NIS2 · Are you in scope?

Is your organisation subject to NIS2?

NIS2, the EU cybersecurity directive that member states had to transpose into national law by 17 October 2024, applies to thousands of organisations and public bodies across all 18 covered sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II). Use this page to quickly determine whether your organisation is in scope, and what you concretely need to put in place.

Two questions that settle most cases

1.
Does your organisation operate in one of the 18 NIS2 sectors?
See the sector table below. Public authorities at central and regional level are in scope regardless of size.
2.
Does your organisation meet the size criteria?
50+ employees, OR annual turnover or balance sheet total above €10M (the EU threshold for a medium-sized enterprise): meeting one criterion is sufficient. Certain operators are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks, sole providers of a service essential to society, and central government bodies.
If you answer yes to both, your organisation is likely subject to NIS2.
The definitive determination depends on a case-by-case assessment under the national transposition. Consult your legal adviser if in doubt.

NIS2 sectors across the EU

NIS2 divides sectors into essential entities (stricter supervision, higher fines) and important entities (lighter supervision). Both categories must implement the same Article 21 risk-management measures, including the policies on cryptography and encryption in Article 21(2)(h) under which certificate management and TLS configuration fall.

Essential entities
⚡ Energy
Electricity, district heating, oil, gas, hydrogen
🚢 Transport
Aviation, rail, maritime, road transport
🏦 Banking
Credit institutions, systemically important banks
📈 Financial market infrastructure
Trading venues, central counterparties
🏥 Healthcare
Hospitals, healthcare authorities, critical pharmaceutical manufacturers
💧 Water and wastewater
Drinking water supply, wastewater treatment
🌐 Digital infrastructure
IXPs, DNS, TLD registries, data centres, CDN, cloud
🖥️ ICT services (B2B)
Managed service providers (MSP), managed security services (MSSP)
🏛️ Public administration
Central government bodies, regardless of size (regional public authorities are listed under important entities; local authorities only where the member state chooses to include them)
🚀 Space
Operators of ground-based space infrastructure
Important entities
📮 Postal and courier services
National postal operators and courier networks
♻️ Waste management
Incineration, recycling, bulk waste
🧪 Chemicals
Production and distribution of hazardous chemicals
🍎 Food
Large-scale production, processing, and distribution
🏭 Manufacturing
Medical devices, electronics, machinery, vehicles
🔬 Research
Research organisations whose primary goal is applied research or experimental development; universities and other education institutions only where the member state chooses to include them
💻 Digital providers
Online marketplaces, search engines, social media platforms
🏛️ Regional public authorities
Public authorities at regional level are in scope regardless of size; local authorities only where the member state has opted to include them

You are in scope — what now?

NIS2 Article 21(2) lists ten minimum risk-management measures you must implement, from risk-analysis policies and incident handling to supply chain security and the use of cryptography. Here are four immediate first steps for IT teams:

1.
Build an asset inventory of all TLS certificates
This is the first thing supervisory authorities ask for. Start by mapping all certificates and the systems they protect — CertControl builds the register automatically in minutes.
2.
Conduct a risk assessment
Assess the risk of certificate expiry, weak TLS configuration (legacy protocol versions, weak cipher suites, short keys), and compromised private keys. Document it as a living record that is updated continuously, not just once.
3.
Set up proactive certificate monitoring
Automated alerts for certificate expiry, TLS handshake failures, and configuration degradation. Under Article 23 you must send an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment within 72 hours, and a final report (including root cause) within one month. Meeting the 24-hour clock requires continuous monitoring, not periodic manual checks.
4.
Ensure audit-ready documentation
Reports that demonstrate to supervisory authorities and senior management, over time, that you are in control and have been, not just from the day they ask.
Use our NIS2 checklist with 20 requirements to see exactly what you need to have in place under the directive, and what CertControl covers automatically.
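As an added example of what steps 1 to 3 look like in practice (this is illustration code written for this page, not CertControl's software), the script below builds a certificate inventory for a list of hosts with Python's standard library, then assesses each record for approaching expiry, legacy protocol versions and weak negotiated ciphers. The thresholds, host names and sample records are assumptions constructed for the example; the directive sets no such numbers. The live check captures only the parameters of one handshake with default client settings, so it tells you what a modern client negotiates, not everything the server would accept; a full configuration scan needs a dedicated scanner.

```python
"""Minimal TLS certificate inventory and expiry/configuration check.

Added example for this page, not CertControl code. Thresholds, host names
and SAMPLE_RECORDS are constructed assumptions for illustration.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values from NIS2.
WARN_DAYS = 30
CRITICAL_DAYS = 7
MIN_TLS = "TLSv1.2"
MIN_CIPHER_BITS = 128
TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class CertRecord:
    host: str
    port: int
    subject: str
    issuer: str
    not_after: datetime   # UTC expiry of the leaf certificate
    tls_version: str      # protocol negotiated, e.g. "TLSv1.3"
    cipher_bits: int      # symmetric key strength of the negotiated cipher


def fetch_record(host: str, port: int = 443, timeout: float = 5.0) -> CertRecord:
    """Handshake with default (verifying) settings and capture the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()           # parsed dict of the verified leaf
            _name, _proto, bits = tls.cipher()
            version = tls.version()
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)

    def rdn(seq):  # getpeercert() returns ((("commonName", "x"),), ...)
        return ", ".join(f"{k}={v}" for rdn_set in seq for k, v in rdn_set)

    return CertRecord(host, port, rdn(cert["subject"]), rdn(cert["issuer"]),
                      not_after, version, bits)


def build_inventory(hosts, timeout: float = 5.0):
    """Fetch every host; failures are returned too so gaps stay visible."""
    records, errors = [], {}
    for entry in hosts:
        name, _, port = entry.partition(":")
        try:
            records.append(fetch_record(name, int(port) if port else 443, timeout))
        except OSError as exc:  # unreachable, timeout, handshake or verification failure
            errors[entry] = repr(exc)
    return records, errors


def assess(rec: CertRecord, now: datetime) -> list:
    """Return (severity, message) findings; an empty list means nothing to act on."""
    findings = []
    days_left = (rec.not_after - now).total_seconds() / 86400
    if days_left <= 0:
        findings.append(("CRITICAL", f"certificate expired {-days_left:.1f} days ago"))
    elif days_left <= CRITICAL_DAYS:
        findings.append(("CRITICAL", f"certificate expires in {days_left:.1f} days"))
    elif days_left <= WARN_DAYS:
        findings.append(("WARNING", f"certificate expires in {days_left:.1f} days"))
    if TLS_RANK.get(rec.tls_version, -1) < TLS_RANK[MIN_TLS]:
        findings.append(("HIGH", f"negotiated {rec.tls_version}, below {MIN_TLS}"))
    if rec.cipher_bits < MIN_CIPHER_BITS:
        findings.append(("HIGH", f"negotiated {rec.cipher_bits}-bit cipher"))
    return findings


def report(records, now: datetime) -> dict:
    """Map host -> findings for an inventory snapshot taken at `now`."""
    return {r.host: assess(r, now) for r in records}


# Constructed sample inventory (not real hosts) so the check runs offline.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CertRecord("api.example.test", 443, "CN=api.example.test", "CN=Example CA",
               SAMPLE_NOW + timedelta(days=90), "TLSv1.3", 256),
    CertRecord("legacy.example.test", 8443, "CN=legacy.example.test", "CN=Example CA",
               SAMPLE_NOW + timedelta(days=5), "TLSv1.1", 112),
    CertRecord("old.example.test", 443, "CN=old.example.test", "CN=Example CA",
               SAMPLE_NOW - timedelta(days=3), "TLSv1.2", 128),
]

if __name__ == "__main__":
    for host, findings in report(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(host, findings or "OK")
    # Live use: records, errors = build_inventory(["www.example.com"])
    #           report(records, datetime.now(timezone.utc))
```

Run the script nightly and feed `report()` plus the `errors` map from `build_inventory()` into whatever alerting you already have; a host that fails the handshake is itself a finding, which is why the inventory keeps errors rather than dropping the host.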
Questions & answers

Frequently asked questions about NIS2 scope

Are public authorities and government bodies subject to NIS2?

Yes. Public administration entities of central governments are explicitly covered and classified as essential entities; public administration entities at regional level are important entities, and local authorities are covered only where the member state has opted to include them. Central and regional bodies are subject to the full requirements of Articles 21 and 23 regardless of size. This includes systematic certificate management and TLS certificate monitoring under the cryptography measures of Article 21(2)(h).

Does NIS2 apply to suppliers of NIS2-covered organisations?

Yes, indirectly. NIS2 Article 21(2)(d) requires covered organisations to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers, and Article 22 provides for coordinated EU-level risk assessments of critical supply chains. In practice, covered organisations will impose concrete security requirements on suppliers, including requirements for certificate management and TLS configuration. If you supply a NIS2-covered organisation, expect to be asked about this.

What is the difference between essential and important entities under NIS2?

Both categories are subject to the same requirements under Article 21. The difference lies in the intensity of supervision and the level of fines. Essential entities face proactive (ex ante) supervision, including audits and inspections at any time, and member states must set a maximum fine of at least €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities are supervised reactively (ex post), when the authority has evidence of non-compliance, and face a lower ceiling of at least €7 million or 1.4% of turnover. The requirements for certificate management and NIS2 compliance are identical for both.

Who supervises NIS2 compliance?

Supervision is carried out by each member state's designated national competent authority for NIS2. For financial entities covered by DORA (Regulation (EU) 2022/2554), DORA's ICT risk-management and incident-reporting rules apply instead as lex specialis, and the financial sector regulator supervises. The exact body depends on your sector and country; consult your industry association or national authority if you are unsure who supervises your organisation.

Are you in scope?

Start by mapping your certificates — it is always step one

The first thing a NIS2 supervisory authority will ask for is your asset inventory. CertControl builds it automatically and keeps it up to date — from day one.

14-day free trial  ·  EU hosted  ·  Dedicated instance per customer