Is your organisation subject to NIS2?
NIS2 — the EU cybersecurity directive, with national implementations rolling out from late 2024 into 2025 — applies to thousands of organisations and public bodies across 18 covered sectors. Use this page to quickly determine whether your organisation is in scope, and what you concretely need to put in place.
Two questions that settle most cases
Does your organisation operate in one of the 18 sectors covered by the directive, and does it meet the size threshold (at least 50 employees, or annual turnover and balance sheet total above €10 million)? If the answer to both is yes, you are in scope; the sector overview and the FAQ below cover the exceptions.
NIS2 sectors across the EU
NIS2 divides covered entities into essential entities (stricter supervision, higher fines) and important entities (lighter, reactive supervision). Both categories are subject to the same Article 21 risk-management measures, which include policies and procedures on the use of cryptography and encryption (Article 21(2)(h)); this is where certificate management and TLS security requirements come from.
You are in scope — what now?
NIS2 Article 21 specifies ten categories of security measures you must implement. These four immediate first steps for IT teams address the parts of them that concern certificates and TLS:
- Build an asset inventory of all your TLS certificates and the systems they protect.
- Conduct a risk assessment based on that inventory.
- Set up proactive certificate monitoring, so expiry and misconfiguration are caught before they cause an outage or an incident.
- Ensure audit-ready documentation of the inventory, the assessment and the monitoring.
Frequently asked questions about NIS2 scope
Is my organisation subject to NIS2?
Your organisation is subject to NIS2 if it operates in one of the 18 sectors covered by the directive and meets the size criteria: at least 50 employees, or an annual turnover and balance sheet total above €10 million (the EU threshold for a medium-sized enterprise). Certain critical operators are always in scope regardless of size, and public authorities are covered as well. Use the sector overview on this page to check where you fit.
When did NIS2 come into force?
The NIS2 Directive required EU member states to transpose it into national law by 17 October 2024, though several member states finalised their laws later — Denmark's NIS 2 Act, for example, entered into force on 1 July 2025. Requirements apply from the date of national implementation.
Are public authorities and government bodies subject to NIS2?
Yes. Central government bodies are explicitly covered by NIS2 and classified as essential entities regardless of size. Regional public administration bodies are typically classified as important entities, and member states can extend coverage to local government — Denmark, for example, covers municipalities through their sector activities. All are subject to the requirements of Articles 21 and 23, including systematic certificate management and TLS certificate monitoring.
What is the difference between essential and important entities under NIS2?
Both categories are subject to the same requirements under Article 21. The difference lies in the intensity of supervision and the level of fines: essential entities face proactive supervision (audits and inspections without a prior incident) and can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities are supervised reactively, after evidence of non-compliance, and face a lower fine ceiling of €7 million or 1.4% of turnover, but the requirements for certificate management and NIS2 compliance are identical.
What happens if my organisation is subject to NIS2 but does not comply?
Important entities can be fined up to €7 million or 1.4% of total worldwide annual turnover; essential entities up to €10 million or 2%, whichever amount is higher. Management bodies can be held liable for failing to approve and oversee the Article 21 measures. Supervisory authorities may conduct inspections and audits and issue binding instructions, and in serious cases can temporarily suspend certifications or authorisations.
Does NIS2 apply to suppliers of NIS2-covered organisations?
Yes, indirectly. Suppliers are not themselves in scope by virtue of supplying a covered entity, but NIS2 Article 21(2)(d) requires covered organisations to address supply chain security, including the security of their relationships with direct suppliers and service providers, and Article 22 adds EU-level coordinated risk assessments of critical supply chains that those organisations must take into account. In practice, this means covered organisations will impose concrete security requirements on suppliers through contracts and questionnaires, including requirements for certificate management and TLS configuration. If you supply a NIS2-covered organisation, expect to be asked about this.
Who supervises NIS2 compliance?
Supervision is carried out by each member state's designated national NIS2 supervisory authority. For financial sector entities, the relevant financial sector regulator typically acts as sector-specific supervisory authority. The exact body depends on your sector and country — consult your industry association or national authority if you are unsure who supervises your organisation.
How many sectors does NIS2 cover, and which ones are they?
NIS2 covers 18 sectors across the EU, divided into essential entities — such as energy, transport, banking, healthcare, water and wastewater, digital infrastructure and central public administration — and important entities, such as postal and courier services, waste management, chemicals, food, manufacturing, research and digital providers. Essential entities face stricter supervision and higher fines, while important entities face lighter supervision, but both categories are subject to the same Article 21 requirements for certificate management and TLS security.
What is the first thing I should do if my organisation falls under NIS2?
The first step is to build an asset inventory: for TLS, that means every certificate, the systems and hostnames it protects, who issued it, and when it expires. This is typically the first thing a NIS2 supervisory authority will ask for, because the risk assessment, monitoring and documentation that follow all depend on it. From there, conduct a risk assessment, set up proactive certificate monitoring, and ensure audit-ready documentation. NIS2 Article 21 specifies ten categories of security measures you must implement, and these four steps are the immediate first priorities for IT teams.
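As an added illustration of the inventory and monitoring steps (this is not CertControl's code or part of the original page), the script below uses only the openssl command line. It assumes your certificates have been exported as PEM files into one directory; the directory layout, the constructed demo certificates and the 30-day renewal window are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not CertControl's code: a minimal TLS certificate inventory
# and expiry check built on the openssl CLI. Assumes certificates are present
# as PEM files in one directory (e.g. exported from your servers).
set -eu

# Generate two constructed self-signed demo certificates: one expiring in
# 10 days, one in 365 days. In real use, skip this and point
# inventory_report at your exported certificates instead.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=legacy.example.test" \
        -keyout "$dir/legacy.key" -out "$dir/legacy.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=portal.example.test" \
        -keyout "$dir/portal.key" -out "$dir/portal.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is still valid $2 days from now,
# exit 1 if it expires inside that window (openssl x509 -checkend semantics).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# One inventory line per PEM file: file, subject, notAfter, status.
# $1 is the directory, $2 the renewal window in days.
inventory_report() {
    dir=$1; threshold=$2
    for f in "$dir"/*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        if cert_valid_for_days "$f" "$threshold"; then status=OK; else status=EXPIRING; fi
        printf '%s\t%s\t%s\t%s\n' "$f" "$subject" "$not_after" "$status"
    done
}

# Number of certificates inside the renewal window: the value a scheduled
# monitoring job would alert on. grep -c exits 1 when the count is 0, so
# the count is still printed and the exit status is masked.
count_expiring() {
    inventory_report "$1" "$2" | grep -c 'EXPIRING$' || true
}

demo=$(mktemp -d)
make_demo_certs "$demo"
inventory_report "$demo" 30
echo "expiring within 30 days: $(count_expiring "$demo" 30)"
```

Run from cron or a CI job against the exported directory, and a non-zero result from count_expiring becomes the alert. The report also serves as the audit-ready documentation the page describes: keep a dated copy of each run.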
Start by mapping your certificates — it is always step one
The first thing a NIS2 supervisory authority will ask for is your asset inventory. CertControl builds it automatically and keeps it up to date — from day one.
14-day free trial · EU hosted · Dedicated instance per customer
Primary sources
The regulatory facts on this page are drawn from the primary legislation and the responsible Danish authority. Confirm the current wording directly at the sources below.
- Directive (EU) 2022/2555 (NIS2) — full text on EUR-Lex, the EU's official law database.
- Styrelsen for Samfundssikkerhed (SAMSIK) — the Danish NIS2 authority: guidance, scope and the Danish NIS2 act (in force 1 July 2025).