Art. 2 NIS 2 + Annex I/II + Rec 2003/361/EC

Who is in scope of NIS 2: the complete Article 2 test

Article 2 NIS 2 sets one EU-wide scope test. Three parts: sector (Annex I or II), size (medium or larger per Recommendation 2003/361/EC), and the regardless-of-size overrides. This page walks all of it in order, the way an applicability check has to read.

Simon Orzel

The short version

There is one EU-wide test for whether NIS 2 binds you. It lives in Article 2 of the Directive. It has three moving parts. Sector. Size. Override. Most explainers cover the first two and stop. The third one is where small entities get pulled in and where most surprises happen.

Article 2(1) is the base case. You are in if you sit in a sector listed in Annex I (sectors of high criticality) or Annex II (other critical sectors), and you are at least a medium-sized enterprise under Recommendation 2003/361/EC. Article 2(2) then lists the cases where you are in regardless of size. Telecoms, trust service providers, DNS, TLD registries, sole providers of essential services, public administration entities and a few more. Below the size threshold does not mean out.

Germany puts the same test into national law through §28 BSIG. The substance is identical. The mechanics (which agency, which form, which deadline) are national. Run the test once, write down the result, keep it on file. That document is your applicability assessment.

The legal source
Three layers stacked. The Directive (Article 2 NIS 2 plus Annex I and II). The size regulation (Recommendation 2003/361/EC, the EU's official definition of a medium enterprise). The national transposition (in Germany: §28 BSIG).

Article 2(1) NIS 2 Directive (2022/2555)

This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.

The base test. Sector (Annex I or II), size (medium or larger), service provided in the Union. Article 2(2) then adds a list of regardless-of-size cases. Article 2(3) pulls in CER critical entities. Articles 2(5) to 2(11) carve out national security, defence, parliaments, central banks and the financial sector (DORA, lex specialis under Article 4).

Recommendation 2003/361/EC, Annex Article 2

The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.

The EU's official size definition. Medium starts at 50 staff and at least EUR 10 million turnover and EUR 10 million balance sheet. NIS 2 catches you from medium upwards. 'Exceeds the ceilings for medium' in Article 2(1) means large enterprise under the same Recommendation. Linked and partner enterprises aggregate, so a small subsidiary of a large parent often counts as large.

§28 BSIG (Germany)

Particularly important entities (besonders wichtige Einrichtungen) are entities of a type and size listed in Anlage 1; important entities (wichtige Einrichtungen) are entities of a type and size listed in Anlage 2.

Germany splits the EU's two categories into 'besonders wichtige' (essential) and 'wichtige' (important) Einrichtungen using Anlagen 1 and 2 of the BSIG, which mirror Annex I and II of the Directive. The size thresholds and regardless-of-size cases follow the EU text. Other member states have their own transposition laws (NL Cyberbeveiligingswet, AT NISG, FR ordonnance n° 2024-1184) using the same EU floor.

The three parts of the test
Article 2 NIS 2 splits the question into three. Sector, size, override. You run them in order. If you stop after the first two, you will miss the regardless-of-size cases.

Sector

Annex I or Annex II?

Annex I (sectors of high criticality, 11 sectors): Energy, Transport, Banking, Financial market infrastructure, Health, Drinking water, Waste water, Digital infrastructure, ICT service management (B2B, MSP and MSSP), Public administration, Space. Annex II (other critical sectors, 7 sectors): Postal and courier, Waste management, Chemicals, Food, Manufacturing (medical devices, electronics, electrical equipment, machinery, vehicles), Digital providers (online marketplaces, search engines, social networks), Research. If your service or activity sits in either Annex, move to the size test.

Size

Medium enterprise or larger?

Recommendation 2003/361/EC defines medium as 50 staff or more, OR turnover of at least EUR 10 million AND balance sheet of at least EUR 10 million. Article 2(1) catches you from medium upwards. Linked-enterprise aggregation applies: if a parent controls more than 50 percent of the votes, headcount and turnover are combined. A 30-person subsidiary of a 5000-person group counts as part of that group's figures.

Override

Does Article 2(2) or 2(3) pull you in regardless of size?

Article 2(2) overrides the size test for: providers of public electronic communications networks or services; trust service providers (eIDAS); TLD name registries and DNS service providers (excluding root-name-server operators); sole providers in a member state of a service essential for critical societal or economic activities; entities where disruption could significantly impact public safety, public security or public health, or induce systemic risk, or that are critical for a sector or interdependent sectors; public administration entities. Article 2(3) pulls in entities identified as critical under the CER Directive (Critical Entities Resilience). Article 2(4) lets member states pull in regional public administration.

Two rules that shape how you read the test
Two interpretive rules sit under Article 2. Both are easy to miss and both change the result for real companies.

The test runs per legal entity, not per group

Article 2(1) attaches the duties to the entity, not the corporate group. A holding structure with five legal entities runs the test five times. The applicability and the duties land on the legal entity in scope. Group services can implement controls centrally, but the legal addressee is the entity. Where linked-enterprise figures change the size of a subsidiary, that just changes the input to the size test, not who carries the duty. See also the subsidiary and holding scope page.

Below the size threshold does not mean out

Article 2(2) is the trap small entities walk into. Telecoms providers, trust service providers, DNS providers, TLD registries, sole providers of essential services and certain public administration entities are caught regardless of size. A five-person eIDAS trust service provider is in. A 20-person DNS provider is in. The size test is for the base case only; check the override list before you write 'out of scope'.

How national regulators run this
The EU sets one applicability test. Each country runs it through its own agency, with its own portal and its own forms. The substance is identical.

Germany

BSI / §28 BSIG and the applicability tool

The BSI publishes a 'Betroffenheitsprüfung' tool on its website that walks Anlage 1 and Anlage 2 BSIG. Entities classify themselves and register through the BSI registration portal. §28 BSIG splits scope into 'besonders wichtige' (essential, mostly Annex I) and 'wichtige' (important, mostly Annex II) Einrichtungen, with different penalty ceilings under §65 BSIG.

EU-wide

ENISA transposition tracker

ENISA, the EU cybersecurity agency, publishes a transposition tracker showing where each member state stands on putting NIS 2 into national law. As of May 2026, several states had been referred to the CJEU for late transposition. The Directive itself applies from 18 October 2024 regardless; the national law just adds the local enforcement plumbing.

Other member states

National transposition laws

Netherlands: Cyberbeveiligingswet (NCSC as competent authority). Austria: NISG (BMI). France: ordonnance n° 2024-1184 (ANSSI). Belgium: NIS2-Wet (CCB). The scope test is identical because Annex I and II are EU-level. What differs: registration portals, reporting deadlines under national procedural law, which agency you talk to first.

Three traps we see all the time
Three reasons companies wrongly conclude they are out of scope. All three skip a step in Article 2.
  • We are under 50 staff, so NIS 2 does not apply.

    Not necessarily. Article 2(2) pulls in providers of telecoms, trust services, DNS, TLD registries, sole providers of essential services and certain public administration entities regardless of size. A four-person eIDAS trust service provider is in. Run the override check before you stop at the size threshold.

  • We are a public sector body, so we are out.

    It depends. Article 2(2)(i) covers public administration entities at central and (where the member state chooses) regional level. Articles 2(5) to 2(11) carve out national security, defence, law enforcement, the judiciary, parliaments and central banks, but most other public administration entities are in. Germany's §28 BSIG and the BSI applicability tool show the local cut.

  • Our subsidiary is small, so it is out.

    Linked-enterprise aggregation under Recommendation 2003/361/EC adds the parent's headcount and turnover to the subsidiary's figures when the parent controls more than 50 percent of the votes. A 30-person subsidiary of a 5000-person group runs the size test on the combined figures, not the local ones. See the subsidiary and holding scope page for the full rule.

How real operators run the test

The full Article 2 test takes about ten minutes if you run it in order. Sector first (one look at Annex I and II). Size next (your latest annual figures plus linked-enterprise aggregation if you have a parent). Then the overrides (Article 2(2), 2(3), 2(4) and the carve-outs 2(5) to 2(11)). Then the result. Three pages of notes are enough.

Write it down. Date it. Sign it. That document is your Anwendbarkeitsprüfung. National authorities expect you to be able to show how you arrived at 'in scope' or 'out of scope', not just the conclusion. If the figures change (a merger, a new line of business, crossing a threshold), rerun the test and keep the prior version. The audit trail of the decision matters as much as the decision.

How we handle this on the platform

The applicability check on nisd2.eu walks the full Article 2 tree, in order. Sector pick from Annex I and II. Size with linked-enterprise aggregation. Override list from Article 2(2) and 2(3). Carve-outs from Article 2(5) to 2(11). The output is a written Anwendbarkeitsprüfung with your sector, headcount and turnover figures, override status, and classification (besonders wichtig, wichtig, or out).

The check is free. You get the document as PDF and as a versioned record inside the platform. Rerun it whenever your figures change. Each version is timestamped and signed by the user who ran it, so the audit trail is built in.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 2 and Annexes I and II — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Recommendation 2003/361/EC, definition of micro, small and medium-sized enterprises — eur-lex.europa.eu/eli/reco/2003/361/oj
  • Directive (EU) 2022/2557 (CER), critical entities resilience — eur-lex.europa.eu/eli/dir/2022/2557/oj
  • BSI-Gesetz (BSIG), §28 as amended by the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz
  • BSI Betroffenheitsprüfung — bsi.bund.de/dok/nis-2-betroffenheitspruefung
  • ENISA NIS 2 transposition tracker (as of May 2026)