ISMS Copilot
Free tool

NIS 2 applicability checker

Find out whether the EU NIS 2 Directive applies to your organisation — and whether you would be an essential or an important entity — in about two minutes.

Classification follows Directive (EU) 2022/2555, Articles 2 & 3 and Annexes I & II, read with the SME thresholds in Commission Recommendation 2003/361/EC. This tool gives a structured starting point, not legal advice.

FAQ

Does NIS 2 apply to my company?
NIS 2 generally applies to medium-sized and larger organisations operating in the EU within one of the sectors listed in Annex I (sectors of high criticality) or Annex II (other critical sectors). Some entity types — including DNS service providers, TLD registries, trust service providers and public electronic communications providers — are in scope regardless of size. This checker walks the actual Article 2 and Article 3 logic to give you a structured starting-point classification.

What is the difference between an essential and an important entity?
Both face the same core security and incident-reporting obligations. The difference is supervision: essential entities are subject to proactive, ex-ante supervision; important entities are supervised reactively, ex-post. Broadly, large entities in Annex I sectors are essential, while medium-sized entities and Annex II entities are important — but several specific rules in Article 3 override this, which is why a checklist alone is unreliable.

Is this NIS 2 checker legal advice?
No. It is a free, structured starting point based on the directive’s text and your inputs. NIS 2 applicability depends on facts specific to your organisation, and several exceptions involve a judgement your competent national authority makes. Always confirm the result with that authority or your counsel before relying on it.

Do you store my answers?
No. The classification runs entirely in your browser. We do not gate the tool behind a form, and we do not capture or store the answers you enter.

Is NIS 2 transposed in my country yet?
NIS 2 is a directive, so it takes effect through national transposition law. The transposition deadline was 17 October 2024 and several Member States are still completing the process. The checker shows the transposition status we last verified for your country, with the date and a link to the official EU tracker so you can re-check.

We are below the size threshold — are we safe to ignore NIS 2?
Not necessarily. Size-independent exceptions can still bring small entities into scope, and even if you are genuinely out of direct scope, in-scope customers routinely pass NIS 2-aligned security and reporting obligations down their supply chain by contract.

By ISMS Copilot.