The NIS 2 micro and small enterprise exemption
Under Article 2(1) NIS 2, the directive only applies to medium-sized and larger entities. That is the headline. The reality is a three-step test: the size definition from Recommendation 2003/361/EC, the linked-enterprise rule, and the Article 2(2) overrides that bring micro and small entities back into scope.
The short version
NIS 2 sets a size floor. By default the directive only applies to entities that meet or exceed the medium-sized threshold under Recommendation 2003/361/EC: 50 or more staff, or annual turnover above 10 million euros, or balance sheet total above 10 million euros. Micro and small entities sit below that floor.
That sounds simple. It is not. The Recommendation has its own rules for counting. Article 3(3) of its Annex says if a parent holds more than 50 percent of the voting rights in a subsidiary, you have to aggregate their headcount and turnover. A small subsidiary of a large group is not a small entity under this regime.
Article 2(2) NIS 2 then names categories that fall in regardless of size. Telecoms, qualified trust service providers, DNS, TLD name registries, sole providers of an essential service in a member state, public administration entities, and a few more. If you fit one of those, the size test does not save you. The exemption is the start of the analysis, not the end.
Article 2(1) NIS 2 Directive (2022/2555)
This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.
This is the default scope rule. Two filters in one sentence: your sector has to be in Annex I or II, and you have to be at least medium-sized under Recommendation 2003/361/EC. Below medium-sized, the directive does not apply by default.
Article 2(2) and (3), Annex to Recommendation 2003/361/EC
The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. Within the SME category, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. Within the SME category, a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.
The Recommendation gives you the numbers. Micro: fewer than 10 staff AND turnover or balance sheet up to 2 million euros. Small: fewer than 50 staff AND turnover or balance sheet up to 10 million euros. Medium: from 50 staff up to 249 OR turnover above 10 million euros. To stay below a size band you have to be below on staff AND below on turnover or balance sheet. Cross either one and you have moved up.
Article 2(2) NIS 2 (regardless of size)
Regardless of their size, this Directive applies to entities of a type referred to in Annex I or II, where:
(a) services are provided by providers of public electronic communications networks or of publicly available electronic communications services;
(b) services are provided by trust service providers;
(c) top-level domain name registries and domain name system service providers;
(d) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
(e) a disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
(f) a disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
(g) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;
(h) the entity is a public administration entity.
Eight categories that ignore size. If you fall into any of them, the medium-sized threshold does not save you. Categories (d) to (g) are member state calls: the national authority decides whether you are a sole provider, systemically important, or critical at national or regional level. In Germany the BSI runs that determination.
Apply the size definition
Count your staff and add up your annual turnover and balance sheet total. To stay micro you need fewer than 10 staff AND turnover or balance sheet at 2 million euros or below. To stay small you need fewer than 50 staff AND turnover or balance sheet at 10 million euros or below. Cross the staff number, or cross the financial threshold, and you move up a band.
Aggregate linked enterprises
Recommendation 2003/361/EC Annex Article 3(3) says if a parent enterprise holds more than 50 percent of your voting rights, you have to aggregate their headcount and turnover with yours. A 30-person subsidiary of a 5,000-person group is treated as part of that group for the size test. Most subsidiaries lose the small exemption right here.
Check the Article 2(2) overrides
Even if you pass steps one and two, Article 2(2) NIS 2 may still pull you in. Telecoms, qualified trust services, DNS, TLD registries, sole providers of an essential service in your member state, public administration. National authorities can also designate you as critical at national or regional level under Article 2(2)(g). If any of these fit, the size exemption is gone.
The size exemption is the start of the analysis, not the conclusion
Article 2(1) only gets you through filter one. Annex I or II sector, then medium-sized or larger. Even if you pass the size step as exempt, you still have to walk through Article 2(2). A small company can be in scope because it is the sole DNS provider, a qualified trust service provider, or designated as critical at national level. Reading 2(1) without 2(2) is the most common scoping error we see.
The linked-enterprise rule lifts most subsidiaries out of the exemption
Article 3(3) of the Recommendation Annex is unforgiving. If your parent owns more than 50 percent of your voting rights, their headcount and turnover get added to yours. A small entity in a large corporate group is almost never small under this regime. Mittelstand operators with a holding structure routinely discover that the subsidiary they thought was exempt sits firmly inside the directive.
BSI Betroffenheitsprüfung
The BSI runs an online Betroffenheitsprüfung where you walk through your sector under Annex I or II, your size under Recommendation 2003/361/EC, and the Article 2(2) overrides. §28 BSIG transposes Article 2 and adds national specifics: the determination of sole providers and critical entities sits with the BSI. The result is a binding self-classification you have to register under §33 BSIG.
ENISA scoping and Recommendation guidance
ENISA publishes scoping material that walks the sectoral and size filters in the same order the directive uses. The European Commission also issues a User Guide to the SME Definition explaining the Recommendation in detail, including worked examples for linked and partner enterprises. Both are reference material, not law, but national regulators cite them.
Same directive, different self-registration mechanics
Every member state transposes Article 2 verbatim because the size and override rules are set by EU law. The Netherlands runs the Cyberbeveiligingswet and an online self-classification through the NCSC. Belgium uses Safeonweb at CCB. Austria has the NISG with portal-based registration. The substance is identical. What differs is which national authority you register with and which language the portal speaks.
"We are a microenterprise, so NIS 2 does not apply to us."
Step one only. You still have to clear Article 2(2). A nine-person DNS provider is in scope. A six-person qualified trust service provider is in scope. A small entity designated by the BSI as the sole provider of an essential service in Germany is in scope. The size band is the first filter, not the final answer.
"We are under 50 staff, so we count as small."
Read Article 2(2) of the Recommendation Annex carefully. Small requires fewer than 50 staff AND turnover or balance sheet at 10 million euros or below. Cross either threshold and you move into medium. A 45-person consultancy with 12 million euros in turnover is medium-sized under the Recommendation, and that means NIS 2 applies if the sector fits.
"Our parent company is large, but we run independently, so we count on our own."
Article 3(3) of the Recommendation Annex is structural, not behavioural. If the parent holds more than 50 percent of your voting rights, you aggregate. Day-to-day independence does not matter for the size test. The European Commission User Guide to the SME Definition spells this out with worked examples. Most subsidiaries lose the size exemption here.
What we see in practice: a 30-minute scoping call walks through Annex I or II first, then the staff and financial numbers, then the linked-enterprise question, then Article 2(2). The order matters. Skipping straight to size, the way most consultants pitch the question, hides scope you actually have.
Document the result. A short scoping memo that names the sector under Annex I or II, lists the staff and turnover numbers, addresses linked enterprises, and walks through Article 2(2) is the artefact you want if a national authority later asks why you self-classified as out of scope. If you are in scope, you also need to register under Article 27 NIS 2 and the relevant national provision (in Germany: §33 BSIG).
Our free applicability check walks the three steps in the same order the directive does. Sector under Annex I or II, then the Recommendation size test with linked-enterprise aggregation, then Article 2(2) overrides. You get a written scoping result you can save or share with your lawyer.
If the result is in scope, the platform sets up your obligation register against Article 21 measures and the national reporting channels you need to hit. If you are out of scope by Article 2(1) but want a defensible record of why, the result page gives you a memo with all three steps documented and citation-grade source links.
- Directive (EU) 2022/2555 (NIS 2), Article 2 - eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, Annex Articles 2 and 3 - eur-lex.europa.eu/eli/reco/2003/361/oj
- European Commission, User Guide to the SME Definition (Publications Office, latest edition)
- BSI Act (BSIG), §28 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI Betroffenheitsprüfung and NIS 2 Infopakete - bsi.bund.de/dok/nis-2-infopakete
- ENISA NIS 2 scoping material and CIR (EU) 2024/2690 Technical Implementation Guidance