Directive (EU) 2022/2555 entered into force on 16 January 2023. Transposition deadline: 17 October 2024. National laws and competent-authority designations diverge across the 27 Member States.
Does NIS2 apply to your organisation?
Pick a sector, declare size and EU footprint. The tool maps your answer to the directive's scope rules, lists the obligations that would attach, and surfaces the competent authority and CSIRT in your primary Member State.
NIS2 scope at a glance
NIS2 (Directive (EU) 2022/2555) entered into force on 16 January 2023, with a Member-State transposition deadline of 17 October 2024. It applies to entities in the 18 Annex I and Annex II sectors that are medium or large — except that DNS providers, TLD registries, trust service providers, providers of public electronic communications, and public administration entities are in scope regardless of size (Article 2(2)). A non-EU entity offering those services in the Union is also in scope through a designated representative under Article 26(3), with the full obligations and Article 34 fines (essential: ≥ €10M / 2%; important: ≥ €7M / 1.4%). Use the checker below to map your sector, size and EU footprint to a verdict and the competent authority in your Member State.
Sources: EUR-Lex — Directive (EU) 2022/2555 (CELEX 32022L2555) · Article 2 — scope and size-independent categories · Article 26 — non-EU entities · Article 34 — fines.
Last updated 12 Jun 2026 · Scope logic verified 12 Jun 2026 against the European Commission NIS2 page and the directive text (dataset v1.1.0).
Frequently asked questions
Is my small DNS / TLD / trust-service / public-comms business exempt because it is under 50 employees?
No. Article 2(2) of Directive (EU) 2022/2555 puts DNS service providers, top-level-domain name registries, trust service providers, and providers of public electronic communications networks or services in scope regardless of size. The micro/small exclusion in Article 2(1) does not apply to those categories — a small DNS provider is an essential entity with the full obligation stack.
I'm a non-EU company (e.g. a US cloud or SaaS provider) serving EU customers — am I out of scope?
No. Under Article 26(3), a non-EU entity that offers the listed services in the Union is in scope through a designated EU representative. It carries the full Article 21 risk-management, Article 23 incident-reporting and Article 32 management-accountability duties and is subject to Article 34 fines — not merely a “designate a representative and register” duty.
What's the difference between an essential and an important entity?
Annex I (high-criticality) sectors at large size are essential entities (Article 3(1)(a)); Annex I at medium size, and all Annex II (other-critical) sectors, are important entities (Article 3(2)). Essential entities face proactive supervision; important entities face ex-post supervision. The classification also sets the Article 34 fine ceiling.
What are the maximum NIS2 fines?
Under Article 34, essential entities face at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher; important entities face at least €7,000,000 or 1.4%, whichever is higher. National transposing law sets the actual penalty regime on top.
When did NIS2 take effect and when was it due to be transposed?
The directive entered into force on 16 January 2023 and Member States were required to transpose it into national law by 17 October 2024. Many Member States missed that deadline, so the precise rules and the competent authority depend on your national transposing act — verify with the authority surfaced in the result panel.
Does this tool give me a binding compliance opinion?
No. It walks the scope tests in Articles 2, 3 and 26 of the directive and is a free orientation aid, not legal advice. National transposition adds specifics, and edge cases (sole providers of an essential service, group-level thresholds) need a lawyer. Confirm with your competent authority before reporting under Article 23.