Scope and applicability — NIS2 Articles 2, 3, 4, 26
NIS2 scope rests on layered tests in different Articles: Article 2 sets who falls within the Directive's scope, Article 3 classifies in-scope entities as essential or important, Article 4 routes specific obligations to sector-specific Union legal acts where they are equivalent, and Article 26 then allocates jurisdiction across Member States for the in-scope entity. This page walks through each layer and then explains how scope decisions land in Modulos.
Quick decision
- Annex I / Annex II sector + medium-sized or larger → in scope under Article 2(1). Apply the Article 3 classification test to determine essential vs important status, then proceed to the cybersecurity measures and incident reporting spokes.
- Annex I / Annex II sector but below the size threshold → check Article 2(2)–(5). Several entity types are in scope regardless of size — Article 2(2)(a) covers providers of public electronic communications networks and services, trust service providers, top-level-domain name registries, and DNS service providers; Article 2(2)(b)–(e) covers sole-provider, public-safety / health impact, systemic risk, and specific-importance cases; Article 2(2)(f) covers central public administration entities and (at Member State option) certain regional public administration entities; Article 2(3) covers CER critical entities; Article 2(4) covers entities providing domain-name registration services.
- Financial entity identified as essential or important under national NIS2 transposition → apply DORA Article 1(2): DORA is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4 on matters DORA covers; the national NIS2 transposition still applies where DORA does not extend. See NIS2 vs DORA.
- Non-EU entity of an Article 26(1)(b) type offering services in the Union → Article 26(3) requires designation of a representative in one of the Member States in which the services are offered, and the entity is deemed under the jurisdiction of the Member State where the representative is established.
- In scope and a covered digital-infrastructure entity type → layer Commission Implementing Regulation (EU) 2024/2690 on top: it specifies technical and methodological requirements for Article 21(2) measures and significant-incident criteria for these entity types.
TL;DR
- Article 2 sets the in-scope universe: Annex I or Annex II entity type that qualifies as medium-sized under Commission Recommendation 2003/361/EC or exceeds its medium-sized-enterprise ceilings, with regardless-of-size additions in Article 2(2)(a)–(f), CER critical entities pulled in by Article 2(3), domain-name registration service providers added by Article 2(4), Member State discretionary coverage in Article 2(5), a public-administration scope exclusion in Article 2(7), and a separate Member State exemption mechanism for Article 21 / 23 obligations in Article 2(8).
- Article 3 classifies in-scope entities as essential (Art 3(1)(a)–(g)) or important (Art 3(2)). Essential and important entities have the same Article 21 measure obligations and Article 23 reporting obligations; the supervisory regime differs.
- Article 4 routes obligations to sector-specific Union legal acts where their requirements are at least equivalent. For financial entities identified as essential or important under national NIS2 transposition, DORA is structured to operate as such an act on the matters DORA covers.
- Article 26 allocates jurisdiction across Member States: by default, where the entity is established; for Article 26(1)(a) public electronic communications networks/services, where services are provided; for the Article 26(1)(b) digital-infrastructure entity-type list, where the entity has its main establishment in the Union; with Article 26(3) requiring a representative for the Article 26(1)(b) types if not EU-established.
- Commission Implementing Regulation (EU) 2024/2690 layers sub-sectoral technical specification on top of Article 21 for specific digital-infrastructure entity types and trust service providers.
Primary source
Directive (EU) 2022/2555 on EUR-Lex (CELEX 32022L2555) — Articles 2, 3, 4, 26, plus Annex I high-criticality sectors and Annex II other critical sectors · Commission Implementing Regulation (EU) 2024/2690 · Commission Recommendation 2003/361/EC (SME definition)
The Article 2 scope test
Article 2(1) sets the baseline scope test: the Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises provided for in Article 2(1) of that Annex. NIS2 Article 2(1) also disapplies Article 3(4) of that Annex (the rule that treats an enterprise as not autonomous when ownership thresholds are met).
The Recommendation 2003/361/EC SME definition uses a staff-headcount limb plus a financial limb (turnover or balance-sheet total), and the limbs combine rather than substitute. The practical outcome under Article 2(1) is that an Annex I or Annex II entity is in scope when it qualifies as a medium-sized enterprise under Recommendation 2003/361/EC, or when its staff headcount or financial figures exceed the medium-sized-enterprise ceilings — i.e. the entity is not a small or micro enterprise as the Recommendation defines them. Applying the Recommendation is fact-specific and should be verified against each Member State's transposition.
That is the default. The further rules in Article 2(2)–(7) extend or carve out scope in specific cases:
- Article 2(2)(a) — providers of public electronic communications networks, providers of publicly available electronic communications services, trust service providers, top-level-domain name registries, and DNS service providers, regardless of size.
- Article 2(2)(b) — sole providers in a Member State of a service essential for the maintenance of critical societal or economic activities.
- Article 2(2)(c) — entities whose service disruption could have a significant impact on public safety, security or public health.
- Article 2(2)(d) — entities the disruption of which could induce significant systemic risk, in particular for sectors where such disruption could have a cross-border impact.
- Article 2(2)(e) — entities critical because of their specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.
- Article 2(2)(f) — public administration entities of central government (as defined by Member States in accordance with national law), and at Member State option, public administration entities at regional level.
- Article 2(3) — entities identified as critical entities under Directive (EU) 2022/2557 (CER), in respect of their cybersecurity obligations.
- Article 2(4) — entities providing domain-name registration services.
- Article 2(5) — Member States may decide that NIS2 applies to local public administration entities and educational establishments (in particular where they carry out critical research activities).
Article 2(7) — public administration scope exclusion. Article 2(7) excludes public administration entities carrying out their activities in the areas of national security, public security, defence or law enforcement (including investigation, detection and prosecution of criminal offences). The carve-out is for the public-administration entities engaged in those specific activities, not a general exclusion for any entity touching national security topics. Article 2(8) is a separate provision: it allows Member States to exempt specific essential or important entities (or specific services or activities of those entities) from the Article 21 and Article 23 obligations where the entities carry out activities in those same areas (national security, public security, defence, or law enforcement) or provide services exclusively to public administration entities referred to in Article 2(7).
Essential vs important — Article 3
Article 3 classifies in-scope entities into two cohorts.
Article 3(1) — essential entities. This list runs from (a) to (g):
- Article 3(1)(a) — entities of an Annex I type that exceed the ceilings for medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC;
- Article 3(1)(b) — qualified trust service providers, top-level-domain name registries and DNS service providers, regardless of size;
- Article 3(1)(c) — medium-sized enterprises providing public electronic communications networks or publicly available electronic communications services;
- Article 3(1)(d) — Annex I public administration entities (with specifics);
- Article 3(1)(e) — entities the Member State has identified as essential under Article 2(2)(b), (c), (d) or (e);
- Article 3(1)(f) — entities identified as critical entities under Directive (EU) 2022/2557 (CER);
- Article 3(1)(g) — a Member State option allowing entities the Member State identified before 16 January 2023 as operators of essential services under the original NIS Directive (Directive (EU) 2016/1148) to be treated as essential entities under NIS2 (transitional rule).
Article 3(2) — important entities. Entities of an Annex I or Annex II type that do not qualify as essential under Article 3(1). This covers the Annex I and Annex II entities that meet the Article 2 scope test but fall outside Article 3(1)(a)–(g).
Both essential and important entities are subject to the same Article 21 cybersecurity measures and Article 23 reporting obligations. The supervisory regime is what differs (Article 32 ex ante for essential; Article 33 ex post for important).
Sector-specific Union legal acts — Article 4
Article 4 provides the routing mechanism for cases where another Union legal act in a specific sector establishes equivalent cybersecurity obligations. Where such an act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and the requirements in that act are at least equivalent in effect to the obligations in NIS2, then the provisions of that sector-specific Union legal act apply — including its supervision and enforcement provisions.
The most important application of Article 4 is the financial sector. DORA (Regulation (EU) 2022/2554) Article 1(2) is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4, on the matters DORA covers (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk). For a financial entity that would otherwise fall within the scope of national NIS2 transposition, DORA's specialised provisions therefore apply on those matters, with NIS2 obligations remaining relevant for areas DORA does not cover or where the national transposition extends further.
Practical implication: an Article 4 scope memo should record (a) which sector-specific Union legal act is invoked, (b) which NIS2 obligations the act covers, (c) which remain governed by NIS2, and (d) which supervisory authority is competent for each.
Jurisdiction — Article 26
Article 26 allocates jurisdiction across Member States for entities that are in NIS2 scope. The default jurisdictional rule for most in-scope entities is the Member State of establishment in the Union; Article 26 then layers in two specific rules:
- Article 26(1)(a) — public electronic communications networks and services. Providers of public electronic communications networks or publicly available electronic communications services are under the jurisdiction of the Member State in which they provide their services.
- Article 26(1)(b) — digital-infrastructure entity-type rule. For entities of the following types — DNS service providers; TLD name registries; entities providing domain-name registration services; cloud computing service providers; data centre service providers; content delivery network providers; managed service providers; managed security service providers; providers of online marketplaces, of online search engines, and of social-networking services platforms — jurisdiction follows the Member State where the entity has its main establishment in the Union, with sub-paragraphs setting tie-breakers when there is no main establishment in the Union.
- Article 26(3) — non-EU entities. Where an entity of a type referred to in Article 26(1)(b) is not established in the Union but offers services in the Union, it shall designate a representative in one of the Member States in which the services are offered, and is deemed to be under the jurisdiction of the Member State in which the representative is established.
Article 27 then sets the ENISA registry duties for the Article 26(1)(b) digital-infrastructure entity types; entities are required to submit identification and contact information to be included in a Union-level registry maintained by ENISA.
Implementing Regulation (EU) 2024/2690 — sub-sectoral specification
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 layers technical and methodological specification on top of Article 21(2) and Article 23 for specific entity types. Its Article 1 identifies the entity types covered, which include:
- DNS service providers and top-level-domain name registries;
- cloud computing service providers, data centre service providers, content delivery network providers;
- managed service providers and managed security service providers;
- providers of online marketplaces, of online search engines, and of social-networking services platforms;
- trust service providers.
The Regulation specifies the technical and methodological requirements for the Article 21(2) measures as they apply to these entity types, and further specifies the cases in which an incident is considered significant for those entities for the purposes of Article 23 reporting. Entities falling outside the Article 1 list of 2024/2690 still apply Article 21(2) directly under the national transposing law, without that sub-sectoral specification overlay.
How to operationalize NIS2 scope in Modulos
Modulos handles NIS2 scope through explicit, auditable applicability decisions rather than questionnaire-driven auto-descoping. The relevant surfaces:
- Requirements — scope-determining obligations are recorded on the OFF-15 (NIS2 org) framework template:
  - ORF-333 — NIS2 scope and entity classification (Articles 2, 3)
  - ORF-334 — Entity-listing data submission and update duty (Article 3(4)–(5))
  - ORF-335 — Sector-specific Union legal act equivalence and residual duty assessment (Article 4)
  - ORF-355 — Article 26 territoriality and EU representative analysis
  - ORF-356 — Article 27 ENISA registry entity
  - ORF-349 — Implementing Regulation 2024/2690 applicability governance
- Controls — implemented scoping work (sector mapping memo, size-test record, Article 4 equivalence memo, Implementing Regulation 2024/2690 applicability memo) is documented as named controls and mapped to the relevant requirements.
- Evidence — supporting records (sector qualification rationale, size-threshold record, Article 3 entity-listing log, Article 4 equivalence legal analysis, 2024/2690 applicability memo) are recorded once and linked to multiple controls.
- Readiness + fulfilment attestation — when controls mapped to a scoping requirement are in a final state, the requirement becomes ready for review and the requirement owner attests fulfilment for the project scope.
- NIS2 Scope tags — NIS2 Scope tags are manual filtering aids, not automatic descoping logic. Use them to isolate conditional-applicability requirements that need an explicit scoping decision, then record the decision through the requirement's fulfilment attestation.
Tagged requirements with conditional applicability:
| Requirement | When it matters | NIS2 Scope tag |
|---|---|---|
| ORF-335 | Sector-specific Union legal acts may provide equivalent obligations | Article 4 Equivalent Union Act |
| ORF-349 | Entity type is covered by Implementing Regulation 2024/2690 | 2024/2690 Covered Entity |
| ORF-355 | Article 26 territoriality / EU representative analysis is required | Article 26 Cross-Border Entity |
| ORF-356 | Organization is one of the Article 27 ENISA registry entities | Article 27 Registry Entity |
| ORF-357 | Organization acts as a TLD registry or domain-registration service provider | Article 28 Domain or TLD Entity |
| ORF-358 | Organization participates in an Article 29 information-sharing arrangement | Article 29 Information-Sharing Participant |
| ORF-359 | Organization maintains or uses an Article 30 voluntary-notification path | Article 30 Voluntary Notifier |
| MRF-291 | AI service supports a 2024/2690 covered entity type | 2024/2690 Covered Entity |
| MRF-292 | AI service supports the trust-service 24-hour derogation path | Trust Service 24-Hour Derogation |
Cross-framework mapping (preview)
| NIS2 scope area | DORA (Regulation (EU) 2022/2554) | EU AI Act (Regulation (EU) 2024/1689) |
|---|---|---|
| Article 2 entity scope | Article 2 financial entity scope (specific entity-type list rather than size-cap rule) | Article 2 scope (provider / deployer / importer / distributor; AI system classification) |
| Article 3 essential vs important | DORA does not use the essential / important split | Risk-class split (prohibited / high-risk / GPAI / limited transparency) |
| Article 4 sector-specific Union legal acts | DORA Article 1(2) operates as a sector-specific Union legal act for NIS2 Article 4 purposes | Article 1(2)–(3) interactions with other Union acts |
| Article 26 jurisdiction | DORA does not depend on the Article 26 mechanism — financial entities are covered by their financial-services licence | EU AI Act Article 2 + Article 25 value-chain responsibility |
For the pairwise treatment see NIS2 vs DORA; for the full hub see framework comparison.
Related pages
- NIS2 overview — Framework structure, key dates, OFF-15 / MFF-15 split
- Cybersecurity measures (Article 21) — The ten Article 21(2) categories, implementation, and Modulos requirement mapping
- Incident reporting (Article 23) — Significance test, staged timelines, trust-service derogation
- Operationalizing in Modulos — Practical rollout sequence for OFF-15 and MFF-15
- NIS2 vs DORA — Where each applies, sector-specific Union legal act interaction, incident-reporting coordination
Source attribution
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. Annex I (high-criticality sectors) and Annex II (other critical sectors) form part of the published Directive. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 is published in OJ L 2024/2690 of 18.10.2024. Commission Recommendation 2003/361/EC on the definition of micro, small and medium-sized enterprises is published in OJ L 124, 20.5.2003, pp. 36–41.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. NIS2 takes effect in each Member State through national transposing law; in particular, Member State identification under Article 2(2)(b)–(e) and the use of the Article 4 sector-specific Union legal act routing mechanism are matters of national law. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.