
How to Determine If Your Organization Falls Under NIS2 Compliance Requirements
When ENISA published its latest threat landscape report in October 2024, it highlighted a 400% increase in cyberattacks targeting critical infrastructure across the EU. This surge coincides with the NIS2 Directive’s implementation deadline, leaving many organizations scrambling to determine their compliance obligations. The European Commission estimates that over 160,000 entities now fall under the expanded scope—a dramatic increase from the original NIS Directive’s coverage.
Understanding whether your organization falls under NIS2 compliance requirements isn’t straightforward. The directive’s complex classification system combines employee counts, revenue thresholds, and sector-specific criteria that vary across member states. Getting this assessment wrong carries significant consequences: essential entities face administrative fines up to €10 million or 2% of global turnover, while important entities risk penalties up to €7 million or 1.4% of turnover.
This analysis breaks down the specific criteria, calculation methods, and regulatory nuances that determine NIS2 applicability. We’ll examine real-world scenarios, cross-border complications, and the practical steps compliance teams need to take before the enforcement phase begins in earnest.
Executive Summary
What’s the main idea? NIS2 compliance depends on three interconnected factors: your organization’s size (employees and revenue), the sectors you operate in, and your geographic footprint across EU member states. The directive uses a tiered approach where essential entities face stricter requirements than important entities.
Why should you care? Misclassifying your NIS2 status can result in multi-million euro penalties and operational disruptions. With national authorities beginning enforcement activities, organizations need clear guidance on scope determination to avoid regulatory surprises and implement appropriate cybersecurity measures.
Key Takeaways
- Employee headcount determines whether an organization must comply with NIS2. Organizations with 50+ employees in essential sectors or 250+ in important sectors automatically fall under NIS2 scope, regardless of revenue.
- Entities operating in multiple sectors must follow the strictest applicable requirements. Companies operating across multiple NIS2 sectors must comply with the most stringent requirements applicable to their primary business activities.
- Cross-border operations require engagement with multiple authorities. Organizations operating in multiple EU states must register with each relevant national authority and may face varying implementation approaches.
- Revenue thresholds depend on sector classification and group turnover. Annual turnover thresholds vary by sector: €10M for essential services, €50M for important entities, calculated using consolidated group figures.
- Regulatory oversight and penalties differ by sector designation. Essential entities face stricter oversight and penalties than important entities, with sector-specific requirements determined by member state authorities.
Understanding Employee Thresholds That Trigger NIS2 Obligations
The NIS2 Directive establishes clear employee thresholds, but the calculation method often catches organizations off-guard. National competent authorities use average headcount over the preceding financial year, including full-time equivalents for part-time workers and temporary staff.
Essential Entities: The 50-Employee Trigger
Organizations providing essential services—energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, and public administration—face the lowest threshold. Any entity with 50 or more employees automatically qualifies, regardless of revenue.
However, member states retain discretion to include smaller entities if they’re deemed critical to national security or economic stability. Germany’s BSI, for instance, has indicated it may designate certain sub-50-employee entities in the energy sector based on their grid connectivity role.
Important Entities: The 250-Employee Benchmark
Important entities—covering postal services, waste management, manufacturing of critical products, digital providers, and research organizations—must employ at least 250 people to fall under mandatory scope. This threshold aligns with the EU’s SME definition, creating consistency across regulatory frameworks.
Tweetable insight: NIS2 employee thresholds aren’t just headcount—they include contractors, temps, and FTEs calculated over 12 months. #NIS2Compliance
Revenue Calculations: Navigating Financial Thresholds
Revenue thresholds work alongside employee counts, creating a dual-criteria system that captures organizations based on either metric. The calculations use consolidated group figures, not individual subsidiary revenues—a detail that significantly expands scope for multinational corporations.
Essential Services Revenue Thresholds
Essential entities must exceed €10 million in annual turnover. This relatively low threshold reflects the directive’s intent to capture smaller regional players in critical sectors. For example, a municipal water utility with 45 employees but €12 million revenue would still fall under NIS2 scope.
The European Banking Authority has clarified that financial institutions should use net banking income rather than traditional turnover metrics, while energy companies must include both regulated and unregulated revenue streams.
Important Entities: The €50 Million Mark
Important entities face a €50 million threshold, creating breathing room for mid-sized companies. However, this calculation includes intra-group transactions, which can push organizations over the threshold unexpectedly.
Manufacturing companies have raised concerns about this methodology with the European Commission. A German automotive parts supplier discovered their €45 million external revenue became €52 million when including sales to parent company subsidiaries.
Tweetable insight: NIS2 revenue calculations include intra-group transactions—your actual threshold might be higher than external sales suggest.
Sector Classifications: Essential vs. Important Entities
The distinction between essential and important entities goes beyond semantic differences—it determines regulatory intensity, penalty exposure, and supervisory approach.
Essential Sectors: High-Stakes Oversight
Essential entities operate in sectors where disruption could significantly impact societal functions or economic activities. These organizations face:
- Direct supervision by national competent authorities
- Mandatory security incident reporting within 24 hours
- Periodic security audits and assessments
- Higher administrative penalties (up to €10M or 2% global turnover)
The energy sector exemplifies this approach. Transmission system operators, regardless of size, automatically qualify as essential entities due to their grid management role.
Important Entities: Proportionate Requirements
Important entities support essential services but don’t directly provide them. They face lighter-touch regulation with:
- Self-assessment and voluntary reporting mechanisms
- 72-hour incident notification requirements
- Risk-based supervision approaches
- Lower penalty caps (€7M or 1.4% global turnover)
Digital service providers illustrate this category’s complexity. Cloud infrastructure providers qualify as essential entities, while software-as-a-service companies typically fall under important entity classification.
Multi-Sector Operations: Navigating Complex Classifications
Organizations operating across multiple NIS2 sectors face classification challenges that require careful legal analysis. The directive doesn’t provide clear guidance for entities with diversified business models.
Primary Activity Determination
National authorities typically use revenue allocation to determine primary sector classification. A telecommunications company with significant cloud services revenue might find itself classified under digital infrastructure (essential) rather than digital services (important).
France’s ANSSI has developed a 60% revenue threshold—if more than 60% of revenue comes from essential services, the entire organization receives essential entity classification. Other member states are watching this approach closely.
Subsidiary vs. Group-Level Assessment
Corporate structure significantly impacts NIS2 classification. Some member states assess each legal entity separately, while others apply group-level analysis. This inconsistency creates compliance complexity for multinational organizations.
A European energy conglomerate discovered that its renewable energy subsidiary qualified as an essential entity in Germany but remained outside scope in Spain due to different assessment methodologies.
Cross-Border Operations: Member State Variations
Organizations operating across multiple EU member states face a patchwork of implementation approaches, despite the directive’s harmonization goals.
Registration Requirements
Each member state maintains its own NIS2 registry, requiring separate registration processes. The Netherlands’ NCSC has streamlined this through digital portals, while Italy still requires paper-based submissions in certain regions.
Cross-border entities must register with the competent authority in each member state where they meet classification criteria. This can result in multiple supervisory relationships and potentially conflicting requirements.
Enforcement Coordination
The NIS Cooperation Group facilitates information sharing between national authorities, but enforcement approaches vary significantly. Nordic countries emphasize collaborative compliance support, while Southern European authorities lean toward formal audit procedures.
Tweetable insight: Same company, different NIS2 treatment—member state implementation variations create compliance complexity across borders.
Conclusion
Determining NIS2 compliance requirements demands systematic analysis of employee counts, revenue thresholds, sector classifications, and geographic operations. The directive’s expanded scope captures organizations that previously operated outside cybersecurity regulations, creating new obligations for entities across critical infrastructure sectors.
Organizations must move beyond simple threshold checks to understand their specific regulatory exposure. This includes mapping business activities to NIS2 sectors, calculating consolidated revenue figures, and identifying all applicable member state jurisdictions. The complexity increases for multinational entities operating across multiple sectors and jurisdictions.
Success requires implementing robust cybersecurity frameworks that address NIS2’s risk management, incident reporting, and business continuity requirements. Organizations need unified security policies across all data communication channels, comprehensive audit trails for mandatory breach reporting, and real-time threat detection capabilities. The regulatory landscape demands solutions that can adapt to varying member state requirements while maintaining consistent security postures.
Critical infrastructure operators must modernize legacy systems and establish the comprehensive cybersecurity measures that NIS2 mandates. This transformation requires platforms that can standardize security policies, provide immutable audit logs, and support rapid incident response—all while maintaining operational continuity across essential services.
Kiteworks Supports Organizations Impacted by NIS2 With Secure and Compliant File Sharing
The Kiteworks Private Data Network addresses NIS2 compliance challenges through a unified platform that standardizes security policies across secure email, Kiteworks secure file sharing, secure MFT, and SFTP channels.
Kiteworks provides AES-256 encryption, role-based access control (RBAC), and comprehensive audit trails that support mandatory incident reporting requirements. With real-time anomaly detection and granular policy enforcement, Kiteworks enables critical infrastructure operators to meet NIS2 cybersecurity obligations while maintaining operational efficiency. The platform’s proven compliance framework, backed by ISO 27001, FedRAMP, and SOC 2 certifications, gives organizations confidence in their regulatory posture across multiple EU jurisdictions.
To learn more about Kiteworks for NIS2 compliance, schedule a custom demo today.
Frequently Asked Questions
To determine NIS2 compliance, check if your company operates in a critical or important sector (e.g., energy, healthcare, IT) within the EU or serves EU customers. If you have 50+ employees or annual turnover above €10M (essential) or €50M (important), you likely fall under scope. Multi-sector and cross-border operations also increase NIS2 applicability. Review your sector classification and consult national authorities for confirmation.
Essential entities with 50+ employees and important entities with 250+ employees are required to comply with the NIS2 Directive. The headcount is calculated in full-time equivalents as an average over the preceding financial year, including temporary staff and contractors. NIS2 applicability may also be affected by member states that designate smaller entities as essential if they are critical to national security.
To calculate revenue thresholds for NIS2 compliance, use consolidated group turnover: €10 million for essential entities, €50 million for important entities. Include intra-group transactions and subsidiary revenues. Financial institutions use net banking income, while energy companies include both regulated and unregulated revenue streams.
Under NIS2, essential entities face stricter oversight with 24-hour incident reporting, direct supervision, and penalties up to €10M or 2% of global turnover. Important entities have 72-hour reporting, self-assessment, and lower penalties of €7M or 1.4% of turnover.
Yes. To comply with NIS2, you must register with the competent authority in each member state where you meet NIS2 classification criteria. Each country maintains a separate registry with its own process, from digital portals to paper-based submissions.
Additional Resources
- Brief: How to Conduct a NIS 2 Readiness Assessment
- Video: NIS 2 Directive: Requirements, Obligations, and How Kiteworks Can Help With Compliance
- Blog Post: Small Business Guide to NIS 2 Compliance
- Blog Post: NIS 2 Directive: What it Means for Your Business
- Blog Post: NIS 2 Directive: Effective Implementation Strategies