With the introduction of the NIS2 Directive, organisations across the European Union must now actively assess whether they fall within its scope. Companies operating in sectors such as energy, banking, healthcare, digital infrastructure, or waste management may be subject to the new cybersecurity obligations, particularly where medium or large enterprise thresholds are met. As a first step, organisations should conduct and document a defensible self-assessment, reviewing sector classification, group structures, workforce arrangements, and the nature of their services. Incorrect assumptions during this exercise may lead to flawed scoping conclusions and compliance risks. The article below outlines practical self-assessment considerations and common misconceptions relevant to determining scope under NIS2 and preparing for compliance.
With the implementation of Directive (EU) 2022/2555 ("NIS2") across EU Member States, the organisational conversation about cybersecurity has changed direction. The question is no longer whether NIS2 applies in the abstract, but whether organisations have correctly assessed their position - and can evidence that assessment if challenged.
NIS2 requires a self-assessment of applicability and places responsibility for this directly on organisations. There is no “opt-in” or prior designation as a prerequisite for compliance. Instead, entities are expected to determine their status based on sector, size, and role, and to justify that determination with a structured, defensible analysis. In that sense, scoping is not a formality, but rather a risk-critical exercise.
Scope of NIS2: broader than many assume
NIS2 captures a wide range of medium and large entities operating in sectors listed in its Annexes I and II, including but not limited to energy, banking, ICT services, digital infrastructure, healthcare, and waste management. In certain cases, entities may also fall within scope irrespective of size where they perform particularly critical functions. As a starting point for an initial self-assessment, entities should consider in particular:
- whether they operate in a covered sector; and
- whether they meet the EU SME thresholds for a medium or large enterprise (NIS2 takes these thresholds from Commission Recommendation 2003/361/EC; in practice an entity is at least medium-sized if it has 50 or more staff, or if both its annual turnover and its balance sheet total exceed EUR 10 million).

A self-assessment can be initially conducted using our AG NIS2 self-assessment tool available here.
While this looks straightforward, applying these thresholds correctly is where key misconceptions may arise.
Structuring the assessment: a pragmatic approach
A robust scoping exercise typically focuses on a small number of core dimensions:
- Sector – whether the organisation’s activities fall within Annex I or II of NIS2;
- Size – employee, turnover, and balance sheet thresholds, including group aggregation;
- Structure – ownership and control relationships affecting SME qualification;
- Role – whether the services it provides are of a kind NIS2 treats as essential or important, including those that bring an entity into scope irrespective of size;
- Documentation – whether the assessment is recorded, reasoned, and defensible.
Misinterpretations tend to arise where one of these elements is considered in isolation – for example, focusing only on headcount, or applying an overly narrow reading of sectoral activities.
Common misconceptions that distort scoping
“We are too small to be in scope”
Size is not always assessed on a standalone basis. NIS2 takes its size thresholds from Commission Recommendation 2003/361/EC, whose rules on partner and linked enterprises require an entity's employee numbers and financial data to be aggregated with those of related undertakings (in full for linked enterprises, and in proportion to the shareholding for partner enterprises). As a result, a seemingly small local entity can qualify as a medium or large undertaking when assessed at group level.
“Employee numbers only include our direct staff”
The concept of “employees” is broader than traditional employment contracts. Under the SME definition, headcount is measured in annual work units: part-time, seasonal and partial-year staff count as fractions, while owner-managers, working partners and persons who work for the enterprise under its direction and are treated as employees under national law are counted in full. Depending on how the workforce is structured in practice, this can extend to contractors and individuals working under mandate or B2B arrangements.
“If we were in scope, the regulator would tell us”
NIS2 reverses this logic. There is no requirement for prior notification by authorities. Organisations are expected to proactively assess their status and be able to justify it; indeed, entities that conclude they are in scope are themselves required to register with the competent national authority (Article 3(4) NIS2). The absence of regulatory engagement does not indicate that an entity is out of scope.
“We already have cybersecurity measures, so we are compliant”
Existing frameworks (e.g. ISO standards or internal policies) may provide a useful starting point, but they are not sufficient in themselves. NIS2 requires organisations to implement and evidence specific measures relating to governance, accountability, incident handling, business continuity, supply chain security, access controls, cybersecurity training, and technical safeguards. Compliance depends not only on having measures in place, but also on documenting, maintaining, and demonstrating them in line with regulatory expectations.
What this means in practice
For most organisations, several practical implications follow:
- active determination is required – status under NIS2 must be assessed, not assumed;
- cross-functional cooperation is necessary – legal, IT, risk, compliance and management input is typically needed;
- documentation is critical – conclusions must be supported by clear evidence and reasoning;
- existing frameworks can be leveraged – but usually require mapping and some adaptation to NIS2 requirements;
- incident response must be structured – including clear escalation and reporting processes aligned with the NIS2 timelines (an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of that notification).
In practice, organisations tend to approach this in phases: first confirming scope, then conducting a gap analysis, followed by prioritised implementation.
How can we help?
We advise businesses on mapping and implementing obligations arising under NIS2 across the EU. We support our clients in particular in:
- assessing whether NIS2 applies to your organisation;
- identifying the specific regulatory requirements;
- implementing cybersecurity policies, procedures and documentation;
- advising on the legal aspects of cybersecurity incident management and reporting;
- reviewing agreements with ICT product and service providers;
- delivering training for management boards and IT teams on the new regulatory requirements.