Quick answer up front: whether NIS2 applies to you is decided in two steps, and “we’re too small” is rarely the right one. First the sector counts: if you’re in none of the covered industries, you’re usually out. If you are in one, size counts — and you calculate that size including your linked enterprises. That last part is where most companies misjudge it.
That’s the short version of the test. What NIS2 actually requires once you’re covered is in the overview of NIS2 for SMEs. This post is only about the question that comes before it: does this apply to us at all?
This is meant to help you sort the question, not to replace a legal assessment.
Step 1: the sector
NIS2 hangs on the industry first, not the size. The law lists the covered sectors in two annexes: energy, transport, water, health, banking, digital infrastructure and IT services in one, plus post, waste, chemicals, food, manufacturing and research in the other. If you operate in none of these areas, you generally don’t fall under NIS2.
There’s one exception. Some entities are covered regardless of size, such as qualified trust service providers, DNS services or TLD registries. For them, the headcount doesn’t matter.
Step 2: the size
If you’re in a covered sector, size decides the classification:
| Category | From |
|---|---|
| Essential entity | 250 employees, or over €50m turnover and over €43m balance sheet |
| Important entity | 50 employees, or over €10m turnover and over €10m balance sheet |
Below 50 employees and below €10m you’re usually out — unless you fall into one of the size-independent special categories from step 1.
Linked enterprises count too
This is where many misjudge it. You don’t calculate the size on your own numbers alone, but under the EU recommendation 2003/361/EG. Linked enterprises count at 100 percent, partner enterprises proportionally to the stake. Foreign parents and sister companies count as well.
In concrete terms: a company of 30 people thinks it’s too small — but belongs to a group of 400. For NIS2, the 400 count. “Too small” isn’t true then, it just feels that way. If you belong to a larger structure, take this step seriously before you file the topic away.
If you’re covered
Then the path runs through the BSI. Registration has been running since early 2026 via a dedicated portal, and there’s no transition period. If you missed the first deadline, catch up on the registration quickly, because the obligations apply whether or not you’re registered. And the responsibility for that sits explicitly with management, not with IT alone. A sensible first move, before any forms get filled in: check whether your backup survives a real restore test — NIS2 demands recoverability anyway.
Around 29,500 entities are now under BSI supervision, up from about 4,500 before the reform (BSI, 2025). The odds that you’re newly on the list have gone up.
Not sure whether you’re caught by the sector or by a group structure? Get in touch — we’ll run the test once, properly, before you spend time on the wrong answer.