Essential and important entities

Essential and important entities are the two central entity categories of the NIS2 Directive, which determine the scope of cybersecurity obligations as well as the intensity of regulatory supervision and enforcement.

The NIS2 Directive (Directive (EU) 2022/2555) distinguishes between "essential entities" and "important entities". This classification largely determines the extent to which an organisation is subject to cybersecurity obligations and how strictly the competent authority supervises and enforces compliance. The categorisation is based on a combination of sector affiliation (Annex I or Annex II of the Directive), company size and the particular criticality of the entity. In Germany, the Directive is transposed into national law through the NIS2 implementation act and the corresponding amendments to the BSI Act.

Essential entities are generally large enterprises (at least 250 employees, or more than EUR 50 million in annual turnover and over EUR 43 million in balance sheet total) from the highly critical sectors listed in Annex I, such as energy, transport, banking, financial market infrastructures, healthcare, drinking water, digital infrastructure and ICT service management. Certain entities also qualify regardless of size, for example qualified trust service providers, operators of critical facilities or central government administration bodies. Important entities, by contrast, are typically medium-sized enterprises (at least 50 employees, or more than EUR 10 million in turnover and balance sheet total) from the Annex I sectors, as well as entities from the other critical sectors under Annex II, such as postal and courier services, waste management, chemicals, food, manufacturing and providers of digital services.

Substantively, the same risk management measures under Art. 21 NIS2 and the same reporting and registration obligations apply to both categories; the key difference lies in supervision and enforcement. Essential entities are subject to proactive, ex-ante supervision with regular inspections, on-site checks and security audits, whereas important entities are in principle only subject to reactive (ex-post) controls triggered by indications of a breach. The penalty framework also differs: essential entities face fines of up to EUR 10 million or 2 % of total worldwide annual turnover, while important entities face fines of up to EUR 7 million or 1.4 % of turnover. Correct self-classification is therefore a decisive first step in determining the scope of one's own obligations.

Legal Basis

Art. 3, Art. 21, Art. 23 and Art. 32 et seq. NIS2 Directive (EU) 2022/2555; German NIS2 implementation act (amended BSI Act)

Practical Example

A mid-sized machine builder with 600 employees and EUR 120 million in annual turnover reviews whether it falls within the scope of NIS2. Because manufacturing (production of machinery) is one of the other critical sectors under Annex II, the company is classified as an "important entity" rather than as an essential entity, even though it exceeds the large-enterprise thresholds. The information security officer documents the classification together with its justification, registers the company with the competent authority within the deadline and implements the risk management measures under Art. 21. At the same time, the officer notes that supervision is likely to be reactive, but still schedules an internal audit so that compliance can be demonstrated should the authority ever investigate.
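The self-classification described above, written out as a small decision procedure. This is an added example, not part of the original page or the preeco product; it encodes only the size thresholds, sector rule and fine caps as stated on this page (the "whichever is higher" fine rule follows Art. 34 of the Directive), and the balance-sheet figure for the machine builder is a constructed assumption since the page does not give one.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"
    NONE = "not a NIS2 sector"


@dataclass
class Entity:
    name: str
    annex: Annex
    employees: int
    turnover_eur: float            # annual turnover
    balance_sheet_eur: float       # annual balance sheet total
    essential_regardless_of_size: bool = False  # e.g. qualified trust service provider


def size_class(e: Entity) -> str:
    """EU enterprise size: large / medium / small, using the thresholds on this page."""
    if e.employees >= 250 or (e.turnover_eur > 50e6 and e.balance_sheet_eur > 43e6):
        return "large"
    if e.employees >= 50 or (e.turnover_eur > 10e6 and e.balance_sheet_eur > 10e6):
        return "medium"
    return "small"


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope'."""
    if e.essential_regardless_of_size:
        return "essential"
    size = size_class(e)
    if e.annex is Annex.NONE or size == "small":
        return "out of scope"
    if e.annex is Annex.I and size == "large":
        return "essential"
    # Medium-sized Annex I entities and all in-scope Annex II entities
    return "important"


def max_fine_eur(category: str, turnover_eur: float) -> float:
    """Upper fine limit per category: fixed amount or turnover share, whichever is higher."""
    if category == "essential":
        return max(10e6, 0.02 * turnover_eur)
    if category == "important":
        return max(7e6, 0.014 * turnover_eur)
    return 0.0


# Constructed sample entity from the practical example (balance sheet assumed)
MACHINE_BUILDER = Entity("machine builder", Annex.II, 600, 120e6, 80e6)
```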

FAQ

What is the difference between essential and important entities?

Both categories must fulfil the same risk management and reporting obligations. The difference lies in supervision: essential entities are subject to proactive (ex-ante) controls through regular inspections, while important entities are only checked reactively (ex post) on a case-by-case basis. The maximum fines are also higher for essential entities.

How is it determined whether an entity is essential or important?

The decisive factors are the combination of sector affiliation (Annex I or II of the NIS2 Directive), company size (number of employees, turnover, balance sheet total) and, where applicable, particular criticality. Certain entities, such as qualified trust service providers or operators of critical facilities, fall under the obligations regardless of their size.

Do entities have to classify themselves?

Yes. Both essential and important entities must determine for themselves whether they are in scope and register with the competent national authority within the deadline. Authorities generally do not notify entities in advance; responsibility for correct self-classification lies with the entity.