The Question
"We operate in the Netherlands with around 80 employees and roughly EUR 15 million in annual turnover. Do we fall under NIS2?"
The Short Answer
Probably yes — at least in part. NIS2 (Directive 2022/2555) applies to medium-sized and large enterprises operating in 18 defined sectors. If your company meets the size thresholds and operates in one of those sectors, you are in scope. The next step is determining whether you are classified as an "essential" or "important" entity, which affects how you are supervised and the penalties you face.
The Detail
NIS2 establishes two tiers of in-scope organisations: essential entities and important entities. Both are subject to the same security obligations, but they face different supervisory regimes and penalty caps.
Size thresholds apply to most sectors. The baseline is:
- Medium-sized enterprises: 50 or more employees, or EUR 10 million or more in annual turnover
- Large enterprises: 250 or more employees, or EUR 50 million or more in annual turnover
If your organisation falls below these thresholds, you are generally out of scope — unless you operate in a category where size does not matter. Trust service providers, DNS service providers, TLD name registries, and a small number of other entity types are in scope regardless of their size.
Sector coverage is the second filter. NIS2 covers 18 sectors divided across two annexes:
- Annex I (high criticality): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space
- Annex II (other critical sectors): postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, motor vehicles, and other transport equipment), digital providers, and research
Your sector and size together determine your classification. Large enterprises in Annex I sectors are classified as essential entities. Medium-sized enterprises in Annex I, and both medium and large enterprises in Annex II, are generally classified as important entities.
It is also worth noting that EU member states have the authority to extend NIS2 scope to additional entities beyond what the Directive mandates. The Netherlands has implemented NIS2 through national legislation, and Dutch authorities may apply scope to entities not captured at the EU level.
What This Means for You
The classification — essential or important — has direct consequences. Essential entities face proactive, ex-ante supervision and penalties of up to EUR 10 million or 2% of global annual turnover (whichever is higher). Important entities face reactive, ex-post supervision and penalty caps of EUR 7 million or 1.4% of global annual turnover.
Both classifications carry the same core obligations: risk management measures, incident reporting, supply chain security, business continuity planning, and governance requirements including personal liability for senior management.
If you are unsure whether your organisation is in scope, the safest starting point is to map your sector against the two annexes and assess whether you meet the size thresholds. Do not wait for your national authority to make that determination for you.
Related Resources
- NIS2 Regulatory Intelligence — Full breakdown of the Directive, implementation status, obligations, and penalty structure
- Orizon Comply — Our GRC platform for managing NIS2 compliance programmes
- Compliance Frameworks — How NIS2 maps to ISO 27001, IEC 62443, and other standards
Compliance Q&A is a regular series where we answer the questions European mid-market organisations ask us most. Each edition focuses on a single, practical question. If you have a question you would like us to address, get in touch.