The global community for Corporate Sustainability Leaders

by osapiens

Critical sectors & affected entities

 Criteria that determine which companies must comply with NIS2

To fulfil its objective, the NIS2 Directive focuses on organizations that operate in critical sectors, as they are essential for the proper functioning of society and, for this reason, are often the primary target of cyber-attacks.

It is estimated that the NIS2 Directive will impact over 100,000 organizations across the EU in addition to those already within the scope of the first NIS Directive.

There are three general criteria that define which organizations must comply with NIS 2:

  1. Location: If they provide services or carry out activities in any country in the European Union (regardless of whether they are based in the EU).
  2. Size: If they are categorized as mid-sized or large organizations. That means:
    • Mid-size (50 to 250 employees and 10 to 50 million euros in annual revenue).
    • Large (more than 250 employees and 50 million euros in annual revenue).
  3. Industry: If they operate in any of the 18 sectors listed below.

Essential critical sectors:

  1. Energy
  2. Transport
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital infrastructure
  9. ICT service management (business-to-business)
  10. Public administration
  11. Space

Other critical sectors:

  1. Postal and courier services
  2. Waste management
  3. Manufacture, production and distribution of chemicals
  4. Production, processing and distribution of food
  5. Manufacturing
  6. Digital providers
  7. Research

What are essential and important entities?

“Essential entities” and “important entities” are what NIS 2 calls companies and other organizations that need to comply with NIS 2.

NIS 2 defines essential entities as follows:

  • Companies that are categorized as large and are in one of the 11 essential critical sectors.
  • Trust service providers, DNS service providers, public electronic communication networks, public administration entities, and other entities specified by Member States.

Important entities are all other organizations that are not categorized as essential entities but that meet the 3 criteria of location, size and industry.

By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.
