NIS2 Compliance Check: How Does It Work?
The NIS2 Compliance Check is an interactive decision tree that determines whether your organisation falls under the European NIS2 directive, which classification applies (essential or important), and which obligations you must meet. On this page, we explain the methodology, walk through each step and show how you can use the results to make your organisation compliant.
What is the NIS2 Compliance Check?
The NIS2 directive (Network and Information Security Directive 2) is a European law that imposes cybersecurity requirements on organisations in critical and important sectors. The directive is the successor to the original NIS directive from 2016 and has a significantly broader scope: more sectors are covered, the requirements are stricter and the fines are higher.
In the Netherlands, NIS2 is transposed into the Cyberbeveiligingswet (Cbw) (Cybersecurity Act). Organisations that fall under it must comply with requirements regarding risk management, incident reporting, supply chain security and governance — with personal liability for directors in case of non-compliance.
Our NIS2 Compliance Check helps you determine in four steps:
- Does your organisation fall under NIS2? — based on sector and size.
- Which classification applies? — essential (stricter supervision, higher fines) or important (reactive supervision).
- Which obligations must you meet? — specific requirements per classification level.
- Where do you stand now? — a gap analysis showing which measures you already have in place and what is missing.
The check runs entirely in your browser. No data is sent to our servers unless you opt for the email report.
Methodology
The NIS2 Compliance Check is based on the official text of EU Directive 2022/2555 (NIS2) and the Dutch implementation through the Cyberbeveiligingswet (Cbw) (Cybersecurity Act). The methodology follows a structured decision tree that translates the criteria of the directive into comprehensible steps.
The classification works on the basis of three dimensions:
- Sector assessment — NIS2 defines 18 designated sectors, divided across two annexes. Annex I contains sectors of "high criticality" (energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management B2B, public administration and space). Annex II contains "other critical sectors" (postal and courier services, waste management, chemicals, food production and distribution, manufacturing of certain goods, digital providers and research organisations).
- Size assessment — the main rule: organisations that are at least medium-sized under the EU SME definition fall within scope, i.e. 50 or more employees, or an annual turnover and a balance sheet total that both exceed 10 million euros. There are exceptions: some organisations fall under NIS2 regardless of their size, such as providers of DNS services, TLD name registries, trust service providers and providers of public electronic communications networks.
- Classification assessment — organisations are classified as "essential" or "important". Essential entities are large organisations in Annex I sectors, plus specifically designated organisations. All other in-scope organisations are "important". The distinction determines the supervisory regime and the maximum fines.
Following classification, a gap analysis is conducted against the obligations of the directive: the ten categories of security measures prescribed by Article 21, the incident reporting duties of Article 23 and the management responsibilities of Article 20.
Step-by-step guide
Sector classification
In the first step, you determine whether your organisation operates in one of the 18 NIS2 sectors. The tool presents the sectors with examples and explanations, so you can easily establish whether you belong. The sectors are:
- High criticality (Annex I): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
- Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers, electronic and optical products, electrical equipment, machinery, motor vehicles, transport equipment), digital services (marketplaces, search engines, social networks), research.
Many organisations only discover at this step that they fall under NIS2. A managed service provider or managed security service provider serving business customers is in scope under ICT service management (B2B) in Annex I; cloud computing and data centre services sit under digital infrastructure in the same annex. A food producer or distributor falls under the Annex II sectors. Take this step seriously and look beyond the obvious sectors.
Determining size
The second step tests whether your organisation exceeds the threshold values of the EU SME definition (Recommendation 2003/361/EC), which the directive refers to. The main rule is:
- Medium-sized: 50-249 employees, or fewer than 50 employees with both annual turnover above €10M and balance sheet total above €10M, without exceeding the ceilings for large.
- Large: 250 or more employees, or annual turnover above €50M and balance sheet total above €43M.
Note: headcount is decisive on its own, while the two financial thresholds apply jointly. An organisation with 30 employees but €15 million in turnover therefore falls within scope only if its balance sheet total also exceeds €10 million; with a balance sheet total of €5 million it remains small and stays outside the main rule. In addition, there are exceptions for specific organisation types that fall under NIS2 regardless of size: providers of DNS services, TLD name registries, trust services, public electronic communications networks and central government bodies. Smaller organisations in critical sectors may also fall within scope if designated as essential by a member state.
Classification: essential vs. important
Based on your sector and size, the tool determines your classification:
- Essential: large organisations in Annex I sectors, plus specifically designated entities (regardless of size). Essential means proactive supervision, maximum fines of €10 million or 2% of global annual turnover (whichever is higher), and the possibility of administrative enforcement measures, including a temporary ban on persons with managerial responsibility, such as the CEO, exercising those functions.
- Important: medium-sized organisations in Annex I sectors, and all in-scope organisations in Annex II sectors. Important means reactive supervision (investigation after incidents or signals) and maximum fines of €7 million or 1.4% of global annual turnover (whichever is higher).
The classification is crucial because it determines how intensive the supervision is, how high the fines can be and which specific obligations apply. Both classifications require implementation of the Article 21 measures, but essential entities are monitored more actively.
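The decision tree of the three steps above, as an added Python example that is not the page's own tool: it encodes the sector, size and classification rules as stated here, together with the size test of Recommendation 2003/361/EC that NIS2 Article 2 refers to (headcount alone is decisive; both financial ceilings must be exceeded). The sector labels, entity-type labels and sample entities are constructed for the example, and the size-independent sets are a subset of the Article 2(2) enumeration, not the full list.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Annex(Enum):
    I = "high criticality"
    II = "other critical"


# Sector label -> annex, following the sector lists on this page.
# The labels are illustrative keys chosen for this example (assumption).
SECTORS = {
    "energy": Annex.I, "transport": Annex.I, "banking": Annex.I,
    "financial market infrastructure": Annex.I, "healthcare": Annex.I,
    "drinking water": Annex.I, "wastewater": Annex.I,
    "digital infrastructure": Annex.I, "ict service management b2b": Annex.I,
    "public administration": Annex.I, "space": Annex.I,
    "postal and courier": Annex.II, "waste management": Annex.II,
    "chemicals": Annex.II, "food": Annex.II, "manufacturing": Annex.II,
    "digital providers": Annex.II, "research": Annex.II,
}

# Entity types in scope regardless of size (Art. 2(2)(a)); the subset that is
# essential regardless of size follows Art. 3(1)(b). Labels are assumptions.
ESSENTIAL_ANY_SIZE = {
    "dns service provider", "tld name registry", "qualified trust service provider",
}
IN_SCOPE_ANY_SIZE = ESSENTIAL_ANY_SIZE | {
    "trust service provider", "public electronic communications network",
}


@dataclass
class Entity:
    sector: str
    employees: int
    turnover_eur_m: float               # annual turnover, EUR million
    balance_sheet_eur_m: float          # balance sheet total, EUR million
    entity_type: Optional[str] = None   # size-independent type, if any
    designated_essential: bool = False  # designated essential by a member state


def size_class(e: Entity) -> str:
    """Size test of Recommendation 2003/361/EC.

    Headcount alone moves an entity up a class; the two financial ceilings
    must BOTH be exceeded. So 30 staff with EUR 15M turnover but a EUR 5M
    balance sheet total is still 'small'.
    """
    if e.employees >= 250 or (e.turnover_eur_m > 50 and e.balance_sheet_eur_m > 43):
        return "large"
    if e.employees >= 50 or (e.turnover_eur_m > 10 and e.balance_sheet_eur_m > 10):
        return "medium"
    return "small"


def classify(e: Entity) -> str:
    """Walk the decision tree: 'essential', 'important' or 'not in scope'."""
    annex = SECTORS.get(e.sector.strip().lower())
    size = size_class(e)
    etype = (e.entity_type or "").strip().lower()

    # Branch 1: designated entities and size-independent essential types.
    if e.designated_essential or etype in ESSENTIAL_ANY_SIZE:
        return "essential"
    # Public electronic communications providers are essential once medium-sized (Art. 3(1)(c)).
    if etype == "public electronic communications network" and size != "small":
        return "essential"
    # Branch 2: scope test (listed sector AND at least medium-sized, or size-independent type).
    in_scope = (annex is not None and size != "small") or etype in IN_SCOPE_ANY_SIZE
    if not in_scope:
        return "not in scope"
    # Branch 3: essential vs important.
    if annex is Annex.I and size == "large":
        return "essential"
    return "important"


if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    samples = [
        Entity("energy", 300, 80, 60),            # large Annex I -> essential
        Entity("energy", 100, 20, 15),            # medium Annex I -> important
        Entity("food", 300, 200, 100),            # large Annex II -> important
        Entity("transport", 30, 15, 5),           # still small -> not in scope
        Entity("transport", 30, 15, 12),          # medium by finances -> important
        Entity("digital infrastructure", 5, 1, 0.5, entity_type="DNS service provider"),
    ]
    for s in samples:
        print(f"{s.sector:<22} {size_class(s):<7} -> {classify(s)}")
```

The two "transport" samples differ only in balance sheet total and land on opposite sides of the scope line, which is the check a practitioner should run before concluding that a sub-50-employee organisation is out of scope.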
Gap analysis
The final step tests your current situation against the NIS2 obligations in Article 21. The tool asks for each obligation whether you have already fulfilled it:
- Risk policy — is there a formal policy for risk management in the area of network and information security?
- Incident reporting — do you have procedures for detecting, reporting and handling incidents? For significant incidents NIS2 requires an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, submitted to the CSIRT or the competent authority.
- Supply chain security — do you assess the cybersecurity of your suppliers and service providers?
- Governance — is the board actively involved in cybersecurity? NIS2 requires that the management body approves the risk-management measures, oversees their implementation and follows cybersecurity training.
- Business continuity (BCP) — do you have plans for the continuity of your critical services during a cyber incident, including backup management and crisis management?
This step produces a concrete overview of what you already have and what is still missing. The obligations are not optional: non-compliance risks not only fines, but also reputational damage and personal liability of directors.
Interpreting the results
After completing the four steps, you receive a comprehensive overview of your NIS2 status. The results consist of several components:
- Classification outcome — a clear badge indicating whether your organisation falls under NIS2, and if so, whether you are classified as essential or important. If your organisation does not fall under NIS2, you receive an explanation of why not (and a recommendation to reassess periodically, as sector changes or growth may alter your status).
- Obligations checklist — an overview of all NIS2 obligations with a green (present) or red (missing) status per item. This gives you an at-a-glance insight into your compliance level.
- Compliance percentage — the proportion of obligations you have already fulfilled, as an indication of your progress towards full compliance.
- Timeline and deadlines — an overview of relevant dates: the official entry into force, registration obligation, and recommended milestones for your compliance journey.
- Recommendations — for each missing obligation, a brief explanation of what you need to do, with prioritisation based on risk and legal urgency.
The results are intended as a starting point, not as a definitive legal judgement. The NIS2 directive contains nuances and exceptions that depend on specific circumstances. In case of doubt, we always recommend seeking legal advice. But for the vast majority of organisations, our check provides a reliable and actionable picture.
Free report by email
After completing the NIS2 Compliance Check, you can receive your results as a PDF report by email. This free report contains:
- Your NIS2 classification (essential, important or not in scope) with supporting rationale
- Complete obligations checklist with green/red status
- Compliance percentage and progress indication
- Basic advice per missing obligation
- Relevant deadlines and timeline
The report is immediately usable for internal discussion. Share it with your IT manager, compliance officer or board to jointly set priorities. It provides a clear and factual starting point for the conversation about NIS2 compliance within your organisation.
Premium Assessment
The Premium NIS2 Assessment goes significantly further than the free check and delivers a complete compliance dossier that you can put to work immediately. The assessment includes:
- Detailed gap analysis per NIS2 article — not just a green/red status, but a maturity level assessment per obligation: unknown, basic, advanced or complete. For each article, you receive a specific explanation of what is expected and where your organisation stands.
- Compliance roadmap with timeline — a phased plan indicating which measures to tackle first, which can run in parallel and what timeline is realistic. The roadmap takes into account interdependencies between measures.
- Documentation requirements per obligation — NIS2 requires that you can demonstrate compliance with the requirements. The report specifies which documents, procedures and records you need per obligation: from a formal risk policy to incident reporting procedures and supplier assessments.
- Supply chain requirements — a dedicated chapter on the NIS2 requirements around supply chain security. What requirements must you impose on your suppliers? How do you ensure this contractually? What due diligence is required?
- Governance structure advice — NIS2 sets explicit requirements for board involvement. The report advises on the structure of responsibilities, reporting lines and the required board-level training in the area of cybersecurity.
- Report for management and board — professionally designed with a management summary that is directly presentable to directors or supervisory authorities. The report is structured as a compliance dossier that you can use as evidence of your efforts.
Free vs. Premium
| Component | Free | Premium |
|---|---|---|
| NIS2 classification (essential/important) | ✓ | ✓ |
| Obligations checklist | ✓ | ✓ |
| Compliance percentage | ✓ | ✓ |
| Basic advice per obligation | ✓ | ✓ |
| Gap analysis per NIS2 article | ✗ | ✓ |
| Maturity level per obligation | ✗ | ✓ |
| Compliance roadmap with timeline | ✗ | ✓ |
| Documentation requirements per obligation | ✗ | ✓ |
| Supply chain security requirements | ✗ | ✓ |
| Governance structure advice | ✗ | ✓ |
| Management-ready report | ✗ | ✓ |
Frequently Asked Questions
What is the NIS2 directive?
NIS2 (Network and Information Security Directive 2) is a European directive that imposes cybersecurity requirements on organisations in critical and important sectors. It is the successor to the original NIS directive from 2016 and has a significantly broader scope: more sectors, stricter requirements and higher fines. The directive mandates, among other things, risk management, incident reporting (with an early warning within 24 hours of a significant incident), supply chain security and active board involvement in cybersecurity.
When does NIS2 take effect in the Netherlands?
The EU deadline for transposition into national legislation was 17 October 2024. In the Netherlands, NIS2 is implemented through the Cyberbeveiligingswet (Cbw) (Cybersecurity Act). The legislation is currently in force and organisations that fall under the directive must comply with the requirements or be demonstrably working on implementation. Do not wait: supervisory authorities can enforce and implementing all required measures takes time.
What are the fines for non-compliance with NIS2?
The fines are substantial. For essential entities, the maximum is €10 million or 2% of global annual turnover, whichever is higher. For important entities, this is €7 million or 1.4% of global annual turnover, whichever is higher. In addition, NIS2 introduces personal accountability for directors: they can be temporarily barred from managerial functions or held liable if the organisation fails to comply with the requirements due to board negligence.
Does my organisation fall under NIS2?
That depends on two factors: your sector and your size. NIS2 applies to organisations in 18 designated sectors that have 50 or more employees, or whose annual turnover and balance sheet total both exceed €10 million. However, there are exceptions: certain organisations fall under NIS2 regardless of their size (such as DNS service providers and trust service providers). Use our free NIS2 Compliance Check to determine this in just a few minutes.
What is the difference between essential and important?
The main difference lies in the supervisory regime and the level of fines. Essential entities are subject to proactive supervision: the supervisory authority actively monitors and can take preventive enforcement action. Important entities are subject to reactive supervision: investigation only takes place after an incident or signal. Both categories must implement the same Article 21 measures, but essential entities are monitored more strictly and face higher fines.
What should I do first for NIS2 compliance?
Start with three steps: (1) determine whether you fall under NIS2 and which classification applies; (2) carry out a gap analysis to see where you stand relative to the obligations; (3) set up governance — assign responsibilities, inform the board and ensure cybersecurity is on the board agenda. From there, you can develop a phased implementation plan, starting with risk policy and incident reporting procedures.
How does NIS2 relate to ISO 27001?
ISO 27001 is a strong foundation for NIS2 compliance and covers many of the required measures, particularly in the area of risk management and organisational controls. However, NIS2 imposes additional requirements that are not standard in ISO 27001: mandatory reporting of significant incidents to the CSIRT or competent authority (early warning within 24 hours, notification within 72 hours, final report within one month), specific supply chain security requirements, governance requirements including board-level training, and registration obligations with the competent authority. An ISO 27001 certification gives you a head start, but is not automatically sufficient.
Is NIS2 mandatory for SMEs?
The main rule is that NIS2 applies to medium-sized and large organisations: 50 or more employees, or annual turnover and balance sheet total both above €10 million. Smaller organisations in principle do not fall within scope. However, there are important exceptions: providers of DNS services, TLD name registries, trust service providers and providers of public electronic communications networks fall under NIS2 regardless of their size. In addition, member states can designate smaller organisations as essential when they play a crucial role in a sector. Our advice: always check, even as an SME.
Determine in 4 steps whether you fall under NIS2, which classification applies and which obligations you must meet.
Start the free check
Gap analysis per article, compliance roadmap, documentation requirements and a management-ready report for board and supervisory authorities.
Start the premium assessment