NIS2 Scope Demystified: How to Determine If Your Organisation Is In Scope
Who should read this: Compliance officers, legal teams, sector managers, and anyone responsible for determining regulatory obligations for their organisation.
One of the most frequent questions we hear is straightforward: "Is my organisation in scope for NIS2?" The answer depends on two factors that often create confusion: what type of organisation you are, and how large you are. Yet the Directive also contains escape hatches, exceptions, and Member State discretion that can shift an organisation from out-of-scope to essential overnight.
This guide walks through the scope rules step by step. By the end, you will be able to determine definitively whether NIS2 applies to your organisation, what category you fall into, and what obligations follow. You will also understand the grey areas where Member States have discretion -- because scope is not always a yes-or-no question.
The Two-Part Test: Sector and Size
NIS2 scope rests on a simple two-part test in Article 2. First, is your organisation a type listed in Annex I or Annex II? Second, does it meet the size threshold?
If both answers are yes, your organisation is in scope -- as either an essential or important entity, depending on additional criteria.
If you fail the sector test (your entity type is not in Annex I or II), the size test is irrelevant. You are out of scope, at least for now.
If you pass the sector test but fail the size test, you are still in scope as an important entity unless your Member State designates you as essential for other reasons.
Understanding this logic is the foundation. Let us walk through each part.
Part One: The Sector Test -- Annex I and Annex II
Article 2(1) specifies that NIS2 applies to "public or private entities of a type referred to in Annex I or II." Annex I lists eleven sectors; Annex II is for digital service providers.
The eleven Annex I sectors are: energy, transport, water, health, digital infrastructure, public administration, space, chemical production and waste management, food, manufacturing, and postal services. These are broad categories, but within each are specific entity types.
For example, under energy, Annex I covers electricity undertakings, distribution system operators, transmission system operators, producers, district heating operators, oil and gas operators, and hydrogen operators. A small solar panel installer who does not operate infrastructure is not listed. A regional electricity distribution operator is.
The Annex text is prescriptive. If your organisation's type is not explicitly listed, or does not fall within the scope of a listed description, you are not in Annex I. This is strictly construed.
Annex II covers digital service providers: cloud computing service providers, data centre service providers, DNS service providers, top-level domain (TLD) name registries, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, social networking service platforms, and trust service providers (such as certificate authorities).
A technology company providing custom software to enterprises does not fall within Annex II unless it also provides one of these specific services. A company providing cloud infrastructure almost certainly does.
The first task is simple: locate your organisation in Annexes I and II. If you cannot find it, or if your entity type is not listed, you are likely out of scope under the sector test. Skip to the section on exceptions.
Understanding Annex I and II Definitions
The Annexes use references to other EU legislation to define entity types. For instance, Annex I, sector 1 (energy) references "electricity undertakings as defined in Article 2, point (57), of Directive (EU) 2019/944." This means you must consult that directive to understand who qualifies.
This layering of definitions can create ambiguity. A practical approach: if your organisation operates critical infrastructure in energy, transport, water, health, or digital services, consult both the NIS2 Directive's Annex and the underlying sectoral legislation. A lawyer familiar with that sector can usually determine scope with certainty.
One important note: the Annexes describe types of services, not ownership. A private-sector operator of district heating is in scope if listed. A state-owned energy company is in scope. Scope is function-based, not organisational-structure-based.
Part Two: The Size Test
If your organisation passes the sector test, the size rule determines whether you are in or out, and whether you are essential or important.
Article 2(1) states that the Directive applies to entities of a type in Annex I or II "which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article."
This means: you are in scope if you are a medium-sized enterprise or larger. The EU's definition of medium-sized enterprises is found in Recommendation 2003/361/EC. Under that definition:
A medium-sized enterprise has fewer than 250 employees and annual turnover not exceeding EUR 50 million, or a balance sheet total not exceeding EUR 25 million.
In other words, if you have 250+ employees, or turnover of EUR 50 million or more, or a balance sheet of EUR 25 million or more, you are at least medium-sized and in scope. If you fall below all three thresholds, you are a small enterprise or microenterprise and are out of scope -- unless Article 2(2) exceptions apply.
A critical detail: Article 2(1) of NIS2 incorporates the EU's SME definition "as is." It states: "Article 3(4) of the Annex to that Recommendation shall not apply for the purposes of this Directive." This carve-out is important: it means organisations cannot argue that they are exempt based on special circumstances recognised in the SME definition. The size thresholds are strictly applied.
Calculating Your Size
To determine your size, look at the most recent three financial years. If your organisation has been operating fewer than three years, look at the years you have operated. You must meet the thresholds for two consecutive years to qualify as the smaller category.
For turnover and balance sheet, use consolidated figures if you are part of a group. This prevents large multinational groups from escaping scope by creating small subsidiary entities.
If you are uncertain of your size, consult your financial officer and your auditor. The calculation is straightforward but must be correct.
The Essential vs Important Distinction
Once you confirm you are in scope, Article 3 determines whether you are essential or important.
An entity is essential under Article 3(1) if: (a) it is Annex I, medium-sized or larger; or (b) it is Annex I and designated by its Member State as essential; or (c) it is Annex II and exceeds certain turnover thresholds; or (d) it is Annex II and designated by its Member State as essential.
All other in-scope entities are important entities.
The practical distinction is governance and supervision intensity (discussed further in a later post). Governance obligations under Article 20 apply to both essential and important entities equally. Supervisory intensity, particularly regarding proactive audits, weighs more heavily on essential entities.
The Member State role here is critical. A small health facility might not be essential by the raw size rule, but if your Member State designates it as essential due to its role in regional healthcare, it becomes essential. This is discretionary and varies by Member State.
Critical Exceptions: When Scope Does Not Apply
There are important exceptions where organisations in Annex I or II sectors may be out of scope.
First, organisations below the size threshold are out of scope unless designated as essential by their Member State. This is clear from Article 2(1) read together with Article 2(2)(b)-(e).
Second, Article 2(2) creates Member State discretion. Member States may identify entities of a type in Annex I or II that do not meet the size threshold but are critical to the functioning of society and designate them as essential. This means a small water utility, a regional electricity cooperative, or a specialised cloud provider could become essential despite failing the size test.
Third, Annex I explicitly carves out certain subsectors in some Member States. For instance, certain gas undertakings are excluded if they do not meet specific criteria. Annex I, sector 1 (energy) specifically excludes some hydrogen operators below certain production thresholds in some Member States. These carve-outs are narrow but matter if you operate in that space.
Fourth, the Directive does not apply to entities that provide their services or carry out activities outside the Union. Article 2(1) specifies "entities...which provide their services or carry out their activities within the Union." A US-based cloud provider with no customers or infrastructure in the EU is out of scope. A European-registered entity is in scope regardless of where its headquarters are.
Member State Designation: The Wildcard
The most significant source of uncertainty is Member State designation under Article 2(2). Every Member State has discretion to identify additional entities -- beyond the size thresholds -- as essential if those entities are critical to the functioning of society or the supply of essential services.
This is not a free-for-all. Member States must act proportionately and are subject to EU oversight. But it does mean that scope is not entirely determined by the Directive itself; it also depends on your Member State's regulatory decisions.
A practical implication: even if you are below the size threshold and believe yourself out of scope, monitor your Member State's designation announcements. Many Member States are still in the process of identifying essential entities. If your organisation operates critical infrastructure, there is a non-zero risk of designation.
Conversely, if you are in scope, you should engage with your Member State regulator. Scope classifications can sometimes be challenged or clarified through dialogue.
How to Determine Your Scope Status: A Practical Workflow
Here is a step-by-step approach:
1. Check Annexes I and II: Is your organisation's entity type explicitly listed or described? If no, you are likely out of scope. If yes, move to step two.
2. Check your size: Calculate employees, turnover, and balance sheet based on the most recent completed financial year (or average of three years if available). Do you meet or exceed the medium-sized enterprise threshold? If no, move to step three. If yes, you are in scope as at least an important entity.
3. Check for Member State designation: Has your Member State identified you as essential despite failing the size test? Contact your competent authority to confirm. If designated, you are essential. If not, you are out of scope unless step four applies.
4. Check for future risk: Even if out of scope today, could your Member State designate you as essential in the future? If you operate critical infrastructure, monitor regulatory announcements. If there is significant risk, begin compliance planning now rather than waiting for designation.
5. For in-scope organisations, verify essential vs important status. Consult your Member State regulator or your national competent authority.
Sector-Specific Scope Nuances
Some sectors deserve special mention because scope can be counterintuitive.
Energy: NIS2 covers electricity, oil, gas, district heating/cooling, and hydrogen. But subsectors vary. A microgrid operator that does not meet the supply or distribution definition might be out of scope. An aggregator providing demand response services is in scope. The key is matching your exact function to Annex I descriptions.
Transport: Airlines, airports, and port authorities are covered. But a logistics company providing ground transport without owning port or airport infrastructure may be out of scope. Road transport operators are notably excluded entirely (though this may change).
Digital services: Annex II is broad, but deliberately so. If you provide one of the listed services (cloud, DNS, CDN, etc.) at any scale within the EU, you are likely in scope unless you fall below the size threshold or have no EU customers.
Health: Hospitals and healthcare providers are in scope if they meet the size threshold. But private practitioners, pharmacies, and smaller clinics may be out of scope unless designated as essential by their Member State.
Public administration: Public bodies at national, regional, and local level are in scope if they meet the size threshold. However, many public administration entities also fall under the Critical Entities Directive (2022/2557), which has its own scope rules that may differ slightly.
Key Takeaways
- NIS2 scope depends on two tests: sector (is your organisation type listed in Annex I or Annex II?) and size (are you medium-sized or larger?); you must pass both tests to be in scope, unless your Member State designates you as essential.
- Annex I covers eleven sectors (energy, transport, water, health, digital infrastructure, public administration, space, chemicals, food, manufacturing, postal); Annex II covers digital service providers; careful review of Annex text and referenced legislation is required for accurate scope determination.
- The size threshold follows the EU's SME definition: 250+ employees, or turnover of EUR 50 million+, or balance sheet of EUR 25 million+; organisations below all three thresholds are generally out of scope unless designated essential by their Member State.
- Member States have discretion under Article 2(2) to identify additional entities as essential despite failing the size test; scope is thus not entirely Directive-determined but also depends on each Member State's regulatory decisions.
- Even out-of-scope organisations should monitor Member State designation announcements, particularly if they operate critical infrastructure; the compliance deadline of 12 May 2025 is fixed, so early engagement with regulators reduces compliance risk.
