Does NIS2 Apply to Your Company? Quick Self-Assessment & Decision Guide

Quick decision tree to determine if your EU company is covered by NIS2. Check size thresholds, sector coverage, and what to do if you're affected.

Part of: NIS2 Directive Explained for Small Companies - For complete compliance requirements, see our comprehensive guide.

You heard about NIS2. Maybe a customer asked if you’re compliant. Maybe you saw a headline about penalties. Now you need to know: Does this actually apply to you?

The good news: Most small businesses are exempt.

The less good news: If you’re covered, you need to act now.

TL;DR:

  • NIS2 applies if you meet a size threshold (50+ employees OR €10M+ revenue) AND operate in 1 of 18 critical sectors
  • Small businesses (<50 employees, <€10M revenue) are generally exempt
  • Supply chain pressure may apply even if not directly covered
  • Takes 2 minutes to determine with our decision tree below

The 3-Question Test

Answer these three questions to know if NIS2 applies to you.

Question 1: Are You Big Enough?

NIS2 applies to medium and large companies only.

Size threshold - need to meet ONE of these:

  • 50 or more employees
  • €10 million or more annual revenue
  • €10 million or more balance sheet total

Under all three thresholds? → You’re likely exempt. Skip to “What If You’re Not Covered”

Meet any threshold? → Continue to Question 2

Gray zone (48-52 employees or €9-11M revenue)? Member States may have slight variations. Check your national implementation to be certain.


Question 2: Are You in a Covered Sector?

Check if your primary business activity is in one of these 18 sectors:

Essential Entities (higher penalties: €10M or 2% revenue)

Energy:

  • Electricity generation, transmission, distribution
  • Oil production, refining, distribution
  • Gas production, transmission, distribution
  • Hydrogen production, distribution

Transport:

  • Air carriers, airports, air traffic management
  • Rail transport, infrastructure managers
  • Water transport (maritime, inland waterways)
  • Road transport (passenger, freight if critical)

Banking & Finance:

  • Credit institutions, payment service providers
  • Financial market infrastructure

Healthcare:

  • Hospitals and healthcare providers
  • Pharmaceutical manufacturers
  • Medical device manufacturers
  • Research and development in pharmaceuticals

Water:

  • Drinking water supply
  • Wastewater treatment and distribution

Digital Infrastructure:

  • Internet exchange points (IXPs)
  • DNS service providers
  • TLD registries
  • Cloud computing service providers
  • Data center service providers
  • Content delivery networks (CDNs)

ICT Service Management:

  • Managed service providers (MSPs)
  • Managed security service providers (MSSPs)

Public Administration:

  • Government bodies at central level

Space:

  • Space infrastructure operators

Important Entities (lower penalties: €7M or 1.4% revenue)

Postal & Courier:

  • Postal services
  • Courier services

Waste Management:

  • Waste collection, treatment, disposal

Chemicals:

  • Production and distribution of chemicals

Food:

  • Food production, processing, distribution

Manufacturing:

  • Medical devices and in vitro diagnostics
  • Computer, electronic, optical products
  • Electrical equipment
  • Machinery and equipment
  • Motor vehicles, trailers, semi-trailers
  • Other transport equipment

Digital Providers:

  • Online marketplaces
  • Online search engines
  • Social networking service platforms

Research:

  • Research organizations

Not in any sector? → You’re exempt. Skip to “What If You’re Not Covered”

In a covered sector? → Continue to Question 3


Question 3: Are You a Critical Supplier?

Even if you’re small (under thresholds), you might face NIS2-style requirements if:

You provide services to covered entities:

  • IT services or infrastructure for healthcare, banking, energy companies
  • Cloud hosting or managed services for essential/important entities
  • Software in the supply chain for critical sectors
  • Security services or monitoring for covered companies

Why this matters: NIS2 Article 21 requires covered entities to assess and manage supply chain security. Your customers will push requirements down through contracts.

Result:

  • Not legally mandated to comply with NIS2
  • But expect contract clauses requiring security measures
  • May need ISO 27001 or similar to win/keep business

Size Threshold Details

How to Count Employees

Include in your count:

  • Full-time employees
  • Part-time employees (weighted by hours worked)
  • Long-term contractors (>6 months)

Don’t include:

  • Short-term contractors (<6 months)
  • Interns and trainees
  • Seasonal workers
  • External consultants

Gray zone at 48-50 employees? You’re on the borderline. Plan as if you’re covered - better to implement measures early than scramble if an audit counts you as 50+.

How to Calculate Revenue

€10 million annual revenue threshold:

  • Based on fiscal year revenue
  • Group revenue if you’re part of larger company
  • Consolidated across subsidiaries

Just under €10M? Growth could push you over next year. Start building security hygiene now so you’re ready.

Multiple business units? If your company has different divisions, consolidate revenue. A company with €5M e-commerce + €6M consulting = €11M total = covered.

Balance Sheet Threshold

€10 million balance sheet total:

  • Total assets on your balance sheet
  • Annual basis

This catches capital-intensive businesses that might have lower revenue but significant assets.


Sector Coverage Details

Digital Infrastructure (Most Relevant for Tech Companies)

You’re likely covered if you provide:

Cloud Services:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS) for business-critical functions

Hosting:

  • Web hosting (shared, VPS, dedicated)
  • Managed WordPress hosting
  • Application hosting

Data Centers:

  • Colocation services
  • Server housing
  • Network operations centers

CDN & DNS:

  • Content delivery networks
  • Domain Name System providers
  • DDoS mitigation services

Managed Services:

  • Managed IT service providers (MSPs)
  • Managed security services (MSSPs)
  • Remote monitoring and management

Key point: If you host infrastructure or provide managed services for any businesses, you’re classified as digital infrastructure regardless of your customers’ sectors.

Manufacturing (Broader Than You Think)

Covered manufacturing includes:

  • Medical devices (any size, all manufacturers)
  • Electronics and computer equipment
  • Electrical equipment
  • Industrial machinery
  • Vehicles and transport equipment

Not just assembly: Component manufacturers and suppliers in these sectors may also be covered if they meet size thresholds.

Food Production & Distribution

Includes:

  • Food processing plants
  • Large-scale distribution
  • Food safety-critical operations

Excludes: Small restaurants, cafés, local bakeries (unless part of large chain meeting size threshold).


What If You’re Covered?

You meet size threshold + operate in covered sector.

Immediate Actions (This Week)

1. Confirm with National Authority

Member States have slight variations in implementation.

Check your country’s status:

Important: Transposition is accelerating. Germany completed its implementation on December 6, 2025, with no transition period—it’s immediately binding. Don’t wait for your country—start implementing now.

2. Assess Current State

Run quick assessments to understand your gaps:

3. Notify Management

This is a board-level requirement.

NIS2 Article 20 explicitly requires management to:

  • Oversee cybersecurity measures
  • Approve policies and risk acceptance
  • Receive training on cyber risks
  • Be held personally liable for breaches

Schedule management briefing this month.

Next Steps (This Month)

Understand the 10 minimum measures:

Read our complete NIS2 compliance guide for detailed breakdown of:

  1. Risk analysis and security policies
  2. Incident handling (24-hour reporting)
  3. Business continuity and backups
  4. Supply chain security
  5. Security in acquisition and development
  6. Effectiveness assessment
  7. Cyber hygiene and training
  8. Cryptography and encryption
  9. Access control and asset management
  10. Multi-factor authentication

Create implementation roadmap:

Realistic timeline: 12 months from gap analysis to full compliance.

  • Phase 1 (Months 1-3): Quick wins - MFA, backups, access control
  • Phase 2 (Months 4-6): Documentation - policies, procedures, risk register
  • Phase 3 (Months 7-9): Technical controls - logging, monitoring, encryption
  • Phase 4 (Months 10-12): Testing and refinement

Get expert help:

Book a NIS2 gap analysis consultation - We’ll map your current state against the 10 measures and create a prioritized action plan.


What If You’re Not Covered?

You’re under size thresholds or not in a covered sector.

Good news: NIS2 doesn’t directly apply to you.

But Monitor Customer Requirements

If you sell B2B to these sectors:

  • Healthcare companies
  • Financial services
  • Manufacturing
  • Hosting/cloud providers
  • Transport and logistics
  • Energy companies

Expect RFPs and contracts to ask:

  • “Are you ISO 27001 certified?”
  • “What cybersecurity framework do you follow?”
  • “Do you have incident response procedures?”
  • “What’s your backup and disaster recovery plan?”

This is supply chain pressure, not direct regulation. But the outcome is similar: you need to demonstrate security practices.

Build Basic Hygiene Anyway

Even if exempt, implement these basics:

Essentials (protect your business):

  • MFA on all admin accounts (email, banking, hosting)
  • Regular, tested backups (Test yours now)
  • Security awareness training for staff
  • Keep software and systems updated
  • Document who has access to what

Why bother if you’re exempt?

  • Protects your business regardless of NIS2 (ransomware doesn’t check compliance status)
  • Prepares you for growth (easier to build in than retrofit)
  • Satisfies customer due diligence (win B2B contracts)
  • Reduces insurance premiums (cyber insurance requires basic controls)

Watch for Threshold Changes

NIS2 may expand in future:

  • Size threshold could drop (from 50 to 25 employees?)
  • More sectors could be added
  • Supply chain mandates may become formalized

Set calendar reminder: Review annually if you’re near thresholds (45+ employees, €8M+ revenue).

Growing startup? Plan for NIS2 compliance before you hit thresholds. Implementing measures at 40 employees is easier than scrambling at 51.


Special Cases

Hosting Providers & SaaS Companies

If you provide:

  • Web hosting (any type)
  • Cloud services (IaaS, PaaS, SaaS)
  • Managed WordPress or application hosting
  • VPS or dedicated servers
  • MSP or MSSP services

Classification: “Digital infrastructure” or “ICT service management” = Essential Entity

Covered if: 50+ employees OR €10M+ revenue

Penalty tier: €10M or 2% revenue (higher)

Key point: You’re covered regardless of who your customers are. Even if you only host SMB websites, you’re essential infrastructure under NIS2.

Need help? We have a specific guide for hosting providers.

Online Marketplaces & Platforms

If you operate:

  • E-commerce marketplace (third-party sellers)
  • Online search engine
  • Social networking platform

Classification: “Digital providers” = Important Entity

Covered if: €10M+ revenue (employee count matters less for platforms)

Penalty tier: €7M or 1.4% revenue

Examples:

  • Amazon-style marketplace: Covered
  • Single-vendor e-commerce shop: Not covered (unless in other sector)
  • Niche industry marketplace with €12M revenue: Covered

Agencies & Consultancies

Generally NOT covered unless:

  • You manage client infrastructure (MSP = covered as ICT service management)
  • You’re a critical supplier to essential entities (supply chain pressure)
  • You operate cloud services for clients (covered as digital infrastructure)

Examples:

  • Marketing agency: Not covered
  • Web design agency: Not covered
  • Managed IT services provider: Covered (if 50+ employees or €10M+ revenue)

Micro-Businesses (Definitely Exempt)

Under 10 employees and under €2M revenue: You’re a micro-business. NIS2 explicitly excludes micro-enterprises in most contexts.

Relax. Focus on basic security hygiene, but don’t stress about NIS2 compliance.


Decision Tree Flowchart

┌────────────────────────────────────┐
│ Is your company located in the EU? │
└─────────────────┬──────────────────┘
                  │ Yes
                  ▼
┌────────────────────────────────────────────────────┐
│ Do you have 50+ employees OR €10M+ revenue/assets? │
└─────────────┬────────────────────────┬─────────────┘
              │ No                     │ Yes
              ▼                        ▼
┌─────────────────────────┐  ┌──────────────────────────────┐
│ You're EXEMPT           │  │ Are you in 1 of 18 covered   │
│                         │  │ sectors?                     │
│ But monitor supply      │  └──────────┬──────────┬────────┘
│ chain pressure if you   │             │ No       │ Yes
│ sell to covered         │             ▼          ▼
│ entities                │  ┌──────────────┐  ┌─────────────┐
└─────────────────────────┘  │ EXEMPT       │  │ COVERED     │
                             │              │  │ by NIS2     │
                             └──────────────┘  └──────┬──────┘
                                                      ▼
                                          ┌───────────────────────┐
                                          │ Essential or          │
                                          │ Important Entity?     │
                                          │                       │
                                          │ Check sector list:    │
                                          │ - Essential: €10M/2%  │
                                          │ - Important: €7M/1.4% │
                                          └───────────────────────┘
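The same decision tree, written out as a small Python check so the rules can be applied to a concrete company profile. This is an added example for this page, not code from the guide's authors: the thresholds, sector tiers and employee-counting rules are the ones stated above, while the `Profile` format, the 40-hour basis for weighting part-time staff, the function names and the three sample companies are constructed assumptions.

```python
"""Encode the guide's 3-question NIS2 self-assessment as a runnable check.

Constructed example for this page: thresholds, sector lists and the
employee-counting rules come from the guide; the Profile format, function
names and sample companies below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

EMPLOYEE_THRESHOLD = 50
REVENUE_THRESHOLD_EUR = 10_000_000
BALANCE_SHEET_THRESHOLD_EUR = 10_000_000
MICRO_EMPLOYEES, MICRO_REVENUE_EUR = 10, 2_000_000
GRAY_ZONE = (48, 52)          # employee band the guide flags for national variations
FULL_WEEK_HOURS = 40.0        # assumption: basis for weighting part-time staff

# Sector -> tier, as listed under Question 2 (names shortened for lookup).
ESSENTIAL_SECTORS = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "wastewater", "digital infrastructure", "ict service management",
    "public administration", "space",
}
IMPORTANT_SECTORS = {
    "postal and courier", "waste management", "chemicals", "food", "manufacturing",
    "digital providers", "research",
}
PENALTY = {
    "essential": "up to EUR 10M or 2% of global revenue",
    "important": "up to EUR 7M or 1.4% of global revenue",
}


@dataclass
class Profile:
    in_eu: bool
    full_time: int
    part_time_hours_per_week: list[float] = field(default_factory=list)
    long_term_contractors: int = 0      # >6 months; short-term contractors are not counted
    unit_revenue_eur: list[float] = field(default_factory=list)  # one entry per unit/subsidiary
    balance_sheet_eur: float = 0.0
    sector: str | None = None
    sells_to_covered_entities: bool = False


def headcount(p: Profile) -> float:
    """Full-time staff, part-timers weighted by hours, long-term contractors."""
    part_time_fte = sum(h / FULL_WEEK_HOURS for h in p.part_time_hours_per_week)
    return p.full_time + part_time_fte + p.long_term_contractors


def consolidated_revenue(p: Profile) -> float:
    """Revenue is consolidated across business units and subsidiaries."""
    return sum(p.unit_revenue_eur)


def meets_size_threshold(p: Profile) -> bool:
    """Question 1: meeting any ONE of the three thresholds is enough."""
    return (headcount(p) >= EMPLOYEE_THRESHOLD
            or consolidated_revenue(p) >= REVENUE_THRESHOLD_EUR
            or p.balance_sheet_eur >= BALANCE_SHEET_THRESHOLD_EUR)


def assess(p: Profile) -> dict:
    """Questions 1-3 combined; returns status, penalty band and notes."""
    result = {"status": "exempt", "penalty": None, "notes": []}
    if not p.in_eu:
        result["notes"].append("not located in the EU")
        return result
    hc, rev = headcount(p), consolidated_revenue(p)
    if hc < MICRO_EMPLOYEES and rev < MICRO_REVENUE_EUR:
        result["notes"].append("micro-business: excluded in most contexts")
    if GRAY_ZONE[0] <= hc <= GRAY_ZONE[1]:
        result["notes"].append("gray zone on headcount: check national implementation")
    if not meets_size_threshold(p):
        result["notes"].append("under all three size thresholds")
    else:
        sector = (p.sector or "").strip().lower()
        if sector in ESSENTIAL_SECTORS:
            result["status"] = "essential"
        elif sector in IMPORTANT_SECTORS:
            result["status"] = "important"
        else:
            result["notes"].append("not in a covered sector")
        result["penalty"] = PENALTY.get(result["status"])
    # Question 3: supply-chain pressure reaches exempt suppliers of covered entities.
    if result["status"] == "exempt" and p.sells_to_covered_entities:
        result["notes"].append("expect Article 21 supply-chain clauses in customer contracts")
    return result


# Constructed sample companies (not real entities).
HOSTING = Profile(in_eu=True, full_time=48, part_time_hours_per_week=[20, 20, 20, 20],
                  unit_revenue_eur=[6_000_000], sector="digital infrastructure")
GROUP = Profile(in_eu=True, full_time=30, unit_revenue_eur=[5_000_000, 6_000_000],
                sector="digital providers")
AGENCY = Profile(in_eu=True, full_time=12, unit_revenue_eur=[1_500_000],
                 sector="marketing", sells_to_covered_entities=True)

if __name__ == "__main__":
    for name, company in [("hosting", HOSTING), ("group", GROUP), ("agency", AGENCY)]:
        print(name, assess(company))
```

The sample hosting company shows why the counting rules matter: 48 full-timers plus four half-time staff weight to exactly 50, which both meets the threshold and lands in the gray zone the guide tells you to double-check nationally. The group example shows consolidation turning two units under €10M each into an €11M covered entity.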

Next Steps Based on Your Result

✅ If You’re Covered (Essential or Important Entity)

Urgent (this month):

  1. Read full NIS2 compliance requirements
  2. Run gap analysis against 10 measures
  3. Book consultation for implementation roadmap
  4. Notify board/management of compliance obligation
  5. Check national authority for registration requirements

Timeline: 12 months to full compliance (start now)

Budget: €20K-60K depending on current security posture

⚠️ If You’re Exempt But Near Threshold

Recommended actions:

  1. Build basic security hygiene now (easier than later)
  2. Monitor growth - set reminder at 45 employees or €9M revenue
  3. Prepare for potential customer security requirements
  4. Document current security practices

Timeline: Proactive (no deadline)

Budget: €2K-10K for basic hygiene

✅ If You’re Clearly Exempt

Optional but smart:

  1. Implement basic security anyway (protects business)
  2. Take backup health check (3 minutes)
  3. Consider if customers might require security proof
  4. Set annual reminder to reassess (regulations change)

Timeline: At your convenience

Budget: Minimal (use free tools, basic cloud services)


Key Takeaways

The simple version:

You’re covered if:

  • (50+ employees OR €10M+ revenue) AND (in 1 of 18 sectors)

You’re exempt if:

  • Under all size thresholds
  • OR not in a covered sector

Gray zone:

  • Small supplier to covered entities = expect contractual requirements
  • Near thresholds and growing = plan ahead

Either way:

  • Basic security hygiene protects your business
  • MFA, backups, and training benefit everyone
  • Start now - it’s easier than scrambling later

Frequently Asked Questions

What is the size threshold for NIS2?
NIS2 applies to medium and large companies: 50+ employees OR €10M+ annual revenue OR €10M+ balance sheet total. If you’re under ALL three thresholds, you’re generally exempt. Small businesses with under 50 employees and under €10M revenue are not directly covered.
I'm exactly at 50 employees - am I covered?
Yes, if you’re in a covered sector. The threshold is 50 or more employees. At exactly 50, you meet the size requirement. However, Member States may have slight variations in national implementations, so check your country’s specific transposition.
What if I'm not in a covered sector but my customers are?
You’re not directly subject to NIS2, but expect supply chain pressure. Customers covered by NIS2 must assess vendor security (Article 21, measure 4). They’ll likely require you to demonstrate security practices through contracts, even though you’re not legally mandated to comply with NIS2 itself.
Can I grow out of exemption?
Yes. If you’re currently under thresholds but growing, you could cross into coverage. For example, hiring to reach 50 employees or reaching €10M revenue triggers NIS2 if you’re in a covered sector. Plan ahead - implementing security measures before you’re required is easier than scrambling after.
Are hosting providers always covered by NIS2?
Hosting providers, cloud services, and managed service providers are classified as ‘digital infrastructure’ (essential entities) under NIS2. If you meet the size threshold (50+ employees OR €10M+ revenue), you’re covered regardless of who your customers are. This includes web hosting, VPS, dedicated servers, and managed WordPress hosting.
What's the difference between essential and important entities?
Both must implement the same 10 minimum cybersecurity measures. The difference is penalties: Essential entities face fines up to €10M or 2% of global revenue (whichever higher). Important entities face up to €7M or 1.4% of revenue. Essential sectors include energy, healthcare, banking; important include postal, food, manufacturing.
Do I need to notify anyone if I'm covered?
Member States require covered entities to report to national authorities. The deadline was April 17, 2025 for Member States to deliver lists of essential and important entities to the EU Commission. Check your national implementation - you may need to register with your country’s cybersecurity authority.
What if my country hasn't transposed NIS2 yet?
Transposition is accelerating. Germany completed its implementation on December 6, 2025, with no transition period—immediately binding for ~29,000 entities. The EU Commission opened infringement procedures against 23 Member States in November 2024 for missing the deadline. Don’t wait for your country’s law—start implementing measures now. When transposition arrives, it may arrive without a grace period.
Can I be exempt even if I meet size and sector requirements?
Very limited exemptions exist. Some Member States may exempt specific entities based on national security or other criteria. However, assume you’re covered if you meet size + sector requirements unless your national authority explicitly confirms exemption.
Where can I find my country's NIS2 transposition status?
Check the ECSO NIS2 Directive Transposition Tracker for up-to-date status of each Member State. You can also contact your national cybersecurity authority (NCSC) directly for clarification on your country’s specific implementation and any registration requirements.