Essential vs important sectors in NIS2: what changes

Concrete differences between essential and important entities: controls, maximum fines, audit frequency. Examples for each category.

TL;DR

NIS2 distinguishes essential entities (Annex I) from important entities (Annex II). Essential ones face proactive supervision and higher fines; important ones face reactive supervision and lower fines. The required technical measures, however, are identical.

Practical differences

| Aspect | Essential | Important |
|---|---|---|
| Maximum fine | €10M or 2% revenue | €7M or 1.4% revenue |
| Supervision type | Proactive (preventive checks) | Reactive (post-incident) |
| Technical measures | Article 21 (10 points) | Article 21 (10 points) |
| Incident notification | 24h, 72h, 1 month | 24h, 72h, 1 month |
| Audit frequency | Annual possible | Only on report |

Measures are the same. The difference is how the authority supervises.

Examples of essential sectors

  • Energy: producers, distributors, network operators.
  • Transport: rail, air, maritime above threshold.
  • Banking and financial infrastructure.
  • Healthcare: hospitals, public health authorities, critical labs.
  • Drinking water and wastewater (operators above threshold).
  • Digital infrastructure: large cloud providers, IXPs, TLD registries, certificate authorities.
  • ICT service management: B2B critical service providers.
  • Public administration (as defined by the Decree).

Examples of important sectors

  • Postal and courier services.
  • Waste management.
  • Manufacturing of specific products (chemicals, medical devices, automotive).
  • Digital services: online marketplaces, search engines, social networks.
  • Research providers.

The trap: "hybrid" sectors

Some companies are in both roles:

  • a large hospital is essential; its ICT vendor is generally important, yet essential in its role as a critical supplier;
  • a cloud provider is essential, and its customers may fall under important.

Always check your role in the supply chain.

What changes operationally

  • Essential entities must prepare for scheduled inspections: documentation always ready, evidence filed.
  • Important entities can afford a "reactive" approach, but documentation must exist if an incident occurs.

In practice: same technical measures, different drill frequency and documentation rigour.

FAQ

Can I "choose" to be important instead of essential?

No. It is determined by sector and size, not by entity choice.

If I am important, can I do less?

Technically yes, but the cost difference is small compared with the risk. Align to the essential level.

Do additional sanctions (suspension) apply to both?

Yes, but in practice they are applied more often to essential entities because of systemic risk.


For technical measures, see "NIS2 minimum technical measures". For applicability, see "Who is subject to NIS2".
