Does the NIS2 Directive Apply to Your Business?

Published on: February 8, 2024 | Reading time: 3 min.

Written by Jakob Krabbe Sørensen, Attorney and Head of Legal Product, ComplyCloud

[Updated July 2025]

One of the most frequent questions we get from our customers is:

“Does the NIS2 Directive apply to my organization?”

We get why that’s the case: the answer isn’t straightforward.

Maybe someone told you that the NIS2 Directive applies to you if you’re either an essential or important entity.

Unfortunately, it’s a myth. The answer for your specific business depends on several factors and exemptions, which can be difficult to navigate.

However, we’ll make sure to lead you directly to the answer by taking you through:

  • Entities that are directly covered
  • Entities that are indirectly impacted
  • Our NIS2 decision tree to use on your specific organization

Entities that are directly covered

The NIS2 Directive affects entities that have activities in the EU, across all areas and sectors, and that are considered vital to the economy and society.

For that reason, you should prepare to comply with NIS2 if you operate within or supply those areas or sectors.

First and foremost, you’re directly covered by NIS2 if your company, no matter its size, is within one of these 10 categories:

  1. Public communications networks and services
  2. Trust service providers (an entity that, for instance, makes and validates electronic signatures)
  3. Domain names
  4. The only provider of an essential service (this is often utility companies like water or electricity companies)
  5. Public safety or public health
  6. Systemic risk (an example of systemic risk is the financial crisis in 2008 and the collapse of Lehman Brothers that had a domino effect on the rest of the world)
  7. Critical to a sector
  8. Central government
  9. Defined as “critical” in the Critical Entities Resilience Directive
  10. Municipalities, regions, or educational institutions (if decided on a national level).


If your company isn’t within these categories, other factors decide if you’re covered by NIS2 – more specifically, if your company is defined as either an essential or important entity.


That is the case if your company is within one of the sectors shown below:

Please note that there are legal nuances of when an entity is either essential or important in the NIS2 Directive. We don’t cover these nuances here, but feel free to reach out to us if you need any help.

Furthermore, as a main rule, you are only covered by the NIS2 Directive if your company meets both of these criteria:

  • You have 50 employees or more
  • You have an annual turnover and a balance sheet of €10 million.

So, to sum up: 

You need to be NIS2 compliant if your company falls within the requirements above regarding 1) the sector, 2) the number of employees, and 3) the annual turnover and balance sheet of €10 million.

But…

Even if NIS2 doesn't directly apply to you, you can still be indirectly impacted and must, therefore, comply with the directive.

Entities that are indirectly impacted

You may be indirectly impacted by NIS2 if 1) your customers are directly covered, and 2) you provide services or products that can affect and compromise the security of your network and information systems, that is, systems that have something to do with IT.

Let's give you an example:

Your company provides software or IT solutions to hospitals, such as an electronic medical record system.

When your company is hit by a cyber-attack, it can have major consequences for the hospital’s operations: the hospital may lose access to vital information or have to postpone or cancel important operations.

To protect itself from such risks, the hospital must ensure that its cybersecurity is adequate in relation to the potential risks. The hospital can ensure this through a contractual obligation, as shown here:

All the factors that we just went through for you decide whether you’re directly covered or indirectly impacted by NIS2.

However, if you still struggle to find out if you’re affected, we’ve made this NIS2 decision tree for you – it will give you a bulletproof answer.

Get a sneak peek and your very own copy of the NIS2 decision tree below.

NIS2 Decision Tree

If you’d like to have our NIS2 decision tree at your fingertips at all times, feel free to grab it here.
