TECHNOMATON | Docs SAI Certified Trainers

NIS2 | Scope Determination

Guide for determining whether your organisation falls under NIS2 and in which category.


Decision Tree


Annex I --- Essential Entities

Detailed Sector Overview

| # | Sector | Sub-sectors | Example entities |
|---|--------|-------------|------------------|
| 1 | Energy | Electricity | Generators, distributors, suppliers, exchanges |
|   |        | Oil | Pipeline operators, refineries |
|   |        | Gas | Distributors, LNG terminals, storage |
|   |        | Hydrogen | Producers, infrastructure operators |
|   |        | Heat | District heating |
| 2 | Transport | Aviation | Airports, airlines, handling |
|   |        | Rail | Infrastructure managers, carriers |
|   |        | Maritime | Ports, ferries, inland waterways |
|   |        | Road | Motorway managers, ITS |
| 3 | Banking | | Credit institutions |
| 4 | Financial markets | | Exchanges, clearing houses, trade repositories |
| 5 | Healthcare | | Hospitals, laboratories, pharmaceutical manufacturers, medical device manufacturers |
| 6 | Drinking water | | Drinking water suppliers |
| 7 | Waste water | | Waste water treatment operators |
| 8 | Digital infrastructure | | DNS, TLD, cloud computing, data centres, CDN, IXP |
| 9 | ICT services B2B | | Managed services, managed security services |
| 10 | Public administration | | Central bodies, regional (above threshold) |
| 11 | Space | | Satellite operators |

Annex II --- Important Entities

| # | Sector | Sub-sectors | Example entities |
|---|--------|-------------|------------------|
| 1 | Postal services | | Couriers, postal operators |
| 2 | Waste | | Collection, processing, recycling |
| 3 | Chemicals | | Manufacturing, distribution |
| 4 | Food | | Production, processing, distribution |
| 5 | Manufacturing | Medical devices | Medical device manufacturers |
|   |        | Computers/electronics | Computer and electronics manufacturers |
|   |        | Machinery | Machine and equipment manufacturers |
|   |        | Motor vehicles | Automotive manufacturers |
|   |        | Transport equipment | Other transport equipment |
| 6 | Digital services | | Online marketplace, search engines, social networks |
| 7 | Research | | Research organisations |

Size Criteria

Rules

| Criterion | Essential (Annex I) | Important (Annex II) |
|-----------|---------------------|----------------------|
| Employees | >50 | >50 |
| OR Turnover | >EUR 10M | >EUR 10M |
| OR Balance sheet | >EUR 10M | >EUR 10M |

Exceptions (Automatically IN SCOPE regardless of size)

  • DNS service providers
  • TLD name registries
  • Cloud computing providers
  • Data centre providers
  • CDN providers
  • Qualified trust service providers
  • Public administration (central bodies)
  • Critical suppliers of essential entities

Self-Assessment Checklist

Step 1: Sector Identification

  • We are in an Annex I sector
  • We are in an Annex II sector
  • We are not in any regulated sector

Step 2: Size Verification

| Criterion | Your value | Met? |
|-----------|------------|------|
| Number of employees | | [ ] >50 |
| Annual turnover | EUR______ | [ ] >EUR 10M |
| Annual balance sheet | EUR______ | [ ] >EUR 10M |

Step 3: Exceptions

  • We are automatically IN SCOPE (DNS, cloud, DC, TLD, CDN)
  • We are a critical supplier of an essential entity
  • We are the sole provider in the region

Step 4: Conclusion

| Result | Your situation |
|--------|----------------|
| [ ] Essential Entity | Annex I + size criteria met |
| [ ] Important Entity | Annex II + size criteria met |
| [ ] Out of Scope | Criteria not met |

Differences Between Essential and Important

| Aspect | Essential | Important |
|--------|-----------|-----------|
| Supervision | Proactive (ex-ante) | Reactive (ex-post) |
| Audits | Regular | Incident-based |
| Penalties | Higher (up to EUR 10M / 2%) | Lower (up to EUR 7M / 1.4%) |
| Reporting | Stricter | Standard |
| Management liability | Higher | Standard |

Scope Determination Record


Next Steps

  1. Scope determined
  2. ISMS requirements
  3. Compliance checklist
  4. Register with national authority (if applicable)