Scope and applicability — NIS2 Articles 2, 3, 4, 26
NIS2 scope rests on layered tests in different Articles: Article 2 sets who falls within the Directive's scope, Article 3 classifies in-scope entities as essential or important, Article 4 routes specific obligations to sector-specific Union legal acts where they are equivalent, and Article 26 then allocates jurisdiction across Member States for the in-scope entity. This page walks through each layer and then explains how scope decisions land in Modulos.
Quick decision
- Annex I / Annex II sector + medium-sized or larger → in scope under Article 2(1). Apply the Article 3 classification test to determine essential vs important status, then proceed to the cybersecurity measures and incident reporting spokes.
- Annex I / Annex II sector but below the size threshold → check Article 2(2)–(5). Several entity types are in scope regardless of size — Article 2(2)(a) covers providers of public electronic communications networks and services, trust service providers, top-level-domain name registries, and DNS service providers; Article 2(2)(b)–(e) covers sole-provider, public-safety / health impact, systemic risk, and specific-importance cases; Article 2(2)(f) covers central-government public administration entities and, following a risk-based assessment, certain regional-level entities; Article 2(3) covers CER critical entities; Article 2(4) covers entities providing domain-name registration services.
- Financial entity identified as essential or important under national NIS2 transposition → apply DORA Article 1(2): DORA is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4 on matters DORA covers; the national NIS2 transposition still applies where DORA does not extend. See NIS2 vs DORA.
- Non-EU entity of an Article 26(1)(b) type offering services in the Union → Article 26(3) requires designation of a representative in one of the Member States in which the services are offered, and the entity is deemed under the jurisdiction of the Member State where the representative is established.
- In scope and a covered digital-infrastructure entity type → layer Commission Implementing Regulation (EU) 2024/2690 on top: it specifies technical and methodological requirements for Article 21(2) measures and significant-incident criteria for these entity types.
TL;DR
- Article 2 sets the in-scope universe: Annex I or Annex II entity type that qualifies as medium-sized under Commission Recommendation 2003/361/EC or exceeds its medium-sized-enterprise ceilings, with regardless-of-size additions in Article 2(2)(a)–(f), CER critical entities pulled in by Article 2(3), domain-name registration service providers added by Article 2(4), Member State discretionary coverage in Article 2(5), a public-administration scope exclusion in Article 2(7), and a separate Member State exemption mechanism for Article 21 / 23 obligations in Article 2(8).
- Article 3 classifies in-scope entities as essential (Art 3(1)(a)–(g)) or important (Art 3(2)). Essential and important entities have the same Article 21 measure obligations and Article 23 reporting obligations; the supervisory regime differs.
- Article 4 routes obligations to sector-specific Union legal acts where their requirements are at least equivalent. For financial entities identified as essential or important under the national rules transposing NIS2 Article 3, DORA is considered such an act (DORA Article 1(2)) on the matters DORA covers.
- Article 26 allocates jurisdiction across Member States. By default, the entity is under the jurisdiction of the Member State where it is established, with three exceptions:
- Article 26(1)(a): public electronic communications networks/services — where the services are provided;
- Article 26(1)(b): the digital entity-type list — where the main establishment in the Union is (Article 26(2) cascade), with Article 26(3) requiring an EU representative for non-EU providers;
- Article 26(1)(c): public administration entities — the Member State which established them.
- Commission Implementing Regulation (EU) 2024/2690 layers sub-sectoral technical specification on top of Article 21 for specific digital-infrastructure entity types and trust service providers.
Primary source
Directive (EU) 2022/2555 on EUR-Lex (CELEX 32022L2555) — Articles 2, 3, 4, 26, plus Annex I high-criticality sectors and Annex II other critical sectors · Commission Implementing Regulation (EU) 2024/2690 · Commission Recommendation 2003/361/EC (SME definition)
Scope decision flow at a glance
The Article 2–4 scope test runs as a sequence of gates. The flow below is indicative orientation — the sections that follow walk through each gate against the OJ text, and the binding test sits in each Member State's transposing law.
NIS2 · ARTICLES 2–4
Scope decision flow — is the entity in scope?
Gate 1 · Art 2(1) — entity type
Is the organisation of a type referred to in Annex I (high-criticality sectors) or Annex II (other critical sectors)?
No → Annex route closed. Standalone routes remain: CER critical entities (Art 2(3)), domain-name registration service providers (Art 2(4)), and national-law extensions to local public administration and education (Art 2(5)).
Yes ↓
Gate 2 · Art 2(1) — Union nexus
Does it provide its services or carry out its activities within the Union?
No → Out of NIS2 scope.
Yes ↓
Gate 3 · Art 2(1)–(3) — size, or a regardless-of-size route
Is it medium-sized or larger under Recommendation 2003/361/EC — or does an Article 2(2)–(3) regardless-of-size route apply?
Art 2(2)(a): public e-communications providers, trust service providers, TLD name registries, DNS service providers. Art 2(2)(b)–(e): cases requiring Member-State identification. Art 2(2)(f): central-government entities, and regional entities whose service disruption could significantly impact critical societal or economic activities (risk-based assessment). Art 2(3): CER critical entities — regardless of size, and essential per Art 3(1)(f).
No to both → Out of NIS2 scope — unless the national transposition extends further.
Yes ↓
Gate 4 · Art 2(7)–(9) — carve-outs
Is it a public administration entity active in national security, public security, defence or law enforcement (Art 2(7)) — or has the Member State exempted it under Art 2(8) (entities, public or private, active in those areas or serving Art 2(7) bodies exclusively)?
Neither carve-out is available where the entity acts as a trust service provider (Art 2(9)).
Yes → Art 2(7): outside the Directive. Art 2(8): exempt from Arts 21 / 23 (and Ch VII) for those activities only — otherwise still in scope and classified; verify under national law.
No ↓ — in scope; classify
Essential entity · Art 3(1)
Large Annex I entities; qualified trust service providers, TLD registries, DNS providers; further Art 3(1)(c)–(g) cases
Art 32 supervision — ex ante and ex post
Important entity · Art 3(2)
The remaining in-scope Annex I and Annex II entities not classified as essential
Art 33 supervision — ex post
Financial entity in DORA's scope? Under NIS2 Article 4 and DORA Article 1(2), DORA applies as the sector-specific Union legal act on the matters it covers; the relevant NIS2 provisions do not apply to those entities. Entities a Member State has exempted from DORA under its Art 2(4) fall outside NIS2 entirely (Art 2(10)).
Indicative orientation only — not legal advice. Member-State identification under Art 2(2)(b)–(e), Art 2(8) exemptions, and the binding scope test are matters of each Member State's transposing law. Verify the outcome against the national transposition.
The Article 2 scope test
Article 2(1) sets the baseline scope test: the Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union. The Union-nexus condition is part of the scope test itself — it is what brings non-EU providers serving the EU within scope. NIS2 Article 2(1) also disapplies Article 3(4) of that Annex (the rule that an enterprise is not an SME where 25% or more of its capital or voting rights are controlled by one or more public bodies) — so public control does not by itself push an entity over the size cap.
The Recommendation 2003/361/EC SME definition uses a staff-headcount limb plus a financial limb (turnover or balance-sheet total), and the limbs combine rather than substitute. The practical outcome under Article 2(1) is that an Annex I or Annex II entity providing services or carrying out activities in the Union is in scope when it qualifies as a medium-sized enterprise under Recommendation 2003/361/EC, or when its staff headcount or financial figures exceed the medium-sized-enterprise ceilings — i.e. the entity is not a small or micro enterprise as the Recommendation defines them. Applying the Recommendation is fact-specific and should be verified against each Member State's transposition.
That is the default. The further rules in Article 2(2)–(7) extend or carve out scope in specific cases:
- Article 2(2)(a) — providers of public electronic communications networks, providers of publicly available electronic communications services, trust service providers, top-level-domain name registries, and DNS service providers, regardless of size.
- Article 2(2)(b) — sole providers in a Member State of a service essential for the maintenance of critical societal or economic activities.
- Article 2(2)(c) — entities whose service disruption could have a significant impact on public safety, security or public health.
- Article 2(2)(d) — entities the disruption of which could induce significant systemic risk, in particular for sectors where such disruption could have a cross-border impact.
- Article 2(2)(e) — entities critical because of their specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.
- Article 2(2)(f) — public administration entities of central government as defined by a Member State in accordance with national law (point (f)(i)), and public administration entities at regional level as so defined that, following a risk-based assessment, provide services whose disruption could have a significant impact on critical societal or economic activities (point (f)(ii)).
- Article 2(3) — entities identified as critical entities under Directive (EU) 2022/2557 (CER), in respect of their cybersecurity obligations.
- Article 2(4) — entities providing domain-name registration services.
- Article 2(5) — Member States may decide that NIS2 applies to local public administration entities and educational establishments (in particular where they carry out critical research activities).
Article 2(7) — public administration scope exclusion. Article 2(7) excludes public administration entities carrying out their activities in the areas of national security, public security, defence or law enforcement (including the prevention, investigation, detection and prosecution of criminal offences). The carve-out is for the public-administration entities engaged in those specific activities, not a general exclusion for any entity touching national security topics.
Article 2(8) — exemption option. Article 2(8) allows Member States to exempt specific entities from the obligations laid down in Article 21 or 23 — with regard to the relevant activities or services — where the entities carry out activities in those same areas or provide services exclusively to the public administration entities referred to in Article 2(7). For entities operating exclusively in that mode, Member States may also exempt them from the Article 3 identification and Article 27 registry duties.
Article 2(9) — trust-service backstop. Paragraphs (7) and (8) do not apply where the entity acts as a trust service provider — a trust service provider cannot be carved out on national-security grounds.
Essential vs important — Article 3
Article 3 classifies in-scope entities into two cohorts.
Article 3(1) — essential entities. This list runs from (a) to (g):
- Article 3(1)(a) — entities of an Annex I type that exceed the ceilings for medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC;
- Article 3(1)(b) — qualified trust service providers, top-level-domain name registries and DNS service providers, regardless of size;
- Article 3(1)(c) — medium-sized enterprises providing public electronic communications networks or publicly available electronic communications services;
- Article 3(1)(d) — the central-government public administration entities referred to in Article 2(2), point (f)(i) (regional-level entities under point (f)(ii) are important entities unless separately identified);
- Article 3(1)(e) — entities the Member State has identified as essential under Article 2(2)(b), (c), (d) or (e);
- Article 3(1)(f) — entities identified as critical entities under Directive (EU) 2022/2557 (CER);
- Article 3(1)(g) — a Member State option allowing entities the Member State identified before 16 January 2023 as operators of essential services in accordance with the original NIS Directive (Directive (EU) 2016/1148) or national law to be treated as essential entities under NIS2 (transitional rule).
Article 3(2) — important entities. Entities of an Annex I or Annex II type that do not qualify as essential under Article 3(1). This covers the Annex I and Annex II entities that meet the Article 2 scope test but fall outside Article 3(1)(a)–(g).
Both essential and important entities are subject to the same Article 21 cybersecurity measures and Article 23 reporting obligations. The supervisory regime is what differs: essential entities face the comprehensive Article 32 regime (ex ante and ex post); important entities face Article 33 supervision (ex post only, triggered by evidence, indication or information of alleged non-compliance).
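The size limb of the Article 2(1) gate and the Article 3(1)(a) / 3(2) classification that follows from it, as an added worked example in Python (not code from the original page or from Modulos). The ceilings are the Article 2 figures of the Annex to Recommendation 2003/361/EC (fewer than 250 staff with turnover not exceeding EUR 50 million or balance-sheet total not exceeding EUR 43 million for medium-sized; 50 / EUR 10 million / EUR 10 million for small; 10 / EUR 2 million / EUR 2 million for micro). The example assumes a standalone (autonomous) enterprise, so it does not apply the Recommendation's partner and linked-enterprise aggregation or its rule on taking figures from the latest approved accounts, it makes no public-ownership check because Article 2(1) disapplies Article 3(4) of that Annex, and it models none of the Article 3(1)(b)–(g) limbs, which depend on entity type or Member State identification. The sample figures are constructed.

```python
"""Added example: Recommendation 2003/361/EC size test as used by NIS2
Article 2(1), plus the Article 3(1)(a) / 3(2) default classification.
Assumes a standalone enterprise; partner/linked aggregation is not applied.
"""
from dataclasses import dataclass
from enum import Enum


class SizeClass(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "exceeds medium-sized ceilings"


@dataclass(frozen=True)
class EnterpriseFigures:
    headcount: float          # annual work units
    turnover_eur: float       # annual turnover, EUR
    balance_sheet_eur: float  # annual balance-sheet total, EUR


# Article 2 of the Annex to Recommendation 2003/361/EC:
# (headcount ceiling, turnover ceiling, balance-sheet ceiling)
_CEILINGS = {
    SizeClass.MICRO: (10, 2_000_000, 2_000_000),
    SizeClass.SMALL: (50, 10_000_000, 10_000_000),
    SizeClass.MEDIUM: (250, 50_000_000, 43_000_000),
}


def _within(f: EnterpriseFigures, size: SizeClass) -> bool:
    staff, turnover, balance = _CEILINGS[size]
    # The headcount limb is mandatory; the financial limb is met by EITHER
    # turnover OR balance-sheet total ("and/or" in the Recommendation).
    return f.headcount < staff and (
        f.turnover_eur <= turnover or f.balance_sheet_eur <= balance
    )


def size_class(f: EnterpriseFigures) -> SizeClass:
    # Categories nest, so test the smallest first.
    for size in (SizeClass.MICRO, SizeClass.SMALL, SizeClass.MEDIUM):
        if _within(f, size):
            return size
    return SizeClass.LARGE


def in_scope_by_size(f: EnterpriseFigures) -> bool:
    """NIS2 Art 2(1) size limb: medium-sized, or exceeding the medium ceilings.
    No Art 3(4) public-ownership test: Art 2(1) disapplies it."""
    return size_class(f) in (SizeClass.MEDIUM, SizeClass.LARGE)


def classify_annex_entity(f: EnterpriseFigures, annex: str):
    """Default classification for an entity reached via the Annex route.

    annex is "I" or "II". Returns "essential" (Art 3(1)(a)), "important"
    (Art 3(2)), or None when the size gate is not passed. Art 3(1)(b)-(g)
    are deliberately not modelled.
    """
    if not in_scope_by_size(f):
        return None
    if annex == "I" and size_class(f) is SizeClass.LARGE:
        return "essential"
    return "important"


if __name__ == "__main__":
    # Constructed figures, not real entities.
    cases = [
        ("40 staff, EUR 60m / EUR 60m, Annex I", EnterpriseFigures(40, 60e6, 60e6), "I"),
        ("45 staff, EUR 9m / EUR 20m, Annex I", EnterpriseFigures(45, 9e6, 20e6), "I"),
        ("120 staff, EUR 30m / EUR 50m, Annex I", EnterpriseFigures(120, 30e6, 50e6), "I"),
        ("300 staff, EUR 5m / EUR 5m, Annex II", EnterpriseFigures(300, 5e6, 5e6), "II"),
    ]
    for label, fig, annex in cases:
        print(f"{label}: {size_class(fig).value} -> {classify_annex_entity(fig, annex)}")
```

The first constructed case is the one the "limbs combine rather than substitute" sentence warns about: 40 staff sits under the small-enterprise headcount ceiling, but failing both financial ceilings means the enterprise exceeds the medium-sized ceilings altogether, so it passes the Article 2(1) gate and, as an Annex I entity, lands in Article 3(1)(a).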
Sector-specific Union legal acts — Article 4
Article 4 provides the routing mechanism for cases where another Union legal act in a specific sector establishes equivalent cybersecurity obligations. Where such an act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and the requirements in that act are at least equivalent in effect to the obligations in NIS2, then under Article 4(1) the relevant provisions of NIS2 — including the supervision and enforcement provisions of Chapter VII — do not apply to those entities. The sector-specific act applies of its own force (recital 23 glosses this as the sector act's provisions, including on supervision and enforcement, applying instead).
The most important application of Article 4 is the financial sector. Under Article 1(2) of DORA (Regulation (EU) 2022/2554), DORA is considered a sector-specific Union legal act for the purposes of NIS2 Article 4, on the matters DORA covers (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk). For a financial entity that would otherwise fall within the scope of national NIS2 transposition, DORA's specialised provisions therefore apply on those matters, with NIS2 obligations remaining relevant for areas DORA does not cover or where the national transposition extends further.
Practical implication: an Article 4 scope memo should record (a) which sector-specific Union legal act is invoked, (b) which NIS2 obligations the act covers, (c) which remain governed by NIS2, and (d) which supervisory authority is competent for each.
Jurisdiction — Article 26
Article 26 allocates jurisdiction across Member States for entities that are in NIS2 scope. The default jurisdictional rule is the Member State in which the entity is established; Article 26(1) then carries three specific exceptions, and Article 26(2)–(3) adds the main-establishment cascade and the non-EU representative rule:
- Article 26(1)(a) — public electronic communications networks and services. Providers of public electronic communications networks or publicly available electronic communications services are under the jurisdiction of the Member State in which they provide their services.
- Article 26(1)(b) — digital entity-type rule. For entities of the following types — DNS service providers; TLD name registries; entities providing domain-name registration services; cloud computing service providers; data centre service providers; content delivery network providers; managed service providers; managed security service providers; providers of online marketplaces, of online search engines, and of social-networking services platforms — jurisdiction follows the Member State where the entity has its main establishment in the Union.
- Article 26(1)(c) — public administration entities. These are under the jurisdiction of the Member State which established them.
- Article 26(2) — the main-establishment cascade. The main establishment is the Member State where decisions related to the cybersecurity risk-management measures are predominantly taken; if that cannot be determined (or the decisions are not taken in the Union), the Member State where cybersecurity operations are carried out; failing that, the Member State of the establishment with the highest number of employees in the Union.
- Article 26(3) — non-EU entities. Where an entity of a type referred to in Article 26(1)(b) is not established in the Union but offers services in the Union, it shall designate a representative in one of the Member States in which the services are offered, and is deemed to be under the jurisdiction of the Member State in which the representative is established.
Article 27 then sets the ENISA registry duties for the Article 26(1)(b) entity types; entities are required to submit identification and contact information to be included in a Union-level registry maintained by ENISA.
Implementing Regulation (EU) 2024/2690 — sub-sectoral specification
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 layers technical and methodological specification on top of Article 21(2) and Article 23 for specific entity types. Its Article 1 identifies the entity types covered, which include:
- DNS service providers and top-level-domain name registries;
- cloud computing service providers, data centre service providers, content delivery network providers;
- managed service providers and managed security service providers;
- providers of online marketplaces, of online search engines, and of social-networking services platforms;
- trust service providers.
The Regulation specifies the technical and methodological requirements for the Article 21(2) measures as they apply to these entity types, and further specifies the cases in which an incident is considered significant for those entities for the purposes of Article 23 reporting. The Regulation refers to the covered entity types as "relevant entities"; entities falling outside the Article 1 list of 2024/2690 still apply Article 21(2) directly under the national transposing law, without that sub-sectoral specification overlay.
Two structural features of the Implementing Regulation matter for implementation:
- Its Annex contains the detailed technical and methodological requirements, organised in numbered points that track the Article 21(2) measure categories (from the policy on the security of network and information systems at point 1 and the risk-management policy at point 2 through to environmental and physical security at point 13).
- Where the Annex provides that a requirement shall be applied "where appropriate", "where applicable" or "to the extent feasible", and the relevant entity considers it not appropriate, not applicable or not feasible to apply, Article 2(2) of the Regulation requires the entity to document its reasoning to that effect in a comprehensible manner. A bare "not applicable" disposition without recorded reasoning does not satisfy the Regulation.
How to operationalize NIS2 scope in Modulos
Modulos handles NIS2 scope through explicit, auditable applicability decisions rather than questionnaire-driven auto-descoping. The relevant surfaces:
- Requirements — scope-determining obligations are recorded on the OFF-15 (NIS2 org) framework template:
  - ORF-333 — NIS2 scope and entity classification (Articles 2, 3)
  - ORF-334 — Entity-listing data submission and update duty (Article 3(4); Article 3(3) sets the list it feeds)
  - ORF-335 — Sector-specific Union legal act equivalence and residual duty assessment (Article 4)
  - ORF-355 — Article 26 territoriality and EU representative analysis
  - ORF-356 — Article 27 ENISA registry entity
  - ORF-349 — Implementing Regulation 2024/2690 applicability governance
- Controls — implemented scoping work (sector mapping memo, size-test record, Article 4 equivalence memo, Implementing Regulation 2024/2690 applicability memo) is documented as named controls and mapped to the relevant requirements.
- Evidence — supporting records (sector qualification rationale, size-threshold record, Article 3 entity-listing log, Article 4 equivalence legal analysis, 2024/2690 applicability memo) are recorded once and linked to multiple controls.
- Readiness + fulfilment attestation — when controls mapped to a scoping requirement are in a final state, the requirement becomes ready for review and the requirement owner attests fulfilment for the project scope.
- NIS2 Scope tags — `NIS2 Scope` tags are manual filtering aids, not automatic descoping logic. Use them to isolate conditional-applicability requirements that need an explicit scoping decision, then record the decision through the requirement's fulfilment attestation.
- NIS2 Basis tags — alongside the scope tags, every requirement carries `NIS2 Basis` tags identifying its legal basis: `Directive Art 21 (all entities)` for duties binding every in-scope essential and important entity, `Impl. Reg. 2024/2690 (relevant entities only)` for the technical detail binding only the Article 1 relevant entities, and dedicated values for the Article 20 governance, Articles 2–4 scope, Article 23 reporting, Articles 26–28 registration, Articles 29–30 information-sharing, and Articles 32–33 supervision duty families. A requirement that layers both bases carries both tags — the Applicability section in the requirement text states which limb binds which cohort.
Tagged requirements with conditional applicability:
| Requirement | When it matters | NIS2 Scope tag |
|---|---|---|
| ORF-335 | Sector-specific Union legal acts may provide equivalent obligations | Article 4 Equivalent Union Act |
| ORF-349 | Entity type is covered by Implementing Regulation 2024/2690 | 2024/2690 Covered Entity |
| ORF-355 | Article 26 territoriality / EU representative analysis is required | Article 26 Cross-Border Entity |
| ORF-356 | Organization is one of the Article 27 ENISA registry entities | Article 27 Registry Entity |
| ORF-357 | Organization acts as a TLD registry or domain-registration service provider | Article 28 Domain or TLD Entity |
| ORF-358 | Organization participates in an Article 29 information-sharing arrangement | Article 29 Information-Sharing Participant |
| ORF-359 | Organization maintains or uses an Article 30 voluntary-notification path | Article 30 Voluntary Notifier |
| MRF-291 | AI service supports a 2024/2690 covered entity type | 2024/2690 Covered Entity |
| MRF-292 | AI service supports the trust-service 24-hour derogation path | Trust Service 24-Hour Derogation |
Cross-framework mapping (preview)
| NIS2 scope area | DORA (Regulation (EU) 2022/2554) | EU AI Act (Regulation (EU) 2024/1689) |
|---|---|---|
| Article 2 entity scope | Article 2 financial entity scope (specific entity-type list rather than size-cap rule) | Article 2 scope (provider / deployer / importer / distributor; AI system classification) |
| Article 3 essential vs important | DORA does not use the essential / important split | Risk-class split (prohibited / high-risk / GPAI / limited transparency) |
| Article 4 sector-specific Union legal acts | Under DORA Article 1(2), DORA is considered a sector-specific Union legal act for NIS2 Article 4 purposes | Article 2(3)–(12) interplay with other Union acts |
| Article 26 jurisdiction | DORA does not depend on the Article 26 mechanism — DORA scope attaches to the authorised entity types listed in its Article 2(1) | EU AI Act Article 2 + Article 25 value-chain responsibility |
For the pairwise treatment see NIS2 vs DORA; for the full hub see framework comparison.
Related pages
- NIS2 overview — framework structure, key dates, OFF-15 / MFF-15 split
- Cybersecurity measures (Article 21) — the ten Article 21(2) categories, implementation, and Modulos requirement mapping
- Incident reporting (Article 23) — significance test, staged timelines, trust-service derogation
- Operationalizing in Modulos — practical rollout sequence for OFF-15 and MFF-15
- NIS2 vs DORA — where each applies, sector-specific Union legal act interaction, incident-reporting coordination
Source attribution
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. Annex I (high-criticality sectors) and Annex II (other critical sectors) form part of the published Directive. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 is published in OJ L 2024/2690 of 18.10.2024. Commission Recommendation 2003/361/EC on the definition of micro, small and medium-sized enterprises is published in OJ L 124, 20.5.2003, pp. 36–41.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. NIS2 takes effect in each Member State through national transposing law; in particular, Member State identification under Article 2(2)(b)–(e) and the use of the Article 4 sector-specific Union legal act routing mechanism are matters of national law. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.