NIS2 Scope Decoded: Which SMEs Fall Under the Directive — and What It Means for Your Business
By Anna Bergström
The NIS2 Directive dramatically expanded the scope of EU cybersecurity obligations. Thousands of medium-sized enterprises now fall under its requirements without realising it. This guide clarifies which organisations are in scope, what "essential" and "important" entity classifications mean in practice, and what you need to implement before your national transposition deadline.
Who Falls Under NIS2?
NIS2 applies to entities in 18 sectors classified as either "essential" or "important." Essential entities include energy, transport, banking, health, water, digital infrastructure, and public administration. Important entities cover postal services, waste management, manufacturing, food production, and digital providers.
The size threshold is, in general, the medium-sized enterprise: 50 or more employees, or more than €10 million in annual turnover, operating in a covered sector. Some entities are captured regardless of size, including DNS service providers, TLD name registries, and qualified trust service providers.
Key Obligations
NIS2 requires covered entities to implement cybersecurity risk management measures proportionate to their risk. Article 21 specifies minimum measures including risk analysis policies, incident handling procedures, business continuity management, supply chain security, and basic cyber hygiene practices.
Incident Reporting Requirements
Significant incidents must be reported to your national CSIRT or competent authority. Reporting follows a staged timeline: an early warning within 24 hours of becoming aware of the incident, a detailed incident notification within 72 hours, and a final report within one month.
Management Accountability
NIS2 introduces personal accountability for management bodies. Senior management must approve cybersecurity risk management measures, oversee their implementation, and undergo appropriate cybersecurity training. Failure to do so can result in personal liability.
Penalties
Essential entities face fines up to 10 million euros or 2% of global annual turnover. Important entities face up to 7 million euros or 1.4% of global turnover. Member states may also impose temporary management bans for repeated non-compliance.
How to Prepare
Determining your NIS2 scope classification is the essential first step. Our assessment includes a NIS2 scope classifier that evaluates your sector, size, and service profile against the Directive's criteria, then benchmarks your cybersecurity controls against Article 21 requirements.
Ready to check your compliance?
Run our free GDPR & NIS2 readiness assessment and get personalized recommendations in minutes.