How to Determine If Your Organization Falls Under NIS2 Compliance Requirements

When ENISA published its latest threat landscape report in October 2024, it highlighted a 400% increase in cyberattacks targeting critical infrastructure across the EU. This surge coincides with the NIS2 Directive’s implementation deadline, leaving many organizations scrambling to determine their compliance obligations. The European Commission estimates that over 160,000 entities now fall under the expanded scope—a dramatic increase from the original NIS Directive’s coverage.

Understanding whether your organization falls under NIS2 compliance requirements isn’t straightforward. The directive’s complex classification system combines employee counts, revenue thresholds, and sector-specific criteria that vary across member states. Getting this assessment wrong carries significant consequences: essential entities face administrative fines up to €10 million or 2% of global turnover, while important entities risk penalties up to €7 million or 1.4% of turnover.

This analysis breaks down the specific criteria, calculation methods, and regulatory nuances that determine NIS2 applicability. We’ll examine real-world scenarios, cross-border complications, and the practical steps compliance teams need to take before the enforcement phase begins in earnest.

Executive Summary

What’s the main idea? NIS2 compliance depends on three interconnected factors: your organization’s size (employees and revenue), the sectors you operate in, and your geographic footprint across EU member states. The directive uses a tiered approach where essential entities face stricter requirements than important entities.

Why should you care? Misclassifying your NIS2 status can result in multi-million euro penalties and operational disruptions. With national authorities beginning enforcement activities, organizations need clear guidance on scope determination to avoid regulatory surprises and implement appropriate cybersecurity measures.

Understanding Employee Thresholds That Trigger NIS2 Obligations

The NIS2 Directive establishes clear employee thresholds, but the calculation method often catches organizations off-guard. National competent authorities use average headcount over the preceding financial year, including full-time equivalents for part-time workers and temporary staff.

Essential Entities: The 50-Employee Trigger

Organizations providing essential services—energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, and public administration—face the lowest threshold. Any entity with 50 or more employees automatically qualifies, regardless of revenue.

However, member states retain discretion to include smaller entities if they’re deemed critical to national security or economic stability. Germany’s BSI, for instance, has indicated it may designate certain sub-50-employee entities in the energy sector based on their grid connectivity role.

Important Entities: The 250-Employee Benchmark

Important entities—covering postal services, waste management, manufacturing of critical products, digital providers, and research organizations—must employ at least 250 people to fall under mandatory scope. This threshold aligns with the EU’s SME definition, creating consistency across regulatory frameworks.

Tweetable insight: NIS2 employee thresholds aren’t just headcount—they include contractors, temps, and FTEs calculated over 12 months. #NIS2Compliance

Revenue Calculations: Navigating Financial Thresholds

Revenue thresholds work alongside employee counts, creating a dual-criteria system that captures organizations based on either metric. The calculations use consolidated group figures, not individual subsidiary revenues—a detail that significantly expands scope for multinational corporations.

Essential Services Revenue Thresholds

Essential entities must exceed €10 million in annual turnover. This relatively low threshold reflects the directive’s intent to capture smaller regional players in critical sectors. For example, a municipal water utility with 45 employees but €12 million revenue would still fall under NIS2 scope.

The European Banking Authority has clarified that financial institutions should use net banking income rather than traditional turnover metrics, while energy companies must include both regulated and unregulated revenue streams.

Important Entities: The €50 Million Mark

Important entities face a €50 million threshold, creating breathing room for mid-sized companies. However, this calculation includes intra-group transactions, which can push organizations over the threshold unexpectedly.

Manufacturing companies have raised concerns about this methodology with the European Commission. A German automotive parts supplier discovered their €45 million external revenue became €52 million when including sales to parent company subsidiaries.

Tweetable insight: NIS2 revenue calculations include intra-group transactions—your actual threshold might be higher than external sales suggest.

Sector Classifications: Essential vs. Important Entities

The distinction between essential and important entities goes beyond semantic differences—it determines regulatory intensity, penalty exposure, and supervisory approach.

Essential Sectors: High-Stakes Oversight

Essential entities operate in sectors where disruption could significantly impact societal functions or economic activities. These organizations face:

• Direct supervision by national competent authorities
• Mandatory security incident reporting within 24 hours
• Periodic security audits and assessments
• Higher administrative penalties (up to €10M or 2% global turnover)

The energy sector exemplifies this approach. Transmission system operators, regardless of size, automatically qualify as essential entities due to their grid management role.

Important Entities: Proportionate Requirements

Important entities support essential services but don’t directly provide them. They face lighter-touch regulation with:

• Self-assessment and voluntary reporting mechanisms
• 72-hour incident notification requirements
• Risk-based supervision approaches
• Lower penalty caps (€7M or 1.4% global turnover)

Digital service providers illustrate this category’s complexity. Cloud infrastructure providers qualify as essential entities, while software-as-a-service companies typically fall under important entity classification.

Multi-Sector Operations: Navigating Complex Classifications

Organizations operating across multiple NIS2 sectors face classification challenges that require careful legal analysis. The directive doesn’t provide clear guidance for entities with diversified business models.

Primary Activity Determination

National authorities typically use revenue allocation to determine primary sector classification. A telecommunications company with significant cloud services revenue might find itself classified under digital infrastructure (essential) rather than digital services (important).

France’s ANSSI has developed a 60% revenue threshold—if more than 60% of revenue comes from essential services, the entire organization receives essential entity classification. Other member states are watching this approach closely.

Subsidiary vs. Group-Level Assessment

Corporate structure significantly impacts NIS2 classification. Some member states assess each legal entity separately, while others apply group-level analysis. This inconsistency creates compliance complexity for multinational organizations.

A European energy conglomerate discovered that its renewable energy subsidiary qualified as an essential entity in Germany but remained outside scope in Spain due to different assessment methodologies.

Cross-Border Operations: Member State Variations

Organizations operating across multiple EU member states face a patchwork of implementation approaches, despite the directive’s harmonization goals.

Registration Requirements

Each member state maintains its own NIS2 registry, requiring separate registration processes. The Netherlands’ NCSC has streamlined this through digital portals, while Italy still requires paper-based submissions in certain regions.

Cross-border entities must register with the competent authority in each member state where they meet classification criteria. This can result in multiple supervisory relationships and potentially conflicting requirements.

Enforcement Coordination

The NIS Cooperation Group facilitates information sharing between national authorities, but enforcement approaches vary significantly. Nordic countries emphasize collaborative compliance support, while Southern European authorities lean toward formal audit procedures.

Tweetable insight: Same company, different NIS2 treatment—member state implementation variations create compliance complexity across borders.

Conclusion

Determining NIS2 compliance requirements demands systematic analysis of employee counts, revenue thresholds, sector classifications, and geographic operations. The directive’s expanded scope captures organizations that previously operated outside cybersecurity regulations, creating new obligations for entities across critical infrastructure sectors.

Organizations must move beyond simple threshold checks to understand their specific regulatory exposure. This includes mapping business activities to NIS2 sectors, calculating consolidated revenue figures, and identifying all applicable member state jurisdictions. The complexity increases for multinational entities operating across multiple sectors and jurisdictions.

Success requires implementing robust cybersecurity frameworks that address NIS2’s risk management, incident reporting, and business continuity requirements. Organizations need unified security policies across all data communication channels, comprehensive audit trails for mandatory breach reporting, and real-time threat detection capabilities. The regulatory landscape demands solutions that can adapt to varying member state requirements while maintaining consistent security postures.

Critical infrastructure operators must modernize legacy systems and establish the comprehensive cybersecurity measures that NIS2 mandates. This transformation requires platforms that can standardize security policies, provide immutable audit logs, and support rapid incident response—all while maintaining operational continuity across essential services.

Kiteworks Supports Organizations Impacted by NIS2 With Secure and Compliant File Sharing

The Kiteworks Private Data Network addresses NIS2 compliance challenges through a unified platform that standardizes security policies across secure email, Kiteworks secure file sharing, secure MFT, and SFTP channels.

Kiteworks provides AES-256 encryption, role-based access control (RBAC), and comprehensive audit trails that support mandatory incident reporting requirements. With real-time anomaly detection and granular policy enforcement, Kiteworks enables critical infrastructure operators to meet NIS2 cybersecurity obligations while maintaining operational efficiency. The platform’s proven compliance framework, backed by ISO 27001, FedRAMP, and SOC 2 certifications, gives organizations confidence in their regulatory posture across multiple EU jurisdictions.

To learn more about Kiteworks for NIS2 compliance, schedule a custom demo today.

Additional Resources

• Brief How to Conduct a NIS 2 Readiness Assessment
• Video NIS 2 Directive: Requirements, Obligations, and How Kiteworks Can Help With Compliance
• Blog Post Small Business Guide to NIS 2 Compliance
• Blog Post NIS 2 Directive: What it Means for Your Business
• Blog Post NIS 2 Directive: Effective Implementation Strategies