Does Your Business Need to Comply with NIS2?
NIS2 affects more organizations than ever before. But how do you know if your business is in scope? This guide explains exactly who must comply with NIS2, the size thresholds, and why even smaller companies may be affected through supply chain requirements.
What: Who is in Scope for NIS2?
NIS2 applies to organizations in two categories: essential entities and important entities. The classification determines your regulatory obligations and potential penalties.
Essential Entities (11 sectors)
Higher obligations, stricter supervision
- Energy (electricity, oil, gas, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Healthcare (hospitals, laboratories, pharmaceuticals)
- Drinking water
- Wastewater
- Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
- ICT service management (B2B)
- Public administration
- Space
Important Entities (7 sectors)
Reactive supervision (after incidents)
- Postal and courier services
- Waste management
- Chemicals (manufacture, production, distribution)
- Food (production, processing, distribution)
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Size Thresholds: The 50/10 Rule (and New Small Mid-Cap Category)
Not every company in these sectors must comply. NIS2 uses size thresholds to determine scope: in general, organizations with 50 or more employees, or with €10M or more in annual turnover or balance sheet total, are in scope, and sole providers of a critical service are in scope regardless of size. On January 20, 2026, the EU Commission proposed a new "small mid-cap" entity category that could expand this further. The table below compares the obligations of the two entity categories:
| Category | Essential Entities | Important Entities |
|---|---|---|
| Sectors | 11 sectors | 7 sectors |
| Supervision | Proactive (regular audits) | Reactive (after incidents) |
| Maximum fine | €10M or 2% of global turnover | €7M or 1.4% of global turnover |
| Management liability | Yes, can be suspended | Yes, can be suspended |
| Incident reporting | 24h early warning | 24h early warning |
Why: Why Does It Matter to Know?
Understanding whether you're in scope is critical for several reasons:
Avoid significant penalties
Essential entities face fines of up to €10 million or 2% of global turnover; important entities face fines of up to €7 million or 1.4% of global turnover. These penalties are not theoretical: regulators are actively enforcing them.
Personal liability for management
NIS2 introduces personal liability for directors. Management can be held responsible and even suspended for non-compliance.
Supply chain requirements
In-scope organizations must assess their suppliers' cybersecurity. If you supply to them, you'll face compliance requirements through contracts.
Competitive advantage
Early compliance demonstrates trustworthiness. Many organizations are already asking suppliers about NIS2 compliance in RFPs.
Insurance requirements
Cyber insurers increasingly require NIS2 compliance or equivalent security measures for coverage.
How: Self-Assessment Checklist
Use this checklist to determine if your organization is in scope for NIS2:
Do you operate in one of the 18 NIS2 sectors?
Check the essential (11) and important (7) sector lists above
Do you have 50+ employees?
Count all employees across the organization
Do you have €10M+ annual turnover?
Or €10M+ balance sheet total
Are you the sole provider of a critical service?
This applies regardless of size
Do you supply to organizations that must comply?
You may face contractual requirements
What to Do Next
If you're in scope—or may be affected through supply chain requirements:
Assess your current security posture
Understand where you stand today against NIS2 requirements
Start with CyberFundamentals
Belgium's CCB framework is the official path to NIS2 compliance
Document everything
Evidence of your security measures is essential for audits
Plan for incident reporting
You'll need to report significant incidents within 24 hours
Frequently Asked Questions
My company has exactly 50 employees. Am I in scope?
Yes. NIS2 applies to organizations with 50 or more employees (or €10M+ turnover). The threshold is "50 or more," so exactly 50 employees puts you in scope if you operate in a covered sector.
We're a small IT company that serves healthcare clients. Do we need to comply?
If you don't meet the size thresholds yourself, you're not directly in scope. However, your healthcare clients ARE in scope and must assess their supply chain security. Expect them to require NIS2-level security measures through your contracts.
What about Belgian subsidiaries of international companies?
NIS2 applies per entity. If your Belgian subsidiary operates in a covered sector and meets size thresholds, it must comply. The parent company's compliance doesn't automatically cover subsidiaries.
Is a software company considered "digital infrastructure"?
Not automatically. "Digital infrastructure" refers to specific services: DNS, TLD registries, cloud computing, data centers, CDNs, trust services. A typical software company would more likely fall under "digital providers" (important sector) if it operates marketplaces, search engines, or social networks.
When do we need to be compliant?
NIS2 came into force on October 17, 2024. Essential entities in Belgium must submit their self-assessment by April 18, 2026. Around 2,000 entities (1,500 essential + 500 important) have already registered with the CCB. Belgium uses CyberFundamentals as the compliance framework.
What is the new "small mid-cap" category?
On January 20, 2026, the EU Commission proposed a new entity category for companies with fewer than 750 employees and under €150M turnover. These "small mid-cap" entities would face simplified NIS2 obligations. This is part of the broader EU Cybersecurity Package aimed at making compliance easier for the 28,700 companies affected.
Sources
- NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
- Annex I & II: Sectors of High Criticality and Other Critical Sectors — NIS2 Directive Annexes
- CyberFundamentals Framework — Centre for Cybersecurity Belgium (CCB)
- NIS Directive Implementation — European Union Agency for Cybersecurity (ENISA)
- NIS2 Article 2: Scope — Size thresholds and entity definitions
- EU Cybersecurity Package (January 2026) — Proposed NIS2 amendments including small mid-cap category