RoutineMetric

NIS2 Directive Applicability & Class Identifier

Determine if your business is subject to the EU's NIS2 Directive (Directive on measures for a high common level of cybersecurity across the Union) and establish whether you fall under the Essential or Important entity category.

Company Profile

NIS2 applies based on where your main establishment is located in the EU.

Special Overrides & Regulated Roles

The NIS2 Directive specifies cases where small/micro organizations or specific digital providers are swept into scope regardless of standard size criteria due to systemic importance.

Regulatory Scope Assessment

IN SCOPE

Your organization is classified as an Important Entity under the NIS2 Directive.

Applicable Jurisdiction: Germany (EU Member State)

Determination Logic
  • Medium-sized enterprise in a High-Criticality Sector (Annex I).

Applicable Enforcement Regime: Reactive (Ex-Post Only)

Supervised retroactively when authorities receive evidence or complaints of non-compliance. Fines of up to €7M or 1.4% of global annual turnover apply.

Strict Reporting Timelines

  • Early Warning: 24h
  • Incident Report: 72h
  • Final Report: 1mo

Requires immediate execution upon identifying any significant security incident.

Immediate NIS2 Checklist

  • Implement certified Supply Chain risk assessments.
  • Establish strict cryptography & basic encryption procedures.
  • Set up formal cyber hygiene training for senior management/executives.
  • Mandate Multi-Factor Authentication (MFA) across all digital channels.

Understanding the NIS2 Directive: Scope, Requirements, and Legal Overrides

The European Union’s Network and Information Security (NIS2) Directive, established under Directive (EU) 2022/2555, represents a significant modernization of the EU’s shared cybersecurity framework. Designed to address emerging cyber risk profiles across crucial societal and economic infrastructure, the directive replaces the outdated NIS1 and broadens requirements to harmonize defense levels, enforcement regimes, and notification rules across all member states.

Key Criteria of NIS2 Applicability

Unlike its predecessor, NIS2 uses a uniform size-cap rule. Medium and large organizations operating in the critical sectors enumerated in Annex I and Annex II are within its strict scope.

  • Medium-Sized Enterprises: Organizations employing between 50 and 249 staff with annual turnovers under €50M or balance sheets below €43M.
  • Large Enterprises: Organizations exceeding 250 personnel, or holding over €50M in annual turnover and €43M on their balance sheet.
  • Micro/Small Overrides: Specific high-risk entities remain in-scope even if they operate below the standard size cap. These exceptions include DNS providers, public telecom operations, single-source providers of essential community services, and central public administration.

Essential vs. Important Entities

The regulatory burden varies depending on the operational category:

  • Essential Entities (Annex I - High Criticality + Large): Subject to rigorous, proactive supervision (ex-ante), meaning regulators will actively assess internal policies without needing prior evidence of an incident. Fines can reach up to €10 million or 2% of global annual turnover.
  • Important Entities (Annex I Medium, or Annex II): Subject to reactive supervision (ex-post). Regulators act primarily when compliance concerns or active incident signals appear. Fines can reach up to €7 million or 1.4% of global annual turnover.

Interaction with DORA (Lex Specialis)

Financial market participants operating within the EU are also governed by the Digital Operational Resilience Act (DORA). Under the European law concept of lex specialis derogat legi generali, specialized laws override general laws. Where DORA and NIS2 requirements cover similar operational ground (such as threat-led penetration testing, incident reporting, and third-party risk management), DORA regulations supersede NIS2, ensuring financial institutions face a consolidated set of standards.