NIS2 · Are you in scope?

Is your organisation subject to NIS2?

NIS2 — the EU cybersecurity directive, with national implementations rolling out from late 2024 into 2025 — applies to thousands of organisations and public bodies across all 18 covered sectors. Use this page to quickly determine whether your organisation is in scope, and what you concretely need to put in place.

Two questions that settle most cases

1. Does your organisation operate in one of the 18 NIS2 sectors?
See the sector table below. Public authorities at central and regional level are always in scope, regardless of size.

2. Does your organisation meet the size criteria?
50+ employees OR €10M+ revenue; meeting one criterion is sufficient. Certain critical operators are always in scope regardless of size.

If you answer yes to both, your organisation is likely subject to NIS2.
The definitive determination depends on a case-by-case assessment. Consult your legal adviser if in doubt.

NIS2 sectors across the EU

NIS2 divides sectors into essential entities (stricter supervision, higher fines) and important entities (lighter supervision). Both categories are subject to the same Article 21 requirements for certificate management and TLS security.

Essential entities

Energy: Electricity, district heating, oil, gas, hydrogen
Transport: Aviation, rail, maritime, road transport
Banking: Credit institutions, systemically important banks
Financial market infrastructure: Trading venues, central counterparties
Healthcare: Hospitals, healthcare authorities, critical pharmaceutical manufacturers
Water and wastewater: Drinking water supply, wastewater treatment
Digital infrastructure: IXPs, DNS, TLD registries, data centres, CDN, cloud
ICT services (B2B): Managed service providers (MSP), managed security services (MSSP)
Public administration: Central government bodies (regional and local public authorities are listed under important entities)
Space: Operators of ground-based space infrastructure

Important entities

Postal and courier services: National postal operators and courier networks
Waste management: Incineration, recycling, bulk waste
Chemicals: Production and distribution of hazardous chemicals
Food: Large-scale production, processing, and distribution
Manufacturing: Medical devices, electronics, machinery, vehicles
Research: Universities and research institutions
Digital providers: Online marketplaces, search engines, social media platforms
Regional and local public authorities: Regional public authorities are in scope regardless of size; member states may extend coverage to local government

You are in scope — what now?

NIS2 Article 21 specifies ten security categories you must implement. Here are four immediate first steps for IT teams:

1. Build an asset inventory of all TLS certificates
This is the first thing supervisory authorities ask for. Start by mapping all certificates and the systems they protect. CertControl builds the register automatically in minutes.

2. Conduct a risk assessment
Assess the risk of certificate expiry, weak TLS configuration, and compromised keys. Document it as a living record that is updated continuously, not just once.

3. Set up proactive certificate monitoring
Automated alerts for certificate expiry, TLS failures, and configuration degradation. You must be able to identify the root cause of an incident within 24 hours, and that requires continuous monitoring.

4. Ensure audit-ready documentation
Reports that demonstrate to supervisory authorities and senior management, over time, that you are in control and have been, not just from the day they ask.

Use our NIS2 checklist with 20 requirements to see exactly what you need to have in place under the directive — and what CertControl covers automatically.
Questions & answers

Frequently asked questions about NIS2 scope

Is my organisation subject to NIS2?

Your organisation is subject to NIS2 if it operates in one of the 18 sectors covered by the directive and meets the size criteria — 50 or more employees, or €10 million or more in annual revenue. Certain critical operators are always in scope regardless of size, and public authorities are covered as well. Use the sector overview on this page to check where you fit.

When did NIS2 come into force?

The NIS2 Directive required EU member states to transpose it into national law by 17 October 2024, though several member states finalised their laws later — Denmark's NIS 2 Act, for example, entered into force on 1 July 2025. Requirements apply from the date of national implementation.

Are public authorities and government bodies subject to NIS2?

Yes. Central government bodies are explicitly covered by NIS2 and classified as essential entities regardless of size. Regional public administration bodies are typically classified as important entities, and member states can extend coverage to local government — Denmark, for example, covers municipalities through their sector activities. All are subject to the requirements of Articles 21 and 23, including systematic certificate management and TLS certificate monitoring.

What is the difference between essential and important entities under NIS2?

Both categories are subject to the same requirements under Article 21. The difference lies in the intensity of supervision and the level of fines: essential entities face stricter proactive supervision and can be fined up to €10 million or 2% of global turnover. Important entities face a somewhat lower fine ceiling — up to €7 million or 1.4% — but the requirements for certificate management and NIS2 compliance are identical.

What happens if my organisation is subject to NIS2 but does not comply?

Important entities can be fined up to €7 million or 1.4% of global turnover; essential entities can be fined up to €10 million or 2%. Senior management can be held personally liable. Supervisory authorities may conduct inspections and issue binding instructions.

Does NIS2 apply to suppliers of NIS2-covered organisations?

Yes, indirectly. NIS2 Article 21(2)(d) and Article 22 require NIS2-covered organisations to address security across the entire supply chain. In practice, this means they will impose concrete security requirements on suppliers — including requirements for certificate management and TLS configuration. If you supply a NIS2-covered organisation, expect to be asked about this.

Who supervises NIS2 compliance?

Supervision is carried out by each member state's designated national NIS2 supervisory authority. For financial sector entities, the relevant financial sector regulator typically acts as sector-specific supervisory authority. The exact body depends on your sector and country — consult your industry association or national authority if you are unsure who supervises your organisation.

How many sectors does NIS2 cover, and which ones are they?

NIS2 covers 18 sectors across the EU, divided into essential entities — such as energy, transport, banking, healthcare, water and wastewater, digital infrastructure and central public administration — and important entities, such as postal and courier services, waste management, chemicals, food, manufacturing, research and digital providers. Essential entities face stricter supervision and higher fines, while important entities face lighter supervision, but both categories are subject to the same Article 21 requirements for certificate management and TLS security.

What is the first thing I should do if my organisation falls under NIS2?

The first step is to build an asset inventory of all your TLS certificates and the systems they protect — this is the first thing a NIS2 supervisory authority will ask for. From there, conduct a risk assessment, set up proactive certificate monitoring, and ensure audit-ready documentation. NIS2 Article 21 specifies ten security categories you must implement, and these four steps are the immediate first priorities for IT teams.

Are you in scope?

Start by mapping your certificates — it is always step one

The first thing a NIS2 supervisory authority will ask for is your asset inventory. CertControl builds it automatically and keeps it up to date — from day one.

14-day free trial  ·  EU hosted  ·  Dedicated instance per customer

Sources

Primary sources

The regulatory facts on this page are drawn from the primary legislation and the responsible Danish authority. Confirm the current wording directly at the sources below.