Directive (EU) 2022/2555 entered into force 16 January 2023. Transposition deadline: 17 October 2024. National laws and competent-authority designations diverge across the 27 Member States.
Does NIS2 apply to your organisation?
Pick a sector, declare size and EU footprint. The tool maps your answer to the directive's scope rules, lists the obligations that would attach, and surfaces the competent authority and CSIRT in your primary Member State.

Scope orientation only — not a binding opinion
This tool walks the scope tests in Articles 2 and 3 of Directive (EU) 2022/2555 and the size thresholds in Article 2(1). It does not replace counsel and does not certify compliance. Member State transposition adds national-law specifics — verify with your competent authority before reporting under Article 23.

NIS2 classification
Essential entity

How this verdict was reached
Annex I sector at large size triggers essential-entity classification per Article 3(1)(a).

Obligations that attach

Article 21 — risk-management measures
Adopt appropriate technical, operational and organisational cybersecurity risk-management measures covering at least the ten domains in Article 21(2): risk analysis, incident handling, business continuity, supply-chain security, secure development, vulnerability handling, basic cyber hygiene, cryptography, HR security and access control, MFA / continuous authentication.

Article 23 — incident reporting
Significant incidents trigger a three-stage report to the competent CSIRT: early warning within 24 hours, incident notification within 72 hours, and a final report within one month (intermediate reports on request).

Article 32 — management body accountability
Management bodies approve the risk-management measures and oversee implementation; members must follow cybersecurity training. National law adds personal liability provisions on top.

Registration and deadlines
Entities providing DNS, TLD registry, cloud, data centre, CDN, managed services, online marketplace, search engine or social network must submit identifying information to ENISA via the competent authority (Article 27). National registrations were due by 17 January 2025 in most Member States — verify your national status.

Article 34 — maximum administrative fines
Essential entities: at least €10,000,000 OR 2% of the total worldwide annual turnover of the preceding financial year — whichever is higher.

Competent authority and CSIRT
Each Member State designates one or more competent authorities (Article 8) and at least one CSIRT (Article 10). Below is the contact point for Germany.
Federal Office for Information Security (BSI) and CERT-Bund — bsi.bund.de
Source: Directive (EU) 2022/2555 (NIS2), Annex I & II, Articles 2, 3, 8, 10, 21, 23, 26, 32, 34.