The Question
"We have been told by our legal counsel that under NIS2 our company is an 'important entity', not an 'essential entity'. The cybersecurity controls we have to implement seem to be the same either way. So does the distinction actually matter, or is it just paperwork?"
The Short Answer
The cybersecurity controls you have to implement are indeed the same — Article 21's ten common measures apply identically to both categories. What changes is how the regulator treats you. Essential entities are supervised proactively, with the regulator able to demand evidence and conduct inspections before any incident has happened. Important entities are supervised reactively, generally only after an incident or a credible signal of non-compliance. Maximum fines also differ: €10 million or 2% of worldwide turnover for essential, €7 million or 1.4% for important. So the distinction is not paperwork. It changes whether the regulator can knock on your door uninvited.
The Detail
Where the classification comes from
NIS2 (Directive (EU) 2022/2555) defines the two categories in Article 3, using two axes: sector (which Annex you fall under) and size (medium vs. large enterprise, measured against the EU SME definition in Recommendation 2003/361/EC).
The sectors are defined in Annex I ("sectors of high criticality") and Annex II ("other critical sectors"). According to the Belgian competent authority's official NIS2 portal, Annex I covers energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II covers postal and courier services, waste management, chemicals, food production and distribution, manufacturing, digital providers, and research.
The default classification rule is straightforward:
- Large enterprises (250 or more employees, or annual turnover above €50M together with an annual balance sheet total above €43M) operating in Annex I sectors are classified as essential entities.
- Large enterprises in Annex II sectors, and medium enterprises (50 or more employees, or annual turnover and balance sheet total both above €10M) in either Annex, are classified as important entities.
- Entities below the medium-size threshold are, by default, outside the scope of the Directive altogether (Article 2(1)), unless one of the size-independent exceptions below applies.
There are exceptions in both directions. Article 3(1) names operators that are essential regardless of size, including qualified trust service providers, top-level domain name registries and DNS service providers (note that the root name server network itself is carved out of the "DNS service provider" definition in Article 6). Article 2(2) lets member states bring an entity into scope regardless of size where, for example, it is the sole provider of a service essential to critical societal or economic activity, or a disruption could affect public safety, public security or public health; an entity brought in on those grounds can then be classified as essential under Article 3(1).
What is the same for both
The substantive cybersecurity obligations are identical. Article 21(2) lists ten common cybersecurity risk-management measures, (a) to (j), that apply to both categories: policies on risk analysis and information-system security; incident handling; business continuity (backup management, disaster recovery, crisis management); supply-chain security; security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber-hygiene practices and cybersecurity training; policies and procedures on the use of cryptography and, where appropriate, encryption; human-resources security, access-control policies and asset management; and the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.
Article 23 incident-reporting obligations are also the same for both categories: an early warning within 24 hours of becoming aware of a significant incident (indicating, where applicable, whether malicious action or cross-border impact is suspected), an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, an intermediate report if the CSIRT or competent authority requests one, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing, with the final report due one month after it is handled).
If you read only the Articles 21 and 23 obligations, "essential" and "important" look operationally identical. That is the source of the common conclusion that the distinction doesn't matter.
What is different
It matters because of who controls the tempo of regulatory interaction.
Essential entities are subject to ex ante (proactive) supervision. Under Article 32, competent authorities can require essential entities to demonstrate compliance without any specific triggering event. They can: conduct on-site inspections and off-site supervision, including random checks; carry out regular and targeted security audits, or order them from an independent body, normally at the entity's expense; carry out ad hoc audits and security scans; request information, including documented policies; request access to data, documents and other information; and request evidence that the Article 21 measures have actually been implemented. None of this requires waiting for something to go wrong.
Important entities are subject to ex post (reactive) supervision. Under Article 33, supervisory measures generally apply only when the competent authority has been "provided with evidence, indication or information" that the entity is not complying. In practice this usually means after an incident, a complaint, an audit referral, or a peer-authority alert. The same toolkit (inspections, audits, document requests) is available, but the trigger threshold is much higher.
This is the operational difference. An essential entity's compliance team should plan for the regulator to ask for evidence on a quiet Tuesday in November. An important entity's team should plan for the regulator to ask for evidence after the worst week of their year.
What the fines actually look like
Maximum administrative fines, set out in Article 34, follow the same ordering: the cap for essential entities is higher than the cap for important entities.
| Category | Maximum fine | Maximum % of total worldwide annual turnover (preceding financial year) |
|---|---|---|
| Essential entity | €10,000,000 | 2%, whichever of the two is higher |
| Important entity | €7,000,000 | 1.4%, whichever of the two is higher |
These are maximums, not defaults. Member-state regulators apply them proportionately based on the facts of the case. But the cap matters because it sets the negotiating position when an enforcement file opens. A 30% reduction from a €10M maximum and a 30% reduction from a €7M maximum land in very different places.
The natural-person liability angle
Article 32(5) also empowers competent authorities, with respect to essential entities, to request that a certification or authorisation be temporarily suspended, and to request that a natural person at chief-executive or legal-representative level be temporarily prohibited from exercising managerial functions. These are last-resort measures: they are available only where the ordinary enforcement measures in Article 32(4) (warnings, binding instructions, orders to remediate) have been ineffective, and they lapse once the entity comes into compliance. Article 33 contains no equivalent of these powers for important entities. Note that the general management-body liability in Article 20 applies to both categories equally: the management bodies of essential and important entities alike must approve and oversee the Article 21 measures and can be held liable for infringements. The management-prohibition power is what is specific to essential entities. For board members and executive officers, this is the most direct personal-stakes difference between the two classifications — and the most-asked question we hear from directors of essential entities.
What you should actually do
Three practical implications.
First, know your classification with confidence. If your legal counsel has told you that you are important rather than essential, ask them which Annex they have placed you in and on what size basis. The classification is rarely contested in obvious cases (a large bank is essential; a medium food producer is important), but mid-sized organisations operating across multiple sectors can have genuinely ambiguous status. Member-state competent authorities also publish their own scope guidance — read it directly.
Second, if you are essential, build your compliance evidence pack now. Treat your Article 21 implementation as something a regulator may ask to see at any point, not something you will assemble in response to an incident. Maintain a current ISMS; current certifications or assessments against a recognised framework (ISO 27001, NIST CSF, or a member-state-recognised framework such as Belgium's CyberFundamentals); a current risk register; a current incident-response runbook that covers the 24-hour, 72-hour and one-month Article 23 deadlines; a current penetration-test report; and a current third-party and supply-chain register. If a competent authority asks tomorrow, your answer is "here it is."
Third, if you are important, do not relax. The substantive obligations are identical. The only difference is when the regulator turns up — and "after an incident" is the worst possible moment to start assembling your evidence pack. The same controls and the same documentation discipline apply. What changes is your operational cadence around regulator-readiness, not the controls themselves.
Sources
- Directive (EU) 2022/2555 (NIS2) — Articles 3, 21, 23, 32, 33, 34; Annexes I and II
- Belgian CCB / Safeonweb@work — NIS2 entity portal — competent-authority summary of the essential/important distinction, sector classifications, and fine maximums