Are you covered by NIS2 and the Cybersecurity Act?
Check if your organization is covered by the NIS2 directive and classified as an essential or important entity. Our free tool gives you an answer in under 2 minutes.
Important information
This tool provides a preliminary assessment based on EU Directive 2022/2555. The actual classification depends on national legislation and the supervisory authority's interpretation.
Which sectors are covered by the NIS2 directive?
NIS2 expands the number of regulated sectors from 7 to 18 and introduces two categories: highly critical sectors (essential entities) and other critical sectors (important entities).
Highly critical sectors (Annex I)
Essential entities – Proactive supervision
- Energy (electricity, oil, gas, heating, hydrogen)
- Transport (aviation, rail, maritime, road)
- Banking and financial market infrastructure
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD, data centers, CDN)
- Public administration (municipalities, regions, agencies)
- Space
- ICT service management (B2B)
Penalty: Up to 10,000,000 EUR or 2% of global annual turnover
Other critical sectors (Annex II)
Important entities – Reactive supervision
- Postal and courier services
- Waste management
- Manufacturing, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing (medical devices, computers, vehicles, machinery)
- Digital providers (marketplaces, search engines, social networks)
- Research organizations
Penalty: Up to 7,000,000 EUR or 1.4% of global annual turnover
Size requirements for NIS2
Medium-sized company
50-249 employees or 10-50 M EUR turnover
→ Important entity
Large company
250+ employees or 50+ M EUR turnover
→ Essential entity (highly critical sector)
Exceptions
Certain operations are covered regardless of size
→ Qualified trust services, DNS, TLD, etc.
Frequently asked questions about NIS2 classification
Which organizations are covered by the NIS2 directive?
NIS2 covers organizations in 18 sectors including energy, transport, healthcare, water supply, digital infrastructure and public administration. The size requirement is at least 50 employees or 10 million euros in turnover, but certain critical operations are covered regardless of size.
What is the difference between an essential and important entity?
Essential entities are large companies (250+ employees or 50M+ euros) in highly critical sectors and are subject to proactive supervision with penalties up to 10 million euros. Important entities are medium-sized companies or companies in other critical sectors with reactive supervision and lower penalty levels.
Are municipalities and regions covered by NIS2?
Yes, public administration is a new sector in NIS2. Municipalities, regions and government agencies are covered by the Cybersecurity Act that implements NIS2 in Sweden. Penalties for the public sector can amount to 10 million SEK.
How do I know if my company is covered by NIS2?
Use our free classification tool above. It checks three factors: 1) Whether you belong to one of the 18 regulated sectors, 2) Whether you meet the size requirements (50+ employees or 10M+ euros turnover), 3) Whether special exceptions apply to your business.
Which sectors are new in NIS2 compared to NIS?
NIS2 expands the number of sectors from 7 to 18. New sectors include public administration, space, wastewater, waste management, manufacturing of critical products, food, chemicals, postal and courier services, and research organizations.
When does NIS2 come into effect in Sweden?
The Cybersecurity Act, which implements the NIS2 directive into Swedish law, comes into effect on January 15, 2026. Organizations covered should start their compliance work now to have time to implement necessary security measures.
Are you covered by NIS2? Take the next step
Perform a GAP analysis to measure your maturity against NIS2 requirements, or book a consultation to discuss your specific situation.