Disclaimer: This article is practical guidance, not legal advice. NIS2 is a directive implemented through national law, so details can vary by country.

Does NIS2 apply to us? For many EU companies, the answer depends on three checks: sector, size, and the role your business plays in the supply chain.

The difficult part is not only legal scope. Even companies that are not directly covered by NIS2 may still face NIS2-style security questions from enterprise customers, procurement teams, insurers, and partners. That is where readiness becomes a commercial issue, not only a compliance issue.

This article gives you a plain-English scope test. It helps you decide whether your company is likely to be an Essential Entity, an Important Entity, out of scope, or commercially affected through customer evidence requirements.

TL;DR

  • NIS2 usually applies when an EU company operates in a covered sector and meets the medium or large entity threshold.
  • A company can be out of legal scope but still receive NIS2-style evidence requests from regulated customers.
  • Essential and Important Entities both need Article 21 control evidence, incident reporting readiness, supplier security controls, and management oversight.
  • If scope is unclear, the first step is a scope confirmation, not a full compliance programme.
| Result | What it usually means | What to do next |
|---|---|---|
| Essential Entity | You operate in a high-criticality sector and meet the relevant size or criticality criteria | Confirm your classification, map Article 21 controls, and prepare evidence |
| Important Entity | You operate in another covered sector or meet the threshold under national rules | Confirm your member-state requirements and build a control checklist |
| Out of scope | Your sector, size, or service role does not trigger NIS2 directly | Monitor scope changes and prepare customer-facing security evidence if buyers ask for it |
| Not sure | Your group structure, customer role, or country coverage is unclear | Run a scope confirmation before investing in a full readiness programme |
A summary of an NIS2 scope test
    A 2-minute NIS2 scope test

    Use this table as a first filter. It does not replace legal advice, but it gives leadership a structured way to decide what to check next.

    | Quick question | Yes | No | Not sure | What this usually means | What to do next |
    |---|---|---|---|---|---|
    | Do we operate in a sector listed under NIS2, such as energy, transport, banking, healthcare, digital infrastructure, ICT service management, manufacturing, postal services, food, chemicals, research, or digital services? | | | | Sector is the first scope trigger | Confirm whether your sector falls under Annex I or Annex II |
    | Do we have 50+ employees, €10M+ annual turnover, or belong to a larger group? | | | | Medium and large entities in covered sectors are the main NIS2 target | Check entity-level and group-level thresholds |
    | Are we established in the EU or providing covered services in the EU market? | | | | EU presence can bring the company under national NIS2 rules | Identify the relevant member state or states |
    | Would a cyber incident at our company disrupt customers, public services, or regulated supply chains? | | | | Criticality can matter even where size is unclear | Assess service dependency and business impact |
    | Do customers already ask for NIS2, ISO 27001, security questionnaires, incident response evidence, access control evidence, or supplier risk documentation? | | | | You may be commercially affected even if not directly in scope | Prepare a customer-facing evidence pack |
    How to read the result:

    • Mostly “Yes” – You are likely in scope or close enough that you should confirm classification.
    • Mix of “Yes” and “Not sure” – Your scope is unclear. The next step is a scope confirmation, not a full implementation project.
    • Mostly “No”, but customer pressure is “Yes” – You may be legally out of scope but still expected to show NIS2-style evidence.
    • All “No” – You are likely out of scope for now. Recheck if your sector, size, customer base, or national law changes.

    If your result points toward “Yes”, the next practical step is to map the required risk-management areas. The clearest starting point is the NIS2 Article 21 requirements explained: the 10 risk-management measures, because Article 21 is where NIS2 turns scope into security obligations. After that, use the NIS2 compliance checklist: 40 controls EU companies must demonstrate to translate those obligations into evidence your team can prepare.

    Not sure where your company falls? Start with a scope confirmation and mini gap scan. Sunbytes can check your sector, entity structure, EU footprint, customer pressure, and first evidence gaps before you invest in a full readiness programme. 

    What is the NIS2 Directive?

    NIS2 is the EU cybersecurity directive that replaced the original NIS Directive. Its purpose is to raise the common level of cybersecurity across the EU by expanding the number of covered sectors, setting clearer security requirements, strengthening incident reporting, and increasing supervision.

    For business leaders, NIS2 matters because it connects cybersecurity to three board-level questions:

    • Can we prove that we manage cyber risk?
    • Can we report significant incidents within the required timeline?
    • Can we show customers and regulators that our suppliers, systems, and leadership processes are controlled?

    NIS2 is not only a technical security topic. It affects governance, procurement, supplier management, incident response, and the evidence your company can produce when a customer or authority asks.

    Who does NIS2 apply to?

    NIS2 scope is usually assessed through three criteria:

    1. Sector: Your company must operate in a sector covered by NIS2.
    2. Size: Medium and large entities in covered sectors are the main target. As a first filter, that often means 50+ employees or €10M+ annual turnover.
    3. EU connection: Your company may be covered if it is established in the EU or provides covered services within the EU market, depending on the type of service and national implementation.

    There are exceptions. Some smaller entities may still be covered if their services are critical, if they are the only provider of an essential service, or if national law brings them into scope. Group structure can also affect the assessment.

    Essential vs Important Entities

    NIS2 divides covered entities into two broad categories: Essential Entities and Important Entities. The difference matters because it affects supervision, enforcement, and the level of regulatory attention your company can expect.

    | Category | Typical profile | Supervision pattern | What leadership should prepare |
    |---|---|---|---|
    | Essential Entity | High-criticality sector, often larger or highly critical organisations | More proactive supervision | Clear governance, Article 21 control evidence, incident reporting process, board oversight |
    | Important Entity | Covered sector with lower criticality or different size/category treatment | More reactive supervision, often triggered by incidents or evidence of non-compliance | Same core readiness work, with attention to national registration and evidence requirements |
    | Out of scope | Sector, size, and criticality do not trigger NIS2 directly | No direct NIS2 supervision | Customer-facing security evidence may still be needed |
    Essential vs Important Entities vs Out of scope

    Essential does not mean “must be perfect”. Important does not mean “low priority”. Both categories need cybersecurity risk-management measures, incident reporting discipline, supplier security controls, and management oversight.

    The key difference is how authorities supervise and enforce those duties.

    Sector check: are you in a covered NIS2 sector?

    NIS2 covers sectors of high criticality and other critical sectors. Sectors of high criticality include areas such as energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space.

    Other critical sectors include postal and courier services, waste management, chemicals, food, certain manufacturing categories, digital providers, and research organisations.

    For many technology companies, the most relevant categories are:

    • ICT service management: Managed service providers and managed security service providers can fall under NIS2. This matters for IT companies that manage customer systems, networks, infrastructure, cybersecurity operations, or outsourced technology services.
    • Digital infrastructure: Cloud computing providers, data centre providers, content delivery network providers, DNS providers, TLD registries, trust service providers, and providers of electronic communications networks or services can be covered.
    • Digital providers: Online marketplaces, online search engines, and social networking service platforms are included under other critical sectors.
    • Manufacturing: Certain manufacturers, including medical devices, computer and electronics, machinery, motor vehicles, trailers, semi-trailers, and other transport equipment, can fall under the directive.

    If your company does not fit neatly into one label, assess what service you actually provide, who depends on it, and whether a disruption would affect customers in a covered sector.

    Size and structure check: entity, group, or subsidiary?

    The scope question is not always answered at the level of one local office. Authorities may look at:

    1. The individual legal entity: If the company itself meets the size threshold and operates in a covered sector, it may be in scope.
    2. The group: A smaller local entity may still need review if it belongs to a larger group that operates in a covered sector. This is especially relevant when security, infrastructure, IT operations, or service delivery are shared across the group.
    3. The subsidiary: A subsidiary may be relevant if it provides the covered service, runs critical infrastructure, or operates with enough independence to be assessed separately.

    This is why “we are small” is not a safe answer on its own. The better question is: which legal entity provides the service, which group controls it, and which customers depend on it?

    Cross-border operations: why member state rules matter

    NIS2 is an EU directive, but each member state implements it through national law. That means details can differ by country, including:

    • Which authority handles registration and supervision
    • How entities register
    • How sector definitions are interpreted
    • How enforcement is organised
    • What supporting guidance is available
    • How national deadlines and transition periods are managed

    If your company operates in more than one EU country, the scope check should include jurisdiction. Some entities fall under the member state where they are established. Others may have different jurisdiction rules depending on the service type.

    For leadership, this means one EU-level answer is not always enough. You need the EU classification and the member-state implementation path.

    What happens if you are in scope?

    If your company is in scope, the next question is not “Which security tool do we buy?” It is: what must we be able to demonstrate? At a high level, NIS2 creates four practical workstreams.

    1. Cybersecurity risk management

    Covered entities need appropriate measures to manage risks to network and information systems. In practice, this means security policies, access control, incident handling, business continuity, vulnerability handling, supply-chain controls, encryption where relevant, and secure development or acquisition practices.

    For the detailed control list, see NIS2 Article 21 requirements explained: the 10 risk-management measures.

    2. Incident reporting

    NIS2 introduces a structured incident reporting process for significant incidents. Your company needs to know who decides whether an incident is reportable, which authority to contact, what information to provide, and how the timeline is managed.

    If your team needs the reporting timeline, see NIS2 Article 23 incident reporting: the 24h / 72h / 1-month timeline.

    3. Supply-chain security

    NIS2 expects covered entities to address cybersecurity risks in supplier relationships. That is why customers may ask vendors for evidence around access control, secure development, incident response, data handling, vulnerability management, and subcontractor risk.

    This is where many out-of-scope suppliers still feel the impact of NIS2.

    4. Management accountability

    NIS2 places responsibility on management bodies to approve and oversee cybersecurity risk-management measures. This is not only a security team issue. Leadership needs a documented process for decisions, ownership, and follow-up.

    Penalties deserve precise treatment. NIS2 sets maximum administrative fine levels for infringements of risk-management and reporting obligations, with different levels for Essential and Important Entities. For a deeper explanation of fine exposure and enforcement logic, read the guide NIS2 fines and penalties: what non-compliance actually costs.

    If you are out of scope, why customers may still ask for NIS2-style evidence

    A company can be legally out of scope and still commercially affected. This happens when your customers are in scope. If they rely on your software, infrastructure, support, managed service, development team, hosting environment, or data processing workflow, they may need to show that supplier risk is controlled.

    That usually appears as a vendor due diligence questionnaire. Common requests include:

    • Access control policy and review evidence
    • Incident response process
    • Backup and recovery evidence
    • Secure development practices
    • Vulnerability management process
    • Penetration test or vulnerability assessment reports
    • Supplier and subcontractor controls
    • ISO 27001 certificate or equivalent security documentation
    • Data processing agreement and audit trail
    • Business continuity plan

    The customer is not asking because your company is automatically regulated. They are asking because their own NIS2 obligations require them to manage supplier risk.

    This is the commercial reason to prepare NIS2-style evidence even when the legal answer is “out of scope”. Without that evidence, procurement slows down. Security reviews take longer. Sales teams get stuck answering questions one by one.

    A better approach is to prepare a minimum evidence pack before the questionnaire arrives. That evidence should answer three questions: what controls exist, who owns them, and what proof shows they are working.

    If your team is already receiving security questionnaires, use the NIS2 minimum viable evidence pack: what to prepare for Article 21 compliance as the next step after this article.

    A 30-day scope to readiness plan

    This plan is for companies that need a practical first month, not a heavy compliance programme.

    Week 1: Confirm scope assumptions

    Start with the legal and operational facts.

    • Identify your legal entities
    • List EU countries where you operate or provide services
    • Map your main service lines
    • Check whether each service maps to an NIS2 sector
    • Review employee count, turnover, and group structure
    • Identify customers in regulated or critical sectors

    Output: a first scope view showing likely Essential, likely Important, likely out of scope, or unclear.

    Week 2: Classify customer pressure

    Do not stop at legal scope. Review commercial exposure.

    • Collect recent vendor due diligence questionnaires
    • List customer requests related to NIS2, ISO 27001, incident response, access control, or supplier security
    • Identify customer contracts that mention security obligations
    • Check whether enterprise buyers require evidence before renewal or onboarding

    Output: a customer evidence pressure map showing which accounts or deals depend on security documentation.

    Week 3: Map current controls

    You do not need to solve every gap in week three. You need to know what exists.

    • Map current policies and owners
    • Identify access control process and review frequency
    • Review incident response procedure
    • Check vulnerability scanning and remediation process
    • Review supplier management process
    • Check backup and recovery evidence
    • Identify available audit trails

    Output: a control inventory mapped to the main NIS2 readiness areas.

    Week 4: Decide the support path

    By week four, leadership should be able to make a controlled decision.

    If you are clearly in scope, move into Article 21 control mapping and evidence planning.

    If you are unclear, get legal or compliance confirmation before investing heavily.

    If you are out of scope but customers ask for evidence, build a minimum evidence pack for procurement and renewal conversations.

    If the gap is operational, assign owners, timelines, and proof requirements before buying tools.

    Output: a 30/60/90-day readiness plan with owners, priority gaps, and evidence targets.

    For teams that need a deeper assessment after this first month, read How to run a NIS2 gap analysis: the 5-step assessment framework.

    Common misconceptions about NIS2 scope

    “We are out of scope because we are small.”

    Size matters, but it is not the only factor. Some small or micro entities can still be relevant if they provide critical services or fall under specific national rules. Group structure can also change the answer.

    “We are only a supplier.”

    That may reduce direct legal exposure, but it does not remove customer pressure. If your customer is in scope, they may need evidence that supplier risk is managed.

    “No authority has contacted us yet.”

    NIS2 readiness should not depend on waiting for a regulator. Registration, classification, and supervisory processes differ by country. Customer due diligence may arrive before authority contact.

    “We already have ISO 27001, so we are done.”

    ISO 27001 helps, but it does not automatically answer every NIS2 question. NIS2 also involves incident reporting, management accountability, supply-chain security, and member-state requirements.

    “Our IT provider handles security.”

    An IT provider can operate controls, but leadership still needs evidence, ownership, and oversight. Outsourcing the work does not remove the need to understand the risk.

    What to prepare if you are likely in scope

    If the scope test points toward Essential or Important Entity status, prepare evidence in this order:

    1. Scope record: Document why you believe the company is Essential, Important, unclear, or out of scope.
    2. Entity and service map: Show which legal entity provides which service, in which EU country, and to which customer group.
    3. Article 21 control map: Map current security controls against NIS2 Article 21 risk-management areas.
    4. Incident reporting process: Define who assesses incidents, who contacts the authority, and how the timeline is tracked.
    5. Supplier risk register: List critical suppliers, their role, and what evidence you have for their security posture.
    6. Management approval trail: Record who reviewed the scope decision, which gaps were accepted, and what remediation was approved.
    7. Customer evidence pack: Prepare the documents most likely to appear in procurement reviews: access control evidence, incident process, vulnerability management evidence, business continuity evidence, and supplier security documentation.

    This evidence-first approach is more useful than a long policy list. It gives leadership a way to answer the next security questionnaire, audit request, or customer review with controlled documents instead of scattered explanations.

    How Sunbytes helps with NIS2 scope and readiness

    Security readiness does not stop at the scope answer. If your company is in scope, commercially affected, or still unclear, the next question is what evidence you can produce: scope record, Article 21 control map, supplier risk register, incident process, and management approval trail.

    Sunbytes helps European SMEs turn that uncertainty into a controlled readiness path. CyberSecurity Solutions covers the scope confirmation, mini gap scan, Article 21 evidence mapping, and audit-ready documentation. Digital Transformation Solutions supports the delivery work behind the controls, from secure development practices to remediation planning. Accelerate Workforce Solutions reduces people-risk through structured onboarding, least-privilege access, and compliant offboarding when external teams are involved. 

    Request a scope confirmation and mini gap scan with us.

    FAQs

    NIS2 can apply to SaaS companies if their service falls into a covered sector or service category, such as cloud computing, digital providers, ICT service management, or another covered area. The answer also depends on size, EU presence, and national implementation. If the SaaS product supports customers in critical sectors, customer evidence requests may apply even where direct legal scope is unclear.

    Possibly. A non-EU headquarters does not automatically remove NIS2 exposure if the company provides covered services in the EU market or has an EU establishment. The relevant member-state rules and service type need to be checked.

    Essential Entities usually operate in high-criticality sectors and face more proactive supervision. Important Entities are also covered by NIS2, but supervision is generally more reactive. Both categories need risk-management measures, incident reporting readiness, supplier security controls, and management oversight.

    Yes, in some cases. NIS2 mainly targets medium and large entities in covered sectors, but smaller companies can still be covered if they provide critical services, are the only provider of an essential service, or fall under specific national rules. Group structure can also affect the assessment.

    Treat it as a commercial readiness issue. You may not need a full NIS2 compliance programme, but you should prepare evidence customers are likely to request: access control, incident response, vulnerability management, supplier security, backup and recovery, and management approval records.

    Start with a scope confirmation. Identify your sector, legal entities, group structure, EU footprint, customer dependency, and existing security evidence. That gives leadership enough information to decide whether to move into a gap analysis, evidence pack, or limited customer-readiness track.

    No. ISO 27001 can support NIS2 readiness because it provides a structured security management system and audit evidence. But NIS2 also has specific requirements around incident reporting, management accountability, supply-chain security, and member-state implementation. ISO 27001 is a strong input, not an automatic answer.
