect taxes, balance sheet total, and accounting period in the scope record.
- Record whether the entity crossed a threshold over two consecutive accounting periods when relying on Recommendation 2003/361/EC status changes.
- Include partner and linked enterprise analysis where ownership, voting rights, control, or group accounts could change the size result.
- Escalate borderline group structures to legal or finance reviewers instead of treating a local subsidiary's standalone headcount as conclusive.

Sources for this answer:

- [Commission Recommendation 2003/361/EC, Annex Articles 2, 4, and 6](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Defines SME ceilings, reference-period rules, and aggregation rules for partner and linked enterprises.
- [Directive (EU) 2022/2555 (NIS2), Article 2(1)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - States that Article 3(4) of the SME Recommendation Annex does not apply for NIS2 purposes.

## Maintain registration and list evidence

Article 3 requires Member States to establish a list of essential and important entities and entities providing domain name registration services by 17 April 2025, then review and update it regularly and at least every two years. The Commission Article 3(4) guidelines explain the information that Member States should require for those lists and for related registration mechanisms.

The scope record should therefore include both the entity's own legal analysis and any Member State registration, list, notification, or self-registration evidence. This is especially important for cross-border providers and for entities that may fall under Article 27 registration duties.

- Store the entity name, address, current contact details, IP ranges, sector, subsector, type of entity, and Member States where services are provided when those fields are requested by national mechanisms.
- Track changes to submitted information, because Article 27 entities must notify changes without delay and in any event within three months of the change.
- Keep national authority correspondence separate from the EU legal basis so reviewers can distinguish directive scope from local implementation steps.
- Review the size and special-case analysis when services, countries, ownership, group accounts, or sector activities materially change.

Sources for this answer:

- [Commission Guidelines on NIS2 Article 3(4)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A324%3AFULL&ref=sorena.io) - Commission guidance and template context for Member State lists of essential and important entities and domain name registration service providers.
- [Directive (EU) 2022/2555 (NIS2), Articles 3 and 27](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Sets listing and registration-related requirements, including regular list updates and information for specified digital providers.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary NIS2 legal text for scope, essential and important entity classification, registration, and sector annexes.
  - Quote: "high common level of cybersecurity across the Union"
- [Commission Recommendation 2003/361/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Defines micro, small, and medium-sized enterprises, including headcount, turnover, balance sheet, partner, and linked enterprise rules.
  - Quote: "definition of micro, small and medium-sized enterprises"
- [Commission Guidelines on NIS2 Article 3(4)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A324%3AFULL&ref=sorena.io) - Guidelines and template context for Member State lists and registration information under NIS2 Article 3(4).
  - Quote: "By 17 April 2025"
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview of NIS2 scope, sectors, risk-management duties, reporting requirements, and implementation context.
  - Quote: "18 critical sectors"

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

