Who Needs to Comply with NIS 2? A Clear Guide for Businesses
The NIS 2 Directive represents a major leap in EU-wide cybersecurity regulation, expanding its scope far beyond the original NIS Directive. One of the most common questions from companies today is: "Do we need to comply?" The answer depends on a mix of your industry, company size, and geographic footprint.
Let’s break it down simply.
🔒 Who Must Comply with NIS 2?
Your company must comply with NIS 2 if:
- You operate in any of the 18 specified sectors, including energy, transport, health, banking, digital infrastructure, and more.
- You’re a mid-size or large company, typically meaning:
  - 50+ employees and €10M+ in annual revenue for mid-size,
  - 250+ employees and €50M+ for large enterprises.
- You offer services in the EU, even if your company is based elsewhere.
📌 Company Size Matters
- Micro/Small: Fewer than 50 employees and less than €10M turnover
- Mid-size: 50–250 employees and €10M–50M turnover
- Large: More than 250 employees and over €50M turnover
👉 Micro and small businesses are mostly exempt, unless:
- They’re the only provider of a critical service in a country
- Their disruption could harm public safety or cause systemic risk
- They're named a "critical entity" by a Member State
Essential vs. Important Entities
Type | Applies To | Supervision | Oversight | Penalties |
🚨Essential Entity | Large companies in critical sectors, DNS/trust services, public networks, government | Proactive (Article 32) | heavier oversight | Up to €10M or 2% global revenue |
🚩Important Entity | Mid-size companies in those sectors + other regulated industries | Reactive (Article 33) | still regulated, but lighter enforcement | Up to €7M or 1.4% global revenue |
Reporting obligations, management accountability and incident response plans are mandatory for both entity types.
FULL LIST OF SECTORS & COMPLIANCE STATUS
Here’s the complete breakdown of who is essential and who is important, based on sector and size.
Sectors of High Criticality
Sector - Subsector | Type of entity | Micro & small organizations* | Mid-sized organizations | Large organizations |
Energy - Electricity | Electricity undertakings which carry out the function of ‘supply’ | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Electricity | Distribution system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Electricity | Transmission system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Electricity | Producers | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Electricity | Nominated electricity market operators; Market participants; Operators of a recharging point | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - District heating and cooling | Operators of district heating or district cooling | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Oil | Operators of oil transmission pipelines | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Oil | Operators of oil production, refining and treatment facilities, storage and transmission | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Oil | Central stockholding entities | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Supply undertakings | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Distribution system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Transmission system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Storage system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | LNG system operators | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Natural gas undertakings | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Gas | Operators of natural gas refining and treatment facilities | ✅ Not required | 🚩 Important | 🚨Essential |
Energy - Hydrogen | Operators of hydrogen production, storage and transmission | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Air | Air carriers used for commercial purposes | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Air | Airport managing bodies, airports, including the core airports, and entities operating ancillary installations contained within airports | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Air | Traffic management control operators providing air traffic control (ATC) services | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Rail | Infrastructure managers | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Rail | Railway undertakings, including operators of service facilities | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Water | Inland, sea and coastal passenger and freight water transport companies, not including the individual vessels operated by those companies | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Water | Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Water | Operators of vessel traffic services (VTS) | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Road | Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity | ✅ Not required | 🚩 Important | 🚨Essential |
Transport - Road | Operators of Intelligent Transport Systems | ✅ Not required | 🚩 Important | 🚨Essential |
Banking | Credit institutions | ✅ Not required | 🚩 Important | 🚨Essential |
Financial market infrastructures | Operators of trading venues | ✅ Not required | 🚩 Important | 🚨Essential |
Financial market infrastructures | Central counterparties (CCPs) | ✅ Not required | 🚩 Important | 🚨Essential |
Health | Healthcare providers | ✅ Not required | 🚩 Important | 🚨Essential |
Health | EU reference laboratories | ✅ Not required | 🚩 Important | 🚨Essential |
Health | Entities carrying out research and development activities of medicinal products; Entities manufacturing basic pharmaceutical products and pharmaceutical preparations; Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list) | ✅ Not required | 🚩 Important | 🚨Essential |
Drinking water | Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods | ✅ Not required | 🚩 Important | 🚨Essential |
Waste water | Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity | ✅ Not required | 🚩 Important | 🚨Essential |
Digital infrastructure | Internet Exchange Point providers | ✅ Not required | 🚩 Important | 🚨Essential |
Digital infrastructure | DNS service providers, excluding operators of root name servers | 🚨Essential | 🚨Essential | 🚨Essential |
Digital infrastructure | TLD name registries | 🚨Essential | 🚨Essential | 🚨Essential |
Digital infrastructure | Domain name registration services | 🚩 Important | 🚩 Important | 🚩 Important |
Digital infrastructure | Cloud computing service providers | ✅ Not required | 🚩 Important | 🚨Essential |
Digital infrastructure | Data centre service providers | ✅ Not required | 🚩 Important | 🚨Essential |
Digital infrastructure | Content delivery network providers | ✅ Not required | 🚩 Important | 🚨Essential |
Digital infrastructure | Trust service providers | 🚨Essential | 🚨Essential | 🚨Essential |
Digital infrastructure | Providers of public electronic communications networks | 🚩 Important | 🚨Essential | 🚨Essential |
Digital infrastructure | Providers of publicly available electronic communications services | 🚩 Important | 🚨Essential | 🚨Essential |
ICT service management (B2B) | Managed service providers; Managed security service providers | ✅ Not required | 🚩 Important | 🚨Essential |
Public administration | Public administration entities of central governments as defined by a Member State in accordance with national law | 🚨Essential | 🚨Essential | 🚨Essential |
Public administration | Public administration entities at regional level as defined by a Member State in accordance with national law | 🚨Essential | 🚨Essential | 🚨Essential |
Public administration | Public administration entities at local level | ⚠️ based on Member State | ⚠️ based on Member State | ⚠️ based on Member State |
Space | Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks | ✅ Not required | 🚩 Important | 🚨Essential |
Other Important Sectors (Non-high criticality)
Sector - Subsector | Type of entity | Micro and small organizations* | Mid-sized organizations | Large organizations |
Postal and courier services | Postal service providers, including providers of courier services | ✅ Not required | 🚩 Important | 🚩 Important |
Waste management | Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacture, production and distribution of chemicals | Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles from substances or mixtures | ✅ Not required | 🚩 Important | 🚩 Important |
Production, processing and distribution of food | Food businesses which are engaged in wholesale distribution and industrial production and processing | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - medical devices and in vitro diagnostic medical devices | Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices with the exception of entities manufacturing medical devices | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - computer, electronic and optical products | Undertakings carrying out any of the economic activities | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - electrical equipment | Undertakings carrying out any of the economic activities | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - machinery and equipment n.e.c. | Undertakings carrying out any of the economic activities | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - motor vehicles, trailers and semi-trailers | Undertakings carrying out any of the economic activities | ✅ Not required | 🚩 Important | 🚩 Important |
Manufacturing - other transport equipment | Undertakings carrying out any of the economic activities | ✅ Not required | 🚩 Important | 🚩 Important |
Digital providers | Providers of online marketplaces | ✅ Not required | 🚩 Important | 🚩 Important |
Digital providers | Providers of online search engines | ✅ Not required | 🚩 Important | 🚩 Important |
Digital providers | Providers of social networking services platforms | ✅ Not required | 🚩 Important | 🚩 Important |
Research | Research organisations | ✅ Not required | 🚩 Important | 🚩 Important |
Research | Education institutions, in particular where they carry out critical research activities | ⚠️ based on Member State | ⚠️ based on Member State | ⚠️ based on Member State |
🛠️ How to Get Compliant
- ✅ Determine your sector and entity type — essential or important?
- 🔎 Conduct a NIS 2 requirements gap analysis
- 📋 Update your cybersecurity policies, procedures and incident response plans
- 🧑‍💼 Ensure executive accountability is in place
- 📦 Use beams to get your SaaS tool list to save time
Our SaaS insights platform helps security-conscious teams discover, evaluate, and govern every SaaS tool. It only takes 1 minute to set up:
https://app.usebeams.com/company-login
🤙 Why This Matters: NIS 2 = A Cybersecurity Wake-Up Call
It’s estimated that over 100,000 entities will be affected — a massive expansion from the original NIS Directive.
And unlike before, non-compliance isn’t just a risk — it’s a liability, with national regulators gaining more power to inspect, enforce, and penalize lapses.
Final Thoughts
Navigating NIS 2 doesn’t have to be overwhelming. The key is understanding where your company stands, what your responsibilities are, and acting now — because the clock is ticking.
💬 Have questions about your organization’s NIS 2 status or need help mapping out your compliance plan? Reach out to us at team@usebeams.com — let’s make cybersecurity easy and fun, not scary.