nexalign

NIS2 thresholds 2026: am I an essential or important entity?

The first NIS2 question is not how to implement it, but whether it applies at all. The answer depends on three axes: sector (Annex I or II), size class (headcount plus revenue or balance sheet) and a list of special cases that apply regardless of size. Here is the decision tree every potentially-affected organisation should run and document.

Step 1: check the sector (Annex I or II)

Annex I (sectors of high criticality): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space.

Annex II (other critical sectors): postal and courier services, waste management, manufacture and distribution of chemicals, production and distribution of food, manufacturing (medical devices, computers, electrical equipment, machinery, motor vehicles, other transport equipment), digital service providers (online marketplaces, search engines, social networks), research.

If the sector is in neither annex, NIS2 generally does not apply directly. See step 3 for special cases.

Step 2: determine the size class

Large enterprise: >= 250 employees OR (annual revenue > EUR 50m AND balance sheet total > EUR 43m). In Annex I = essential entity. In Annex II = important entity.

Medium enterprise: 50-249 employees OR (revenue EUR 10-50m AND balance sheet EUR 10-43m). In Annex I or II = important entity.

Micro and small enterprises below those thresholds are generally exempt, unless they fall under a special case in step 3.

Important: counting is done at group level using the EU SME definition (Recommendation 2003/361/EC), not per single legal entity.

Step 3: special cases (regardless of size)

Providers of public electronic communications networks and services (telecoms): always in scope.

Trust service providers (eIDAS): always in scope.

TLD registries and DNS service providers: always in scope.

Sole providers in a Member State for an essential service (e.g. national roaming): always in scope.

Public administration entities of central government: always in scope.

Member States may designate additional entities (Germany defines 'besonders wichtige Einrichtungen' in NIS2UmsuCG).

Step 4: supply chain effect

Even if you are formally out of scope, NIS2 requirements are passed through to you via contract clauses when you supply essential entities. Essential entities must secure their supply chain under Art. 21(2)(d).

In practice: ISO 27001, documented ICT risk management, incident reporting capability, backup strategy and management body accountability become entry tickets to contracts.

Step 5: documentation

The applicability check is itself a step that must be documented: in writing, dated, with reasoning per axis (sector, size, special case), and signed off by management.

If you document 'not in scope', repeat the assessment annually or upon material change (revenue threshold, acquisition, new business lines).

If you document 'in scope', derive the classification (essential or important) and start the registration with the competent authority (in Germany: BSI via the NIS2UmsuCG register, once operational).

What DecisionOS does

The applicability check is the first audit-defensible decision in a NIS2 programme. DecisionOS records it as a Decision Memo: criteria, thresholds, special cases, sources, stakeholder sign-off. For follow-up reviews the memo is versioned, so the supervisor can reconstruct the position at any point in time.