If your organization operates in the EU—or does business with EU customers—you’re probably asking the most common NIS2 question across Europe:
Who does NIS2 apply to?
The short answer: far more organizations than the original NIS Directive covered.
The longer answer is more nuanced, and that’s exactly what this guide explains—clearly and practically.
What Is NIS2? (Quick Context)
NIS2 (Directive (EU) 2022/2555) is the European Union’s updated cybersecurity directive. It replaces the original NIS Directive and significantly expands:
- The number of covered organizations
- The sectors included
- Enforcement authority
- Fines and penalties
Unlike older regulations, NIS2 focuses on operational cybersecurity, not just documentation.
Who Does NIS2 Apply To? (Clear Answer)
NIS2 applies to medium and large organizations operating in specific sectors that provide critical or important services in the EU.
Organizations are classified into two groups:
- Essential Entities
- Important Entities
If your company falls into either category, NIS2 compliance is mandatory.
Essential Entities Under NIS2
Essential entities are organizations whose disruption would have serious societal or economic impact.
Sectors Covered
NIS2 applies to essential entities in sectors such as:
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (cloud providers, data centers, DNS providers)
- Public administration (central and regional government)
- Space infrastructure
If your organization operates in one of these sectors and meets size thresholds, NIS2 definitely applies.
Important Entities Under NIS2
Important entities include organizations that are not classified as essential but still play a significant role in the economy or digital ecosystem.
Sectors Covered
NIS2 applies to important entities in areas such as:
- Manufacturing (including medical devices, electronics, machinery)
- Digital services (SaaS, marketplaces, search engines)
- Postal and courier services
- Waste management
- Chemicals
- Food production and distribution
- Research organizations
Many companies are surprised to learn they fall into this category.
Does NIS2 Apply to SMEs?
In Most Cases: No—but There Are Exceptions
NIS2 generally applies to medium and large organizations, defined as:
- Medium: 50+ employees or €10M+ turnover
- Large: 250+ employees or €50M+ turnover
However, size is not the only factor.
SMEs Are Covered If They Are:
- Sole providers of essential services
- Critical to supply chains
- High-risk digital infrastructure operators
If you’re an SME providing services to essential entities, NIS2 may still apply indirectly through contractual and security requirements.
Does NIS2 Apply to Non-EU Companies?
Yes—in many cases.
NIS2 applies to non-EU organizations if they:
- Provide services within the EU
- Support EU-based essential or important entities
- Operate EU-facing digital infrastructure
- Are part of EU supply chains
This means U.S., UK, and global companies may still fall under NIS2 obligations.
Key Test: Does NIS2 Apply to You?
Ask yourself these questions:
- Do we operate in the EU or provide services to EU customers?
- Do we belong to a regulated or critical sector?
- Do we have 50+ employees or significant revenue?
- Do we provide digital, infrastructure, or operational services?
- Are we part of a regulated supply chain?
If you answered “yes” to two or more, NIS2 likely applies.
Why So Many Organizations Are Affected by NIS2
NIS2 was intentionally designed to:
- Reduce systemic cyber risk
- Cover modern digital businesses
- Address supply-chain vulnerabilities
- Include cloud, SaaS, and managed services
That’s why the question “Who does NIS2 apply to?” is now the most searched compliance query across the EU.
What Happens If NIS2 Applies to You?
If your organization is covered, you must:
- Implement risk-based cybersecurity measures
- Secure networks, systems, and endpoints
- Monitor and manage incidents
- Report major incidents within strict timelines
- Maintain continuous compliance—not annual checklists
Penalties for non-compliance can reach €10 million or 2% of global turnover.
NIS2 Is About Operational Security, Not Paperwork
A key shift under NIS2 is the focus on real-world security controls, including:
- Device management
- Access control
- Patch management
- Incident response readiness
- Continuous monitoring
Organizations relying only on policies or manual audits will struggle to comply.
Final Answer: Who Does NIS2 Apply To?
NIS2 applies to:
Any medium or large organization providing essential or important services in or to the EU—and many others through supply-chain exposure.
If you operate in the EU digital economy, NIS2 is no longer a niche regulation—it’s a baseline requirement.