NIS2 divides in-scope organisations into two categories: essential entities and important entities. The distinction is not cosmetic — it determines the supervisory regime you fall under, the enforcement powers that apply to you, and the fines you face if you are found non-compliant. Understanding which category applies to your organisation is one of the first steps in building a NIS2 compliance programme.
Essential Entities: The Higher-Obligation Category
Essential entities are organisations operating in the sectors listed in Annex I of NIS2. These are the sectors considered most critical to the EU’s societal and economic function: energy (electricity, oil, gas, district heating, hydrogen); transport (air, rail, water, road); banking; financial market infrastructure; health; drinking water; wastewater; digital infrastructure (IXPs, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, electronic communication networks and services); public administration; and space.
Within these sectors, the size threshold for essential entity classification applies: medium-sized enterprises (50+ employees, €10 million+ annual turnover) and large enterprises (250+ employees, €50 million+ annual turnover). Certain entities are classified as essential regardless of size — providers of certain digital infrastructure services, entities identified as critical under other EU legislation.
Important Entities: Broader Scope, Lighter Supervision
Important entities include organisations in the additional sectors listed in Annex II of NIS2 — postal and courier services, waste management, manufacture of chemicals, food production and distribution, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and other transport equipment, digital providers (online marketplaces, online search engines, social networking platforms), and research organisations.
Important entities also include medium and large enterprises in the essential entity sectors that do not meet the criteria for essential entity classification. A medium-sized enterprise in the energy sector that does not qualify as large is an important entity, not an essential entity.
The Supervisory Regime Difference
The critical practical difference between essential and important entity classification is the supervisory approach. Essential entities are subject to proactive supervision — competent authorities can conduct ex-ante inspections, on-site audits, and security scans without waiting for evidence of a breach. Important entities are subject to reactive supervision — competent authorities typically supervise based on evidence of non-compliance or following an incident, rather than proactively.
For essential entities, this means being subject to regulatory scrutiny without needing an incident to trigger it. Your cybersecurity risk management framework, incident response capabilities, and supply chain security practices could be examined as part of routine supervision. Being prepared for proactive scrutiny is a compliance reality for essential entities that important entities are not immediately facing to the same degree.
Fines: Different Maxima for Different Categories
NIS2 establishes maximum fines for non-compliance that differ by category. Essential entities face maximum fines of €10 million or 2% of total worldwide annual turnover (whichever is higher). Important entities face maximum fines of €7 million or 1.4% of total worldwide annual turnover. In both cases, fines can be imposed on management bodies personally for failures of oversight.
At Bitsecura, we help organisations determine their NIS2 classification, understand the compliance obligations that follow from it, and build programmes proportionate to both their entity category and their risk profile. If you are uncertain whether you are an essential or important entity, reach out here — scoping clarity is the foundation of an effective compliance programme.
Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.