2026-04-15 · 13 min read

NIS2 Essential Entity vs Important Entity: Classification Rules, Obligations, and Developer Checklist (2026)

NIS2 (Directive (EU) 2022/2555) introduces a two-tier classification system that determines which compliance regime your organisation falls under. The distinction matters more than many developers realise: supervisory approach, maximum fines, and registration obligations all differ depending on whether you are an Essential Entity (EE) or an Important Entity (IE).

With NIS2 transposition in force across Member States and national supervisory authorities beginning proactive audits from June 2026, getting your classification right is the first step in any compliance programme.

This guide walks through the classification rules in Annex I and Annex II, the size thresholds, the entity types that bypass the thresholds entirely, the practical differences in obligations, and a Python implementation you can integrate into your compliance tooling.


Why Classification Matters

The classification determines three concrete compliance differences:

| Dimension | Essential Entity (EE) | Important Entity (IE) |
|---|---|---|
| Supervisory regime | Proactive ex ante (Art.32) | Reactive ex post (Art.33) |
| Maximum fine (Art.34) | €10M or 2% of worldwide annual turnover, whichever is higher | €7M or 1.4% of worldwide annual turnover, whichever is higher |
| Registration | Identification details to the NCA for the national list (Art.3(4)); ENISA registry for the digital entity types listed in Art.27 | Same rules |
| Security measures | Art.21 (same set) | Art.21 (same set) |
| Incident reporting | Art.23: 24h early warning, 72h notification, final report one month after the notification | Same deadlines |

The security measures and incident reporting obligations under Art.21 and Art.23 apply equally to both tiers — the classification does not affect what you must do to secure your systems or report incidents. It affects how closely authorities can scrutinise you before a breach occurs, and how much you pay if something goes wrong.

Under Art.32, competent authorities may conduct proactive on-site inspections, regular audits, and security scans of EEs without waiting for an incident. Under Art.33, IEs face supervisory action primarily in response to incidents, complaints, or evidence of non-compliance. The practical risk exposure of being an EE is therefore substantially higher.
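The three Art.23(4) deadlines are easy to miscount. The 24-hour early warning and the 72-hour incident notification both run from the moment the entity becomes aware of the significant incident, while the one-month clock for the final report runs from submission of the 72-hour notification, not from awareness. The calculator below is an added example, not part of the original article, and assumes awareness is recorded as a timezone-aware ISO 8601 timestamp at the start of a log line; the log line, incident identifier and field names are constructed for the example.

```python
"""Art.23 NIS2 incident-reporting deadline calculator (added example, not the
article's own code). Assumes awareness is logged as a timezone-aware ISO-8601
timestamp; the log format below is constructed, not a real SIEM schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import calendar


@dataclass(frozen=True)
class Art23Timeline:
    awareness: datetime                  # moment the entity became aware (Art.23(4))
    early_warning_due: datetime          # Art.23(4)(a): within 24 hours of awareness
    incident_notification_due: datetime  # Art.23(4)(b): within 72 hours of awareness
    final_report_due: datetime           # Art.23(4)(d): within one month of the (b) notification


def add_one_month(moment: datetime) -> datetime:
    """Calendar-month arithmetic with the day clamped to the target month's length,
    so 31 January + 1 month lands on the last day of February."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def art23_timeline(awareness: datetime,
                   notification_submitted: Optional[datetime] = None) -> Art23Timeline:
    """Compute the Art.23(4) deadlines. Both short clocks start at awareness, not at
    confirmation of a breach. The final report is anchored on the actual 72-hour
    notification if it has already been submitted, otherwise on the latest time at
    which that notification could lawfully be sent (the worst case)."""
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware; naive timestamps are not audit-ready")
    awareness = awareness.astimezone(timezone.utc)
    notification_due = awareness + timedelta(hours=72)
    anchor = notification_submitted.astimezone(timezone.utc) if notification_submitted else notification_due
    return Art23Timeline(
        awareness=awareness,
        early_warning_due=awareness + timedelta(hours=24),
        incident_notification_due=notification_due,
        final_report_due=add_one_month(anchor),
    )


def awareness_from_log(line: str) -> datetime:
    """Extract the awareness timestamp from a log line that begins with an ISO-8601
    timestamp carrying a UTC offset (constructed format)."""
    stamp = line.split(" ", 1)[0]
    return datetime.fromisoformat(stamp)


def overdue_reports(timeline: Art23Timeline, now: datetime) -> List[str]:
    """Names of the Art.23 reports whose deadline has already passed at `now`."""
    now = now.astimezone(timezone.utc)
    checks = [
        ("early_warning", timeline.early_warning_due),
        ("incident_notification", timeline.incident_notification_due),
        ("final_report", timeline.final_report_due),
    ]
    return [name for name, due in checks if now > due]


# Constructed sample: the SOC marks awareness in the ticketing system at 12:00 CEST (UTC+2).
SAMPLE_LOG = "2026-06-30T12:00:00+02:00 nis2.awareness incident=INC-0042 severity=significant"

if __name__ == "__main__":
    tl = art23_timeline(awareness_from_log(SAMPLE_LOG))
    print("awareness (UTC)          ", tl.awareness.isoformat())
    print("early warning due        ", tl.early_warning_due.isoformat())
    print("incident notification due", tl.incident_notification_due.isoformat())
    print("final report due (latest)", tl.final_report_due.isoformat())
    print("overdue at 2026-07-02T00:00Z:",
          overdue_reports(tl, datetime(2026, 7, 2, tzinfo=timezone.utc)))
```

Normalising to UTC before any arithmetic avoids the classic DST-transition off-by-one-hour error, and the clamped month arithmetic matters for incidents notified on the 29th to 31st of a month. Art.23(4)(c) also lets the CSIRT or NCA request an intermediate status update at any time; that has no fixed clock and is not modelled here.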


Annex I: Essential Entity Sectors

An organisation qualifies as an Essential Entity if it operates in one of the 11 sectors listed in NIS2 Annex I AND meets the applicable size threshold (or falls within a special exception).

Annex I Sectors

1. Energy

2. Transport

3. Banking

4. Financial Market Infrastructure

5. Health

6. Drinking Water

7. Wastewater

8. Digital Infrastructure

9. ICT Service Management (B2B)

10. Public Administration

11. Space


Annex II: Important Entity Sectors

An organisation qualifies as an Important Entity if it operates in one of the 7 sectors listed in NIS2 Annex II AND meets the medium enterprise threshold — or if it operates in an Annex I sector but falls below the large-enterprise threshold that would make it an EE (see size rules below).

Annex II Sectors

1. Postal and Courier Services

2. Waste Management

3. Manufacture, Production, and Distribution of Chemicals

4. Production, Processing, and Distribution of Food

5. Manufacturing, limited to six sub-sectors: medical devices and in vitro diagnostic medical devices; computer, electronic and optical products (NACE Rev.2 C26); electrical equipment (C27); machinery and equipment n.e.c. (C28); motor vehicles, trailers and semi-trailers (C29); other transport equipment (C30)

6. Digital Providers

7. Research


Size Threshold Rules

The sector alone is not sufficient for classification. NIS2 applies a size threshold based on the EU SME definition (Commission Recommendation 2003/361/EC).

Essential Entity Size Requirement

A sector-covered entity becomes an EE if it exceeds the ceilings for a medium-sized enterprise, i.e. qualifies as large: 250 or more employees, or both annual turnover above €50 million and annual balance sheet total above €43 million.

(For the turnover/balance-sheet route both figures must exceed their thresholds; an enterprise under 250 employees stays medium as long as either figure is within its ceiling.)

Important Entity Size Requirement

A sector-covered entity becomes an IE if it qualifies as a medium enterprise but not a large one: fewer than 250 employees and either turnover ≤ €50 million or balance sheet ≤ €43 million, while at the same time having at least 50 employees or both turnover above €10 million and balance sheet above €10 million.

An entity in an Annex I sector that meets the medium but not large threshold is classified as an IE rather than an EE.

Small and Micro Enterprise Exception

Entities that are small or micro under the Recommendation, i.e. fewer than 50 employees and either turnover ≤ €10 million or balance sheet ≤ €10 million (micro: fewer than 10 employees and either figure ≤ €2 million), are generally excluded from NIS2 unless they fall within a special exception (see next section).


Special Exceptions: Entities Covered Regardless of Size

Two provisions override the size threshold. Art.2(2) brings certain entity types into scope regardless of size, and Art.3(1) says which of them are Essential Entities regardless of size. The two lists are not identical, and neither includes cloud, data centre, CDN or managed service providers:

Automatic EE Regardless of Size

  1. DNS service providers (Art.3(1)(b); operators of root name servers are excluded from the Annex I definition)
  2. Top-level domain (TLD) name registries (operators of .de, .fr, .nl etc.) (Art.3(1)(b))
  3. Qualified trust service providers under the eIDAS Regulation (Art.3(1)(b))
  4. Public electronic communications network and service providers (telecoms, ISPs) that are at least medium-sized (Art.3(1)(c)); smaller ones are still in scope, but as Important Entities
  5. Public administration entities of central government (Art.3(1)(d))
  6. Entities identified as critical under the EU CER Directive (Directive (EU) 2022/2557) (Art.3(1)(f))
  7. Any Annex I or Annex II entity the Member State has individually identified as essential under Art.2(2)(b) to (e), for example a sole provider of a service essential to critical societal or economic activities (Art.3(1)(e))

In Scope Regardless of Size, but as Important Entities

  1. Non-qualified trust service providers (Art.2(2)(a)(ii))
  2. Public electronic communications providers below the medium-size threshold (Art.2(2)(a)(i))

Not Size-Exempt, Despite Common Belief

Cloud computing service providers, data centre service providers, content delivery network providers, and managed service providers and managed security service providers (Annex I §8 and §9) follow the ordinary rule: medium-sized means IE, large means EE, small or micro means out of scope unless a Member State identifies the entity under Art.2(2)(b) to (e). Once in scope, they do carry the additional Art.27 registration obligation.

For SaaS providers, PaaS providers, and cloud hosting companies: an infrastructure- or platform-as-a-service offering puts you in the Annex I §8 Digital Infrastructure category, but it does not make you an EE by itself. A 12-person cloud startup below the medium threshold is outside NIS2 unless its Member State designates it; a medium-sized one is an IE; a large one is an EE. Check the national transposition, because Member States can identify a small provider as essential if, for instance, it is the sole provider of a service critical to the national economy.


Cross-Border and Group Entity Rules

Group Companies

NIS2 obligations attach to the individual legal entity, but size is not assessed in isolation. The SME Recommendation's Annex (Arts. 3 and 6) aggregates the headcount and financial data of partner and linked enterprises, so a 30-person German subsidiary of a 5,000-person group will normally count as large unless the national transposition allows it to be assessed on its own (recital 16 of NIS2 gives Member States that option where the subsidiary's network and information systems are independent of the group). A subsidiary that is in scope is covered as its own entity even if the parent is not, and Member States may allow group-level compliance programmes where subsidiaries share security measures and incident response.

Cross-Border Services

Jurisdiction follows Art.26, and the default rule is the Member State in which the entity is established; an entity with establishments in several Member States falls under each of them. Two categories deviate. Public electronic communications providers fall under the Member State in which they provide services (Art.26(1)(a)). DNS service providers, TLD name registries, domain name registration services, cloud, data centre and CDN providers, MSPs and MSSPs, and online marketplaces, search engines and social networking platforms fall under the Member State of their main establishment in the EU (Art.26(1)(b)), i.e. one supervisor for all EU operations, and they register once, through that Member State's NCA, in the ENISA registry (Art.27). "Main establishment" is where decisions on cybersecurity risk-management measures are predominantly taken, failing that where cybersecurity operations are carried out (Art.26(2)).

Third-Country Entities

Non-EU entities of the types listed in Art.26(1)(b) that offer services within the EU (e.g., serving EU customers from non-EU infrastructure) must designate a representative established in one of the Member States where they offer services, and fall under that Member State's jurisdiction (Art.26(3)). The representative becomes the point of contact for supervisory authorities. Failing to designate one does not remove jurisdiction: any Member State in which the entity provides services may take action against it (Art.26(4)). This has significant implications for non-EU SaaS and infrastructure providers.


The CLOUD Act Intersection

For entities classified as EE or IE that use US-headquartered cloud providers (AWS, Azure, GCP, Cloudflare, Fastly) for their own infrastructure, a compliance gap exists. Under the US CLOUD Act, US law enforcement can compel disclosure of data held by US companies anywhere in the world — including NIS2-mandated incident records, security logs, and audit trails.

This creates a dual exposure. For an EU Essential Entity storing incident records on AWS or Azure, a US grand jury subpoena could compel disclosure of its NIS2 incident documentation before its own NCA has reviewed it, creating a jurisdiction conflict. Art.21(2)(d) NIS2 requires entities to manage supply chain risk, and the jurisdiction to which a third-party cloud provider is subject is part of that risk.

EU-owned, EU-operated infrastructure with no US parent removes this particular exposure; other cross-border legal assistance routes (such as MLAT requests) still exist and belong in the same supply chain risk assessment.


Python Implementation: NIS2 EntityClassifier

```python
from dataclasses import dataclass, field
from enum import Enum


class AnnexType(str, Enum):
    ANNEX_I = "annex_i"       # Essential Entity sectors
    ANNEX_II = "annex_ii"     # Important Entity sectors
    NOT_COVERED = "not_covered"


class EntitySize(str, Enum):
    # Ceilings from Art.2 of the Annex to Recommendation 2003/361/EC. An enterprise
    # stays in a class while it is under the headcount ceiling AND under at least
    # one of the two financial ceilings; it moves up only when headcount OR both
    # financial figures exceed the ceilings.
    LARGE = "large"     # ≥250 employees OR (turnover >€50M AND balance sheet >€43M)
    MEDIUM = "medium"   # <250 employees AND (turnover ≤€50M OR balance sheet ≤€43M), not small
    SMALL = "small"     # <50 employees AND (turnover ≤€10M OR balance sheet ≤€10M), not micro
    MICRO = "micro"     # <10 employees AND (turnover ≤€2M OR balance sheet ≤€2M)


class EntityType(str, Enum):
    ESSENTIAL = "essential_entity"
    IMPORTANT = "important_entity"
    NOT_COVERED = "not_covered"


class SupervisoryRegime(str, Enum):
    PROACTIVE = "art_32_proactive"    # EE: on-site inspections, regular audits
    REACTIVE = "art_33_reactive"      # IE: primarily incident-triggered
    NONE = "not_applicable"


ANNEX_I_SECTORS = {
    "energy_electricity", "energy_oil", "energy_gas", "energy_hydrogen",
    "transport_air", "transport_rail", "transport_water", "transport_road",
    "banking", "financial_market_infrastructure",
    "health", "drinking_water", "wastewater",
    "digital_infrastructure_ixp", "digital_infrastructure_dns",
    "digital_infrastructure_tld", "digital_infrastructure_cloud",
    "digital_infrastructure_datacenter", "digital_infrastructure_cdn",
    "digital_infrastructure_trust_service_qualified",
    "digital_infrastructure_trust_service_nonqualified",
    "digital_infrastructure_telecom",
    "ict_service_management_msp", "ict_service_management_mssp",
    "public_administration_central", "public_administration_regional",
    "space",
}

ANNEX_II_SECTORS = {
    "postal_courier", "waste_management", "chemicals",
    "food_production", "manufacturing_electronics", "manufacturing_electrical",
    "manufacturing_machinery", "manufacturing_vehicles",
    "manufacturing_transport_equipment", "manufacturing_medical",
    "digital_providers_marketplace", "digital_providers_search",
    "digital_providers_social_network", "research",
}

# Essential Entities regardless of size: DNS service providers, TLD name registries
# and qualified trust service providers (Art.3(1)(b)); central government public
# administration (Art.3(1)(d)). Cloud, data centre, CDN and MSP/MSSP are NOT here:
# they follow the ordinary medium/large rule.
ALWAYS_ESSENTIAL_SECTORS = {
    "digital_infrastructure_dns", "digital_infrastructure_tld",
    "digital_infrastructure_trust_service_qualified",
    "public_administration_central",
}

# In scope regardless of size (Art.2(2)(a)) but not automatically Essential:
# non-qualified trust service providers are Important Entities unless large;
# public electronic communications providers are Essential from medium size
# (Art.3(1)(c)) and Important below it.
ALWAYS_COVERED_SECTORS = {
    "digital_infrastructure_trust_service_nonqualified",
    "digital_infrastructure_telecom",
}

# Entity types that register in the ENISA registry via their NCA (Art.27(1)).
ART_27_REGISTRY_SECTORS = {
    "digital_infrastructure_dns", "digital_infrastructure_tld",
    "digital_infrastructure_cloud", "digital_infrastructure_datacenter",
    "digital_infrastructure_cdn",
    "ict_service_management_msp", "ict_service_management_mssp",
    "digital_providers_marketplace", "digital_providers_search",
    "digital_providers_social_network",
}


@dataclass
class EntityProfile:
    sector: str
    employee_count: int               # include partner/linked enterprises (SME Recommendation Annex, Art.6)
    annual_turnover_eur: float        # in millions, same consolidation rule
    annual_balance_sheet_eur: float   # in millions, same consolidation rule
    member_state: str = "DE"
    is_critical_infrastructure: bool = False  # designated under CER Directive (EU) 2022/2557
    identified_as_essential: bool = False     # individually identified by Member State, Art.2(2)(b)-(e)
    established_in_eu: bool = True
    has_eu_representative: bool = True        # Art.26(3): required for non-EU providers


@dataclass
class ClassificationReport:
    entity_type: EntityType
    annex_type: AnnexType
    entity_size: EntitySize
    supervisory_regime: SupervisoryRegime
    max_fine_fixed: int        # EUR
    max_fine_pct_turnover: float
    size_exempt: bool
    rationale: list[str] = field(default_factory=list)
    obligations: list[str] = field(default_factory=list)
    gaps: list[str] = field(default_factory=list)


def classify_entity_size(profile: EntityProfile) -> EntitySize:
    """Size class under Art.2 of the Annex to Recommendation 2003/361/EC."""
    emp = profile.employee_count
    rev = profile.annual_turnover_eur
    bs = profile.annual_balance_sheet_eur

    if emp < 10 and (rev <= 2 or bs <= 2):
        return EntitySize.MICRO
    if emp < 50 and (rev <= 10 or bs <= 10):
        return EntitySize.SMALL
    if emp < 250 and (rev <= 50 or bs <= 43):
        return EntitySize.MEDIUM
    # ≥250 employees, or both turnover >€50M and balance sheet >€43M
    return EntitySize.LARGE


def classify_entity(profile: EntityProfile) -> ClassificationReport:
    size = classify_entity_size(profile)
    sector = profile.sector.lower().replace(" ", "_")

    # Determine annex membership
    if sector in ANNEX_I_SECTORS:
        annex = AnnexType.ANNEX_I
    elif sector in ANNEX_II_SECTORS:
        annex = AnnexType.ANNEX_II
    else:
        return ClassificationReport(
            entity_type=EntityType.NOT_COVERED,
            annex_type=AnnexType.NOT_COVERED,
            entity_size=size,
            supervisory_regime=SupervisoryRegime.NONE,
            max_fine_fixed=0,
            max_fine_pct_turnover=0.0,
            size_exempt=False,
            rationale=[f"Sector '{profile.sector}' not in NIS2 Annex I or Annex II"],
            gaps=["Verify sector classification — some Member States add sectors via national law"],
        )

    at_least_medium = size in (EntitySize.MEDIUM, EntitySize.LARGE)
    designated = profile.is_critical_infrastructure or profile.identified_as_essential
    size_exempt = (
        designated
        or sector in ALWAYS_ESSENTIAL_SECTORS
        or sector in ALWAYS_COVERED_SECTORS
    )

    rationale: list[str] = []
    obligations: list[str] = []
    gaps: list[str] = []

    # Classification logic, in order of precedence
    if designated:
        entity_type = EntityType.ESSENTIAL
        rationale.append("Essential regardless of size: CER critical entity (Art.3(1)(f)) "
                         "or individually identified by the Member State (Art.3(1)(e))")
    elif sector in ALWAYS_ESSENTIAL_SECTORS:
        entity_type = EntityType.ESSENTIAL
        rationale.append(f"Sector '{sector}' is Essential regardless of size (Art.3(1)(b)/(d))")
    elif sector == "digital_infrastructure_telecom":
        entity_type = EntityType.ESSENTIAL if at_least_medium else EntityType.IMPORTANT
        rationale.append("Public electronic communications provider: in scope regardless of size "
                         "(Art.2(2)(a)(i)); Essential from medium size (Art.3(1)(c)), otherwise Important")
    elif sector == "digital_infrastructure_trust_service_nonqualified":
        entity_type = EntityType.ESSENTIAL if size == EntitySize.LARGE else EntityType.IMPORTANT
        rationale.append("Non-qualified trust service provider: in scope regardless of size "
                         "(Art.2(2)(a)(ii)); Important unless large")
    elif annex == AnnexType.ANNEX_I:
        if size == EntitySize.LARGE:
            entity_type = EntityType.ESSENTIAL
            rationale.append(f"Annex I sector + large enterprise (employees: {profile.employee_count}, "
                             f"turnover: €{profile.annual_turnover_eur}M) → Essential (Art.3(1)(a))")
        elif size == EntitySize.MEDIUM:
            entity_type = EntityType.IMPORTANT
            rationale.append("Annex I sector + medium enterprise → Important Entity (Art.3(2))")
        else:
            entity_type = EntityType.NOT_COVERED
            rationale.append("Annex I sector but small/micro enterprise — out of scope unless "
                             "identified by the Member State under Art.2(2)(b)-(e)")
    else:  # ANNEX_II
        if at_least_medium:
            entity_type = EntityType.IMPORTANT
            rationale.append(f"Annex II sector + {'large' if size == EntitySize.LARGE else 'medium'} enterprise")
        else:
            entity_type = EntityType.NOT_COVERED
            rationale.append("Annex II sector + small/micro enterprise — excluded from NIS2")

    # Set obligations and fine levels (Art.34)
    if entity_type == EntityType.ESSENTIAL:
        supervisory = SupervisoryRegime.PROACTIVE
        max_fine_fixed = 10_000_000
        max_fine_pct = 2.0
        obligations.extend([
            "Art.21: Implement 10-domain security measures (risk management, incident response, supply chain...)",
            "Art.23: 24h early warning + 72h notification + final report one month after the notification",
            "Art.32: Subject to proactive supervisory inspections, regular audits, security scans",
            "Art.20: Management body must approve and oversee the measures and can be held liable",
            "Art.3(4): Submit identification details to the NCA for the national list of entities",
        ])
    elif entity_type == EntityType.IMPORTANT:
        supervisory = SupervisoryRegime.REACTIVE
        max_fine_fixed = 7_000_000
        max_fine_pct = 1.4
        obligations.extend([
            "Art.21: Same 10-domain security measures as Essential Entities",
            "Art.23: Same 24h/72h/one-month incident reporting as Essential Entities",
            "Art.33: Supervisory action primarily incident-triggered or complaint-driven",
            "Art.20: Management accountability applies equally",
            "Art.3(4): Submit identification details to the NCA for the national list of entities",
        ])
    else:
        supervisory = SupervisoryRegime.NONE
        max_fine_fixed = 0
        max_fine_pct = 0.0
        gaps.append("Confirm with legal counsel — Member States may extend NIS2 scope via national transposition")

    in_scope = entity_type in (EntityType.ESSENTIAL, EntityType.IMPORTANT)

    if in_scope and sector in ART_27_REGISTRY_SECTORS:
        obligations.append(
            "Art.27: Register via the NCA in the ENISA registry (name, address, contact details, "
            "IP ranges, Member States served, sector)"
        )

    if in_scope and not profile.established_in_eu and not profile.has_eu_representative:
        gaps.append(
            "Art.26(3): Non-EU provider must designate a representative in a Member State "
            "where it offers services; any Member State served may otherwise act (Art.26(4))"
        )

    # Hosting gap check
    gaps.append(
        "Supply chain risk (Art.21(2)(d)): Audit cloud provider jurisdiction. "
        "US-headquartered providers expose NIS2 security logs to CLOUD Act compellability."
    )

    if in_scope:
        gaps.append(
            "Check Art.23 awareness-timestamp logging: NIS2 reporting clock starts at awareness, "
            "not at confirmed breach. Ensure SIEM timestamps are audit-ready."
        )

    return ClassificationReport(
        entity_type=entity_type,
        annex_type=annex,
        entity_size=size,
        supervisory_regime=supervisory,
        max_fine_fixed=max_fine_fixed,
        max_fine_pct_turnover=max_fine_pct,
        size_exempt=size_exempt,
        rationale=rationale,
        obligations=obligations,
        gaps=gaps,
    )


# Example usage
if __name__ == "__main__":
    # Small DNS service provider: Essential regardless of size (Art.3(1)(b))
    dns_startup = EntityProfile(
        sector="digital_infrastructure_dns",
        employee_count=12,
        annual_turnover_eur=1.5,
        annual_balance_sheet_eur=0.8,
    )
    report = classify_entity(dns_startup)
    print(f"DNS startup: {report.entity_type.value}")
    # → essential_entity

    # Small SaaS/PaaS cloud provider: Annex I §8, but NOT size-exempt
    cloud_startup = EntityProfile(
        sector="digital_infrastructure_cloud",
        employee_count=12,
        annual_turnover_eur=1.5,
        annual_balance_sheet_eur=0.8,
    )
    report = classify_entity(cloud_startup)
    print(f"Cloud startup: {report.entity_type.value}")
    # → not_covered (unless the Member State identifies it under Art.2(2)(b)-(e))

    # Mid-size food producer
    food_company = EntityProfile(
        sector="food_production",
        employee_count=85,
        annual_turnover_eur=22.0,
        annual_balance_sheet_eur=15.0,
    )
    report = classify_entity(food_company)
    print(f"Food company: {report.entity_type.value}")
    # → important_entity (Annex II + medium)

    # Large bank
    bank = EntityProfile(
        sector="banking",
        employee_count=3500,
        annual_turnover_eur=890.0,
        annual_balance_sheet_eur=12000.0,
    )
    report = classify_entity(bank)
    print(f"Large bank: {report.entity_type.value}")
    # → essential_entity (Annex I + large)
```

The 10-Domain Security Framework (Art.21) — Same for EE and IE

Both Essential and Important Entities must implement the same 10-category security measures under Art.21(2):

  1. Risk management policies — documented, approved by management body
  2. Incident handling — detection, classification, response, and recovery
  3. Business continuity and crisis management — backup systems, disaster recovery, crisis plans
  4. Supply chain security — security of relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development, and maintenance — including vulnerability handling and disclosure
  6. Policies to assess effectiveness — security testing, audits, vulnerability scanning
  7. Cybersecurity hygiene and training — basic hygiene practices, staff awareness training
  8. Cryptography policies — encryption in transit and at rest, key management
  9. Human resources security, access control, and asset management — privileged access, joiners/movers/leavers
  10. Multi-factor authentication or continuous authentication — MFA for access to network and information systems

For developers, items 5 (secure SDLC and vulnerability handling), 6 (security testing) and 10 (MFA) are the most immediately actionable. The Art.21(2) list maps closely onto the ISO/IEC 27001:2022 control set, and Art.25 directs Member States to encourage the use of European and international standards, so an existing ISO 27001 certification covers substantial Art.21 ground; it does not by itself discharge the Art.23 reporting or Art.20 governance obligations.


25-Item Classification Checklist

Part A — Sector Identification (5 items)

Part B — Size Threshold Assessment (5 items)

Part C — Special Exception Check (5 items)

Part D — Classification Result and Registration (5 items)

Part E — Hosting and Supply Chain Gap Check (5 items)


Common Classification Mistakes

Mistake 1: Misreading the Size Exception

Many SaaS founders assume NIS2 cannot apply to a company with fewer than 50 employees; others assume every digital infrastructure provider is caught regardless of size. Both are wrong. The size-independent categories are DNS service providers, TLD name registries, trust service providers, public electronic communications providers, central government entities, CER critical entities and any entity a Member State individually identifies (Art.2(2) and Art.3(1)). A three-person team running an authoritative DNS service is an Essential Entity. A three-person team running a PaaS offering is outside NIS2 unless it reaches the medium threshold (counting group figures) or is identified by its Member State.

Mistake 2: Using Revenue Alone for Size Calculation

The large-enterprise threshold requires both turnover >€50M AND balance sheet >€43M. A profitable trading company with €80M turnover but €25M balance sheet is not a large enterprise by the turnover/balance-sheet route. Check both figures independently.

Mistake 3: Treating Annex II Sectors as Lower Risk

Both tiers have identical Art.21 and Art.23 obligations. An Important Entity in the food sector that suffers a significant incident must still send a 24-hour early warning to its NCA. The "important" label does not reduce operational obligations — only supervisory intensity and fine ceilings differ.

Mistake 4: One-Time Classification

NIS2 classification is not a once-and-done exercise. If your company crosses a size ceiling in either direction (including through acquisition or a change in group structure), enters or leaves an Annex I or Annex II activity, or is individually identified or de-listed by a Member State, your classification changes. Build a periodic classification review into your compliance calendar: annually at minimum, or at any material change to business scope or size.


June 2026 NIS2 Audit Preparation

National competent authorities across the EU have signalled that proactive supervisory engagement with Essential Entities will begin in earnest from June 2026. For EEs this means the Art.32 toolbox (on-site inspections, regular and targeted security audits, security scans and requests for information) can be used without any triggering incident, so the evidence for your Art.21 measures has to exist before anyone asks for it.

For Important Entities, the June 2026 date is less acute — Art.33 supervision is reactive. However, a significant incident after June 2026 will immediately trigger supervisory scrutiny, and "we hadn't classified ourselves yet" is not a defence.

The minimum viable NIS2 programme for June 2026 readiness:

  1. Classify: Apply the Annex I/II + size rules, including the Art.3(1) size-independent categories. Document the result.
  2. Register: Submit your identification details to the NCA for the national list of EEs and IEs (Art.3(4)); DNS, TLD, cloud, data centre, CDN, MSP/MSSP and digital providers additionally register in the ENISA registry (Art.27).
  3. Assign accountability: Management body formally approves the cybersecurity risk-management measures and oversees their implementation (Art.20).
  4. Risk assessment: Document your network and information systems, identify risks (Art.21(1)).
  5. Incident playbook: Define what triggers a "significant incident" for Art.23, and who sends the 24-hour early warning and to whom.

These five steps are achievable in days. Waiting for a complete ISO 27001 programme before starting is the most common form of NIS2 procrastination.


Summary

NIS2's two-tier classification drives supervision intensity and fine exposure, not the core obligations. Whether you are an Essential Entity (Annex I sectors + large size, or size-exempt) or an Important Entity (Annex II sectors + medium-or-large, or Annex I sectors + medium size), you must implement Art.21 security measures and Art.23 incident reporting identically.

The most consequential classification question for infrastructure companies is whether you fall within the size-independent categories: DNS service providers, TLD registries and qualified trust service providers are EEs from day one regardless of headcount, and telecoms providers are in scope from day one (EE from medium size). Cloud, data centre, CDN and managed service providers are not size-exempt; they follow the medium/large rule, although a Member State may still identify them as essential under Art.2(2)(b) to (e). Because the Art.21 and Art.23 obligations are identical across tiers, the pragmatic approach for anyone providing infrastructure services to third parties in the EU is to build to the EE bar and let the classification determine only your supervisory exposure.

For hosting infrastructure, the supply chain clause (Art.21(2)(d)) makes your cloud provider's jurisdiction a compliance variable. EU-owned, EU-operated infrastructure with no US-headquartered parent removes the CLOUD Act vector that creates a dual-jurisdiction conflict for NIS2-mandated incident records; other legal assistance routes remain and belong in the same risk assessment.

