NIS2 Critical Sectors: The Complete List
One of the most consequential questions under Directive 2022/2555 (NIS2) is deceptively simple: does your organization fall within scope? The directive applies to "medium-sized and large entities" in specific sectors — and the definitions of those sectors are significantly broader than many compliance teams expect.
This article covers the complete classification of sectors under NIS2, the size thresholds that determine applicability, and what being classified as "essential" versus "important" means in practice.
How NIS2 Determines Scope
The directive applies a two-step test:
Step 1 — Sector check: Does your organization operate in a sector listed in Annex I or Annex II?
Step 2 — Size threshold: Does your organization qualify as at least a medium-sized enterprise (50+ employees OR €10M+ annual turnover/balance sheet)?
If both conditions are met, your organization is in scope. Member States may extend the directive to smaller entities in critical sectors or to specific entities identified as posing significant systemic risk — so verify your national transposition law.
There are also size-independent entities that fall within scope regardless of headcount or revenue: top-level domain (TLD) name registries, DNS service providers, providers of public electronic communications networks, and trust service providers under eIDAS, among others.
Annex I: Essential Entities (11 Sectors)
Essential entities face stricter supervision and higher maximum fines (up to €10M or 2% of global turnover). They are subject to proactive supervision, meaning regulators can audit them without waiting for an incident.
1. Energy
Electricity: Electricity undertakings, distribution system operators, transmission system operators, producers, nominated electricity market operators, market participants, aggregators, demand response operators, energy storage operators.
District heating and cooling: Operators of district heating or cooling.
Oil: Operators of oil transmission pipelines, operators of oil production, refining, treatment, storage, and transmission facilities.
Gas: Supply undertakings, distribution system operators, transmission system operators, storage system operators, LNG system operators, natural gas undertakings, operators of natural gas refining and treatment facilities.
Hydrogen: Operators of hydrogen production, storage, and transmission infrastructure.
2. Transport
Air: Air carriers, airport managing bodies, airports (including core network airports), traffic management and control operators, ground handling service providers.
Rail: Infrastructure managers, railway undertakings (including operators of service facilities).
Water: Inland, sea, and coastal passenger and freight water transport companies (excluding individual vessels). Port authorities, managing bodies of ports, operators of vessel traffic services.
Road: Road authorities responsible for traffic management infrastructure, operators of Intelligent Transport Systems.
3. Banking
Credit institutions as defined in Article 4(1)(1) of Regulation (EU) No 575/2013.
4. Financial Market Infrastructures
Operators of trading venues as defined in point (24) of Article 4(1) of Directive 2014/65/EU. Central counterparties (CCPs) as defined in Article 2(1) of Regulation (EU) No 648/2012.
5. Health
Healthcare providers, EU reference laboratory networks, entities carrying out research and development activities on medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, entities manufacturing medical devices considered critical during a public health emergency.
6. Drinking Water
Suppliers and distributors of water intended for human consumption (excluding distributors for whom distribution of water is a non-principal part of a more general activity).
7. Wastewater
Undertakings collecting, disposing of, or treating urban wastewater, domestic wastewater, or industrial wastewater (excluding cases where wastewater treatment is a non-principal part of a more general activity).
8. Digital Infrastructure
Internet exchange point (IXP) operators, DNS service providers (excluding root name server operators), TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, providers of publicly available electronic communications services.
9. ICT Service Management (B2B)
Managed service providers (MSPs), managed security service providers (MSSPs).
This sector is critical to note: IT service providers and cybersecurity firms who serve other businesses are directly in scope, with no size exemption — making this one of the broadest catch-all categories in the directive.
10. Public Administration
Central government entities. Member States may also include regional government entities. Notably, the public administration sector is carved out of the size threshold — if you provide services to central government, the size rules may not apply.
11. Space
Operators of ground-based infrastructure, owned, managed, and operated by Member States or by private parties, that support the provision of space-based services (excluding providers of public electronic communications networks).
Annex II: Important Entities (7 Sectors)
Important entities face reactive supervision (regulators typically investigate after incidents) and lower maximum fines (up to €7M or 1.4% of global turnover). The substantive security obligations under Article 21 are identical to essential entities.
1. Postal and Courier Services
Postal service providers as defined in Article 2(1a) of Directive 97/67/EC and courier service providers.
2. Waste Management
Undertakings carrying out waste management as defined in Article 3(9) of Directive 2008/98/EC (excluding cases where waste management is a non-principal part of a more general activity that the undertaking carries out).
3. Manufacture, Production and Distribution of Chemicals
Undertakings manufacturing or distributing substances as defined in Article 3(1) of Regulation (EC) No 1907/2006, and undertakings manufacturing or distributing articles containing substances referred to in Article 3(3) of that Regulation.
4. Production, Processing and Distribution of Food
Food businesses as defined in Article 3(2) of Regulation (EC) No 178/2002 that are both wholesale distributors AND engaged in industrial production or processing.
5. Manufacturing
This is the sector that surprises most general manufacturers. NIS2 covers:
- Medical devices and in vitro diagnostic medical devices (per Regulations (EU) 2017/745 and 2017/746)
- Computers, electronic and optical products (NACE Rev. 2 Division 26)
- Electrical equipment (Division 27)
- Machinery and equipment n.e.c. (Division 28)
- Motor vehicles, trailers and semi-trailers (Division 29)
- Other transport equipment (Division 30)
6. Digital Providers
Online marketplaces (as defined in Article 2(n) of Directive 2005/29/EC), online search engines (as defined in Article 2(5) of Regulation (EU) 2022/2065), social networking services platforms.
7. Research
Research organizations, with particular focus on those whose primary goal is to conduct research and development activities.
The Size Thresholds Explained
| Classification | Employees | AND/OR | Annual Turnover / Balance Sheet |
|---|---|---|---|
| Micro enterprise | < 10 | | < €2M |
| Small enterprise | < 50 | | < €10M |
| Medium enterprise | ≥ 50 | OR | ≥ €10M |
| Large enterprise | ≥ 250 | OR | ≥ €50M turnover OR ≥ €43M balance sheet |
NIS2 applies to medium and large enterprises in scope sectors. Micro and small enterprises are generally excluded unless they meet one of the special criteria (e.g., sole provider of a critical service, systemic importance).
Practical Determination Flow
If you are unsure of your classification, work through these questions:
1. Is my primary business activity listed in Annex I or Annex II?
2. Do I employ 50 or more people, OR have annual turnover/balance sheet exceeding €10M?
3. Am I a trust service provider, DNS service provider, TLD registry, or MSP/MSSP serving businesses?
4. Has my national competent authority specifically identified my organization as falling within scope regardless of size?
If you answer yes to questions 1+2, or yes to question 3, you are in scope.
What Being In Scope Means
Both essential and important entities must:
- Implement the security risk management measures required by Article 21 (10 categories including incident handling, supply chain security, encryption, and multi-factor authentication)
- Report significant incidents to the national CSIRT within 24 hours of becoming aware
- Register with the national competent authority (where required by national transposition)
- Ensure management bodies are trained and accountable for cybersecurity
The difference between essential and important is primarily in supervision intensity and penalty ceilings — not in what you must do.
For details on the penalty structure and what fines your organization could face, see our guide on NIS2 penalties and fines. For an overview of NIS2 obligations more broadly, see our NIS2 compliance guide for businesses.
WarDek scans your digital infrastructure against the technical requirements of NIS2 Article 21, giving you a gap analysis you can present to your competent authority as evidence of proactive compliance efforts.
Sector classifications are based on Directive 2022/2555 (NIS2), Annexes I and II. National transposition laws may expand scope or add sector-specific requirements. Verify the applicable law in each jurisdiction where you operate.