NIS2 Art.1–4: Scope, Essential vs Important Entities, and Sector-Specific Acts — Complete Developer Guide (2026)
The NIS2 Directive (EU) 2022/2555 is the foundational cybersecurity regulation for the European Union. Before you implement any NIS2 obligation — risk management measures under Art.21, incident reporting under Art.23, or supply chain security under Art.21(2)(d) — you must answer a prior question: does NIS2 apply to your organisation at all, and if so, in which category?
Articles 1 through 4 answer that question. They define NIS2's subject matter, its scope, the two-tier entity classification (essential vs important), and the relationship to sector-specific Union law. This guide covers all four articles with practical developer-facing analysis, a Python implementation for entity classification, and a readiness checklist.
Art.1: Subject Matter — What NIS2 Creates
Article 1 sets out NIS2's legislative purpose. The Directive does not simply impose security obligations — it establishes an entire governance architecture across the Union.
The Five Pillars of Art.1
Pillar 1 — Minimum cybersecurity obligations for entities: Art.1(1)(a) requires member states to oblige essential and important entities to take appropriate and proportionate technical, operational and organisational measures under Art.21. This is the risk management obligation familiar from Art.21(2)(a)–(j).
Pillar 2 — National cybersecurity strategies: Art.1(1)(b) requires each member state to adopt a national cybersecurity strategy. Germany has the "Nationale Cyber-Sicherheitsstrategie 2021–2026"; the Netherlands has the "NCSS 2022–2028"; Austria operates the "Österreichische Cyber-Sicherheitsstrategie 2021+."
Pillar 3 — Competent authorities and CSIRT network: Art.1(1)(c)–(d) establish national competent authorities (NCAs) with supervisory and enforcement powers, and a network of Computer Security Incident Response Teams (CSIRTs). The CSIRTs network provides the technical backbone for cross-border incident coordination.
Pillar 4 — Cooperation Group: Art.1(1)(e) creates the NIS Cooperation Group, a strategic-level body connecting national representatives, the Commission, and ENISA to exchange best practices and develop policy.
Pillar 5 — Coordinated vulnerability disclosure: Art.1(1)(f) establishes a Union-level framework for responsible/coordinated vulnerability disclosure under Art.12, with ENISA as the coordinating body.
What Art.1 Does Not Do
Art.1(3) preserves the primacy of Regulation (EU) 2016/679 (GDPR) in matters of personal data protection. NIS2 does not modify GDPR's requirements — it adds parallel obligations. When a cybersecurity incident also involves a personal data breach, both NIS2 Art.23 (incident reporting to the NCA) and GDPR Art.33 (notification to the supervisory authority) apply concurrently.
Art.1(7) clarifies that NIS2 does not affect Directive 2002/58/EC (ePrivacy) or Regulation (EU) 2018/1725 (data protection in EU institutions).
Art.2: Scope — The Three-Layer Test
Determining whether your organisation falls within NIS2's scope requires applying a three-layer test. Failing any layer means NIS2 does not apply.
Layer 1: Sector Test (Annex I or Annex II)
Your organisation must operate in a sector listed in Annex I (highly critical sectors) or Annex II (other critical sectors).
Annex I — Highly Critical Sectors:
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen production/transmission/distribution |
| Transport | Air, rail, water, road transport operators |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Healthcare providers, reference laboratories, medical device manufacturers |
| Drinking water | Suppliers and distributors |
| Wastewater | Operators of wastewater collection/treatment |
| Digital infrastructure | IXPs, DNS providers, TLD registries, cloud computing, data centres, CDNs, trust service providers, public electronic communications networks |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central and regional government bodies |
| Space | Operators of ground-based infrastructure supporting space-based services |
Annex II — Other Critical Sectors:
| Sector | Examples |
|---|---|
| Postal and courier services | Postal service providers under Directive 97/67/EC |
| Waste management | Operators of waste collection, transport, recovery or disposal |
| Manufacture, production and distribution of chemicals | REACH-regulated manufacturers |
| Food production, processing and distribution | Manufacturers with significant market share |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles, other transport equipment |
| Digital providers | Online marketplaces, online search engines, social networking services |
| Research | Research organisations (optional designation by member states) |
Key insight for SaaS/cloud developers: If your organisation provides cloud computing services, data centre services, content delivery networks, or managed service/security service offerings, you fall in Annex I (digital infrastructure). This is the highest-risk category — essential entity status applies if you also meet the size threshold below.
Layer 2: Size Threshold Test
Art.2(1) applies NIS2 to entities that are at least medium-sized enterprises under the EU SME definition (Commission Recommendation 2003/361/EC).
| Category | Employees | AND/OR | Annual Turnover | AND | Balance Sheet Total |
|---|---|---|---|---|---|
| Large enterprise | ≥ 250 | — | > €50M | OR | > €43M |
| Medium enterprise | ≥ 50 and < 250 | — | ≤ €50M | AND | ≤ €43M |
| Small enterprise (out of scope) | < 50 | — | ≤ €10M | AND | ≤ €10M |
| Micro enterprise (out of scope) | < 10 | — | ≤ €2M | AND | ≤ €2M |
Important: The employee count and the financial thresholds are assessed together, and the headcount criterion alone can be decisive. An entity with 300 employees but only €8M turnover meets the "large" headcount criterion and therefore falls within scope.
Linked enterprise calculation: Under EU SME rules, employee counts and turnover must be calculated on a consolidated basis when an entity is part of a corporate group (Art.3(2)–(4) of Recommendation 2003/361/EC). A startup with 40 employees but owned by a large corporation may be treated as a large enterprise for NIS2 purposes.
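As an added example (not the page's own code), the following extends the linked-enterprise point above to the full aggregation rule of Recommendation 2003/361/EC Art.6, including partner enterprises counted pro rata, and then applies the size ceilings using the Recommendation's and/or wording (headcount is decisive; staying under either financial ceiling keeps an enterprise in the smaller class). Enterprise names and figures are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class SizeClass(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "large"


@dataclass
class Enterprise:
    """Stand-alone figures from the latest approved accounts (constructed sample data below)."""
    name: str
    employees: float          # annual work units; part-time staff make this fractional
    turnover_eur: float
    balance_sheet_eur: float


@dataclass
class Holding:
    """Another enterprise that holds a stake in, or is held by, the one being assessed."""
    other: Enterprise
    share: float             # fraction of capital or voting rights, whichever is higher
    control: bool = False    # dominant influence (e.g. board majority) makes it linked at any share


def consolidate(entity: Enterprise, holdings: list[Holding]) -> Enterprise:
    """Aggregate figures per Recommendation 2003/361/EC Art.6.

    share < 25 % and no control  -> autonomous: nothing added
    25 % <= share <= 50 %        -> partner: figures added pro rata to the share
    share > 50 % or control      -> linked: figures added in full
    """
    emp, turn, bal = entity.employees, entity.turnover_eur, entity.balance_sheet_eur
    for h in holdings:
        if h.control or h.share > 0.5:
            weight = 1.0
        elif h.share >= 0.25:
            weight = h.share
        else:
            continue
        emp += weight * h.other.employees
        turn += weight * h.other.turnover_eur
        bal += weight * h.other.balance_sheet_eur
    return Enterprise(f"{entity.name} (consolidated)", emp, turn, bal)


def size_class(e: Enterprise) -> SizeClass:
    """Art.2 of the Recommendation: headcount is decisive; for the financial
    ceilings it is enough to stay under either turnover or balance sheet total."""
    def within(max_emp: int, max_turn: float, max_bal: float) -> bool:
        return e.employees < max_emp and (e.turnover_eur <= max_turn or e.balance_sheet_eur <= max_bal)

    if within(10, 2e6, 2e6):
        return SizeClass.MICRO
    if within(50, 10e6, 10e6):
        return SizeClass.SMALL
    if within(250, 50e6, 43e6):
        return SizeClass.MEDIUM
    return SizeClass.LARGE


def meets_nis2_size_threshold(e: Enterprise) -> bool:
    """NIS2 Art.2(1): medium-sized or larger, judged on the consolidated figures."""
    return size_class(e) in (SizeClass.MEDIUM, SizeClass.LARGE)


# Constructed sample group: a 40-person startup wholly owned by a large corporation.
STARTUP = Enterprise("StartupCo (sample)", 40, 5_000_000, 3_000_000)
PARENT = Enterprise("BigCorp (sample)", 3_000, 900_000_000, 700_000_000)

if __name__ == "__main__":
    print(size_class(STARTUP).value)                                  # small: out of scope on its own
    group = consolidate(STARTUP, [Holding(PARENT, share=1.0)])
    print(size_class(group).value, meets_nis2_size_threshold(group))  # large True
```

A minority stake below 25 % leaves the startup autonomous, while a 30 % partner stake by a mid-sized investor is enough to push it into the medium class and hence into scope.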
Layer 3: Special Cases Regardless of Size
Art.2(2) lists categories of entities that fall within NIS2's scope regardless of size:
Art.2(2)(a): Providers of public electronic communications networks or publicly available electronic communications services under Directive 2018/1972 (EECC). A small ISP with 15 employees is in scope.
Art.2(2)(b): Trust service providers under Regulation (EU) 910/2014 (eIDAS). Qualified trust service providers are always in scope.
Art.2(2)(c): Top-level domain (TLD) name registries and domain name system (DNS) service providers. Operators of country-code TLDs (ccTLDs) such as .de, .nl, .at are always in scope.
Art.2(2)(d): Entities designated as critical under Directive 2022/2557 (CER Directive — critical entities resilience). If you have been identified as a critical entity under CER, NIS2 applies automatically.
Art.2(2)(e): Sole providers in a member state of an essential service, or providers whose service disruption would have significant systemic impact.
Art.2(3): Member states may extend NIS2 scope to additional entities beyond these categories — they may designate further entities as essential or important.
Art.2(4): Member states may apply NIS2 to public administration entities at local level and public education institutions (optional).
The Exclusion: State Security and Law Enforcement
Art.2(7) explicitly excludes entities in national security, public security, defence, and law enforcement activities. A Ministry of Defence or intelligence service is not a NIS2-regulated entity — different national frameworks apply.
Art.3: Essential vs Important — The Two-Tier Classification
Once your organisation passes the scope test, Art.3 determines its classification: essential entity or important entity. This distinction matters because enforcement intensity differs (Art.32 vs Art.33) and the supervisory regime differs (ex ante vs ex post in several member states).
Essential Entities (Art.3(1))
An entity is classified as essential if it meets one of these criteria:
Category A — Large entities in Annex I: Large enterprises (≥250 employees or >€50M turnover/€43M balance sheet) operating in Annex I sectors.
Category B — Qualified trust service providers: All qualified trust service providers under eIDAS Regulation are essential entities, regardless of size.
Category C — TLD registries and DNS providers at Union level: TLD name registries and DNS service providers specified in Art.2(1) that serve the Union level.
Category D — Sole providers of essential services: Entities that are the sole provider of a service essential for critical societal or economic activities in a member state.
Category E — Cross-border systemic impact: Entities whose disruption would have significant systemic effects across member states.
Category F — Critical entity under CER Directive: Entities designated as critical under Directive 2022/2557.
Category G — Designated by member states for national security: Entities that a member state has specifically designated as essential for national security, public safety, or comparable reasons.
Important Entities (Art.3(2))
An entity is classified as important if it is in scope but does not qualify as essential:
- Medium or large enterprises in Annex I sectors that do not meet essential entity criteria
- Medium or large enterprises in Annex II sectors
- Qualified trust service providers that are not otherwise designated as essential
- DNS service providers, TLD registries, and public electronic communications providers not already classified as essential
The Registration Obligation (Art.3(3)–(5))
By 17 April 2025, essential and important entities were required to self-register with their national competent authority. Registration includes:
- Entity name, relevant sector and subsector
- Type of entity (essential/important), member states where services are provided
- Contact details including IP ranges and email addresses
Member states that established registers are using them as the basis for supervisory prioritisation.
Python Entity Classifier
```python
from dataclasses import dataclass, field
from enum import Enum


class Sector(Enum):
    # Annex I — Highly Critical
    ENERGY = "energy"
    TRANSPORT = "transport"
    BANKING = "banking"
    FINANCIAL_MARKET_INFRA = "financial_market_infrastructure"
    HEALTH = "health"
    DRINKING_WATER = "drinking_water"
    WASTEWATER = "wastewater"
    DIGITAL_INFRA = "digital_infrastructure"
    ICT_SERVICE_MGMT = "ict_service_management_b2b"
    PUBLIC_ADMIN = "public_administration"
    SPACE = "space"
    # Annex II — Other Critical
    POSTAL = "postal_and_courier"
    WASTE_MGMT = "waste_management"
    CHEMICALS = "chemicals"
    FOOD = "food"
    MANUFACTURING = "manufacturing"
    DIGITAL_PROVIDERS = "digital_providers"
    RESEARCH = "research"
    # Not in scope
    NOT_IN_SCOPE = "not_in_scope"


ANNEX_I_SECTORS = {
    Sector.ENERGY, Sector.TRANSPORT, Sector.BANKING,
    Sector.FINANCIAL_MARKET_INFRA, Sector.HEALTH,
    Sector.DRINKING_WATER, Sector.WASTEWATER,
    Sector.DIGITAL_INFRA, Sector.ICT_SERVICE_MGMT,
    Sector.PUBLIC_ADMIN, Sector.SPACE,
}

ANNEX_II_SECTORS = {
    Sector.POSTAL, Sector.WASTE_MGMT, Sector.CHEMICALS,
    Sector.FOOD, Sector.MANUFACTURING, Sector.DIGITAL_PROVIDERS,
    Sector.RESEARCH,
}


class EntityClassification(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out_of_scope"


@dataclass
class OrganisationProfile:
    name: str
    sector: Sector
    employees: int
    annual_turnover_eur: float
    balance_sheet_eur: float
    is_qualified_trust_service_provider: bool = False
    is_tld_registry_or_dns_provider: bool = False
    is_public_comms_provider: bool = False
    is_cer_critical_entity: bool = False
    is_sole_essential_service_provider: bool = False
    is_cross_border_systemic: bool = False
    member_state_designated_essential: bool = False


@dataclass
class ClassificationResult:
    classification: EntityClassification
    basis: list[str] = field(default_factory=list)
    supervisory_regime: str = ""
    registration_required: bool = False
    notes: list[str] = field(default_factory=list)


class NIS2EntityClassifier:
    """
    Classifies organisations under NIS2 Directive (EU) 2022/2555 Art.2-3.
    Reference: Art.2 (scope), Art.3 (essential/important),
    Annex I, Annex II, Commission Rec. 2003/361/EC (SME thresholds).
    """

    def classify(self, org: OrganisationProfile) -> ClassificationResult:
        result = ClassificationResult(
            classification=EntityClassification.OUT_OF_SCOPE,
            registration_required=False,
        )

        # Step 1: Size classification (thresholds as in the size table above)
        is_large = (
            org.employees >= 250 or
            org.annual_turnover_eur > 50_000_000 or
            org.balance_sheet_eur > 43_000_000
        )
        is_medium = (
            not is_large and (
                org.employees >= 50 or
                org.annual_turnover_eur > 10_000_000 or
                org.balance_sheet_eur > 10_000_000
            )
        )

        # Step 2: Special cases under Art.2(2)-(3) — in scope regardless of size
        special_case_inscope = (
            org.is_public_comms_provider or              # Art.2(2)(a)
            org.is_qualified_trust_service_provider or   # Art.2(2)(b)
            org.is_tld_registry_or_dns_provider or       # Art.2(2)(c)
            org.is_cer_critical_entity or                # Art.2(2)(d)
            org.is_sole_essential_service_provider or    # Art.2(2)(e)
            org.is_cross_border_systemic or              # Art.2(2)(e), systemic impact
            org.member_state_designated_essential        # Art.2(3), national designation
        )
        in_annex_i = org.sector in ANNEX_I_SECTORS
        in_annex_ii = org.sector in ANNEX_II_SECTORS

        # Step 3: Sector + size scope check
        in_scope_by_sector_size = (
            in_annex_i or in_annex_ii
        ) and (is_large or is_medium)

        if not (special_case_inscope or in_scope_by_sector_size):
            result.classification = EntityClassification.OUT_OF_SCOPE
            result.notes.append("Neither sector+size threshold nor Art.2(2) special case met.")
            return result

        # Step 4: Essential entity criteria (Art.3(1))
        essential_grounds = []
        if in_annex_i and is_large:
            essential_grounds.append("Large entity in Annex I sector (Art.3(1)(a))")
        if org.is_qualified_trust_service_provider:
            essential_grounds.append("Qualified trust service provider (Art.3(1)(b))")
        if org.is_tld_registry_or_dns_provider and org.sector == Sector.DIGITAL_INFRA:
            essential_grounds.append("TLD registry / DNS provider — Union-level services (Art.3(1)(c))")
        if org.is_sole_essential_service_provider:
            essential_grounds.append("Sole provider of essential service in member state (Art.3(1)(d))")
        if org.is_cross_border_systemic:
            essential_grounds.append("Cross-border systemic impact (Art.3(1)(e))")
        if org.is_cer_critical_entity:
            essential_grounds.append("Designated critical entity under CER Directive (Art.3(1)(f))")
        if org.member_state_designated_essential:
            essential_grounds.append("Member-state designation as essential (Art.3(1)(g))")

        if essential_grounds:
            result.classification = EntityClassification.ESSENTIAL
            result.basis = essential_grounds
            result.supervisory_regime = (
                "Art.32 — proactive (ex ante) supervision: regular audits, "
                "targeted inspections, on-site checks, off-site supervision"
            )
            result.registration_required = True
        else:
            # Art.3(2): in scope but no essential ground applies
            result.classification = EntityClassification.IMPORTANT
            if in_scope_by_sector_size:
                result.basis.append(
                    f"{'Annex I' if in_annex_i else 'Annex II'} sector + "
                    f"{'large' if is_large else 'medium'} enterprise — does not meet essential criteria"
                )
            else:
                # Reached only via an Art.2(2) special case (e.g. a small public comms provider)
                result.basis.append(
                    "Art.2(2) special case (in scope regardless of size); does not meet essential criteria"
                )
            result.supervisory_regime = (
                "Art.33 — reactive (ex post) supervision: audits and inspections "
                "triggered by evidence of non-compliance or incident notification"
            )
            result.registration_required = True

        # Step 5: Notes
        if is_medium and in_annex_i:
            result.notes.append(
                "Medium entity in Annex I sector: important entity classification. "
                "Some member states may upgrade to essential by national designation."
            )
        if org.sector == Sector.DIGITAL_INFRA:
            result.notes.append(
                "Digital infrastructure sector: includes cloud computing, data centres, CDNs, "
                "IXPs. SaaS providers serving other businesses as MSPs fall in ICT_SERVICE_MGMT."
            )
        return result


# Example: classify a mid-sized cloud service provider
if __name__ == "__main__":
    org = OrganisationProfile(
        name="ExampleCloud GmbH",
        sector=Sector.DIGITAL_INFRA,
        employees=180,
        annual_turnover_eur=22_000_000,
        balance_sheet_eur=15_000_000,
        is_qualified_trust_service_provider=False,
        is_tld_registry_or_dns_provider=False,
        is_public_comms_provider=False,
        is_cer_critical_entity=False,
        is_sole_essential_service_provider=False,
    )
    classifier = NIS2EntityClassifier()
    result = classifier.classify(org)
    print(f"Classification: {result.classification.value}")
    print(f"Basis: {result.basis}")
    print(f"Supervisory regime: {result.supervisory_regime}")
    print(f"Notes: {result.notes}")

# Output:
# Classification: important
# Basis: ['Annex I sector + medium enterprise — does not meet essential criteria']
# Supervisory regime: Art.33 — reactive (ex post) supervision...
# Notes: ['Medium entity in Annex I sector: important entity classification...',
#         'Digital infrastructure sector: includes cloud computing...']
```
Art.4: Sector-Specific Union Acts — The Lex Specialis Rule
Article 4 addresses the relationship between NIS2 and sector-specific EU law. This is one of the most practically important provisions for regulated industries.
The Core Rule
Art.4(1): Where a sector-specific Union act requires essential or important entities to take cybersecurity risk management measures or notify competent authorities of significant incidents, and those requirements are at least equivalent in effect to NIS2, then the sector-specific act applies — not NIS2.
Art.4(2): Where sector-specific requirements are not "at least equivalent" in all respects to NIS2, NIS2 applies to fill the gaps.
The DORA Carve-Out — The Most Important Instance
The Digital Operational Resilience Act (Regulation (EU) 2022/2554 — DORA) is the primary example of a sector-specific act that triggers the Art.4 lex specialis rule.
Who is covered by DORA instead of NIS2?
- Credit institutions, payment institutions, e-money institutions
- Investment firms, crypto-asset service providers
- Insurance and reinsurance undertakings
- Occupational pension funds (above thresholds)
- Central counterparties, central securities depositories
- Trading venues, data reporting service providers
- Critical ICT third-party providers (CTPPs) designated by ESAs
The practical implication: A bank operating in Germany does not need to comply with NIS2 Art.21 risk management measures or Art.23 incident reporting — it complies with DORA Art.5–14 (ICT risk management) and DORA Art.17–23 (incident reporting) instead. The NCA for DORA enforcement is the ECB/national financial regulator (BaFin, DNB, FMA), not the NIS2 NCA (BSI, RDI, BMSK).
Where NIS2 fills gaps for DORA entities: DORA does not address certain elements that NIS2 covers (e.g., the full scope of supply chain security under NIS2 Art.21(2)(d) in some interpretations). National transpositions vary. Entities subject to DORA should document their position carefully.
The CER Directive Carve-Out
Directive 2022/2557 (Critical Entities Resilience — CER) covers physical resilience of critical infrastructure. It operates in parallel with NIS2 but does not trigger the Art.4 lex specialis rule for cybersecurity — entities subject to CER are simultaneously subject to NIS2 cybersecurity obligations.
Exception: Where CER imposes security measures that overlap with NIS2 Art.21, member states may clarify application to avoid duplicate compliance burden.
The eIDAS 2.0 Relationship
Regulation (EU) 2024/1183 (eIDAS 2.0) imposes trust and security requirements on trust service providers. These overlap significantly with NIS2 Art.21. Where eIDAS 2.0 obligations are equivalent in effect to NIS2, trust service providers may apply the eIDAS rules.
Key distinction: Qualified trust service providers are always essential entities under NIS2 Art.3(1)(b) — the classification stands even if eIDAS 2.0 takes precedence for the substantive security obligations.
Multi-Regulation Landscape for Digital Infrastructure
If you operate a cloud service that also qualifies as a payment processor, or an e-commerce platform that qualifies as an online marketplace under Annex II and also processes payments under PSD2, you face multiple simultaneous frameworks:
| Your Role | Primary Cybersecurity Regulation | NIS2 Status |
|---|---|---|
| Cloud provider (MSP/MSSP) | NIS2 directly | Essential (large) / Important (medium) |
| Bank or payment institution | DORA (Art.4 lex specialis) | Exempt from NIS2 Art.21/23 |
| Insurance undertaking | DORA | Exempt from NIS2 Art.21/23 |
| Trust service provider (qualified) | eIDAS 2.0 (possible partial exemption) | Essential entity regardless |
| Online marketplace | NIS2 directly (Annex II) | Important (large/medium) |
| CER-designated critical entity | NIS2 directly | Essential entity (Art.3(1)(f)) |
Practical Compliance Timeline
2024: Transposition Deadline
NIS2 required transposition by 17 October 2024. Key transpositions:
- Germany: NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) — in legislative process (BSI Act reform)
- Netherlands: Wet beveiliging netwerk- en informatiesystemen (Wbni) revised
- Austria: NISG 2024 — NIS-Gesetz update
- France: Loi relative à la résilience des activités d'importance vitale (transposing NIS2 alongside SAIV)
Note: Several member states including Germany missed the 17 October 2024 deadline. Enforcement timelines vary.
Key Dates for Entities in Scope
| Date | Obligation |
|---|---|
| 17 October 2024 | NIS2 transposition deadline (member states) |
| 17 April 2025 | Entity registration deadline with NCAs |
| Ongoing | Risk management measures under Art.21 |
| Ongoing | Incident reporting under Art.23 (significant incidents) |
| 2026 | NCA supervisory programmes — audit season beginning |
20-Item NIS2 Scope Readiness Checklist
Use this checklist to confirm whether NIS2 applies to your organisation and which category applies.
Sector Analysis (Items 1–6):
- 1. Mapped your primary and secondary business activities to Annex I or Annex II sectors
- 2. Checked sub-sector categories (e.g., digital infrastructure vs ICT service management vs digital providers)
- 3. Determined whether you provide cloud computing, CDN, data centre, or MSP/MSSP services → Annex I
- 4. Checked whether your SaaS is an "online marketplace" or "online search engine" → Annex II
- 5. Verified whether you are a qualified trust service provider (eIDAS Annex I/II/III service)
- 6. Checked whether any member state has designated you as a critical entity under CER Directive
Size Threshold Analysis (Items 7–11):
- 7. Calculated consolidated employee headcount including linked enterprises
- 8. Calculated consolidated annual turnover (latest financial year)
- 9. Calculated consolidated balance sheet total
- 10. Applied the medium enterprise test: ≥50 employees OR >€10M turnover (and not a micro/small)
- 11. Applied the special-case test (Art.2(2)): do you provide public comms networks, TLD/DNS services, or are you sole essential provider?
Classification and Registration (Items 12–16):
- 12. Determined essential vs important classification using Art.3 criteria
- 13. Identified which national competent authority (NCA) you must register with
- 14. Registered with NCA (deadline: 17 April 2025)
- 15. Documented the legal basis for your classification (for NCA supervisory enquiries)
- 16. Checked whether DORA, eIDAS 2.0, or national sector-specific law triggers Art.4 lex specialis
Governance and Gap Analysis (Items 17–20):
- 17. Mapped NIS2 Art.21(2)(a)–(j) obligations against current security programme
- 18. Confirmed incident reporting process covers NIS2 Art.23 timelines (24h early warning, 72h initial report, 1-month final report)
- 19. Reviewed supply chain security posture under Art.21(2)(d)
- 20. Assigned internal accountability for NIS2 compliance to a named executive (Art.20 management body responsibility)
What Comes Next in the NIS2 Series
This post covers the foundational scope questions. The remainder of the NIS2 Directive builds on this:
- NIS2 Art.5–13: National Strategies, CSIRT Network, Cooperation Group — the governance architecture established at Union and national level
- NIS2 Art.20: Management Body Obligations — board-level cybersecurity governance
- NIS2 Art.21: Risk Management Measures — the ten mandatory security categories
- NIS2 Art.23: Incident Reporting — the 24h/72h/1-month reporting timeline
- DORA Art.1–4: Scope and DORA/NIS2 Interface — lex specialis in practice
This post is part of the sota.io EU Compliance Engineering series — practical guides for developers building compliant infrastructure in Europe.