
NIS2 Applicability Assessment

The process of determining whether an organization qualifies as an essential or important entity under the NIS 2 Directive.

An NIS2 applicability assessment is the structured process by which an organization determines whether it falls within the scope of the NIS 2 Directive. This is a critical first step before implementing any compliance measures, as the directive's obligations only apply to entities that meet specific sector and size criteria.

The assessment examines two dimensions: the sector in which the organization operates (e.g., energy, health, digital infrastructure, transport) and its size (typically 50+ employees or €10M+ annual turnover for "important entities", and 250+ employees or €50M+ turnover for "essential entities"). Certain critical entities may be subject to NIS 2 regardless of size.

Organizations that qualify must register with the competent national authority, implement appropriate risk management measures, and comply with mandatory incident reporting timelines. The applicability assessment should be documented and reviewed regularly, particularly when the organization changes its activities, grows in size, or enters new markets.

Legal Basis

Art. 2–3 EU Directive 2022/2555 (NIS 2); NIS2UmsuCG (Germany)

Practical Example

A software company with 80 employees provides cloud services to hospitals and public authorities. In conducting its NIS2 applicability assessment, it identifies that it operates in the "digital infrastructure" sector and exceeds the size threshold for important entities. As a result, the company initiates a compliance project to implement the required security measures and registers with the Federal Office for Information Security (BSI).

FAQ

Start by checking whether your organization operates in one of the sectors listed in Annex I or II of the NIS 2 Directive (e.g., energy, health, transport, ICT services). Then verify whether you meet the applicable size thresholds. If both apply, you are likely subject to NIS 2 obligations.

NIS 2 does not require a formal external audit for the applicability assessment itself. A documented internal review is generally sufficient. However, the compliance measures that follow may be subject to supervisory review or audits by the national authority.

If the applicability assessment shows that your organization is out of scope, you are not legally required to comply with NIS 2. Nevertheless, implementing appropriate information security measures is strongly recommended as best practice for any organization handling sensitive data or providing critical services.
