
NIS2 sectors

In this article, you can read what the NIS2 sectors are, who must comply with NIS2, what the main NIS2 requirements are, and how NIS2 improves cybersecurity.

What are the NIS2 sectors?

The NIS2 sectors are the specific industries and domains that fall under the scope of the NIS2 directive. These sectors have been identified as critical to the functioning of society and the economy, making them a priority for enhanced cybersecurity measures.

The NIS2 directive expands on its predecessor by including a broader range of NIS2 industries and fields, ensuring that both public and private organizations operating in these areas are better protected against cyber threats. Understanding which NIS2 categories are covered is essential for organizations to determine their obligations and prepare for compliance.

Infographic of sectors in NIS2 directive

Critical sectors under NIS2

NIS2 sectors are divided into two main groups: sectors of high criticality and other critical sectors. Sectors of high criticality include areas such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, ICT service management, wastewater, public administration, and space activities.

These NIS2 domains are considered vital because disruptions here could have far-reaching consequences for society or the economy. Each sector has unique characteristics and risk profiles, but all share the need for robust cybersecurity measures to ensure continuity and safety.

Expansion of NIS2 industries compared to NIS1

One of the most significant changes introduced by the NIS2 directive is the expansion of covered industries. While the original NIS directive focused on a narrower set of essential services, NIS2 brings additional NIS2 fields into scope.

This includes digital providers, postal and courier services, waste management, chemical manufacturing and distribution, food production and processing, research, and general manufacturing. By broadening the list of NIS2 categories, the directive acknowledges the interconnectedness of modern economies and the importance of securing a wider range of critical infrastructure.

Who must comply with NIS2?

The NIS2 directive sets out clear rules on which organisations must comply with its cybersecurity standards. If your organisation operates in one of the designated NIS2 sectors and meets certain size or importance criteria, you are likely required to follow the directive.

This applies to both public and private entities across a wide range of NIS2 industries. The goal is to ensure that essential services and critical infrastructure within the EU are protected from cyber threats, and many organisations start by aligning with an information security policy to formalise responsibilities and controls.

Criteria for inclusion under NIS2

Not every business in the EU falls under the scope of NIS2. The directive specifically targets organisations that play a significant role in society or the economy.

To determine if your company must comply, you need to look at two main factors: the sector you operate in and the size of your organisation. NIS2 domains include both sectors of high criticality and other critical sectors, as outlined in Annex I and Annex II of the directive.

If your business is medium-sized or larger, or if it provides services deemed essential to the functioning of society, you are likely within the scope. Micro and small enterprises are generally excluded unless they offer services that are particularly vital, such as trust services or domain name registration.

Essential versus important entities

NIS2 introduces two main categories for compliance: essential entities and important entities. Essential entities are typically large organisations in high-impact NIS2 fields like energy, healthcare, or digital infrastructure.

Important entities are usually medium-sized businesses in both critical and less critical NIS2 areas, such as postal services or food production. The distinction matters because the level of regulatory scrutiny and potential penalties differ between these groups.

Essential entities face stricter oversight and higher fines for non-compliance, while important entities have slightly less stringent requirements but are still held to robust cybersecurity standards.

Automatic coverage for specific organisations

Some organisations are automatically covered by NIS2, regardless of their size. This includes trust service providers, top-level domain registries, and providers of public electronic communication networks.

These NIS2 categories are considered so crucial to the functioning of the digital economy that even micro or small businesses in these sectors must comply. Additionally, government organisations operating within the listed NIS2 industries are always included.

In some cases, national authorities can designate other small companies as critical if their services are vital to the economy or society, ensuring that no essential function is left unprotected.

Cross-border and multinational considerations

If your organisation operates in multiple EU countries or provides services across borders, you need to pay special attention to NIS2 compliance. Multinational companies must assess their status in each Member State where they have operations, as local legislation may vary in how it implements the directive.

Even organisations based outside the EU but offering critical services within the EU can fall under NIS2 obligations. This cross-border approach ensures that the security of NIS2 domains is maintained consistently throughout the union, preventing weak links in the chain of essential services.

Implications of non-compliance

Failing to comply with NIS2 requirements can have serious consequences. Both essential and important entities risk facing substantial financial penalties, with fines reaching up to millions of euros or a percentage of global turnover, whichever is higher.

Beyond monetary sanctions, non-compliance can damage an organisation’s reputation and disrupt its operations. Since NIS2 aims to protect critical infrastructure, any lapse in compliance could also pose risks to wider society.

Therefore, understanding whether your organisation falls within the NIS2 directive’s scope is not just a legal necessity but a fundamental part of responsible business practice in today’s interconnected world.

NIS2 requirements explained

The NIS2 directive introduces a comprehensive set of requirements for organisations operating in critical sectors across the EU. These requirements are designed to strengthen cybersecurity resilience and ensure that network and information systems are better protected against evolving threats.

The directive sets out clear obligations for entities within NIS2 industries, spanning governance, risk management, incident reporting, and supply chain security. By establishing a unified legal framework, NIS2 aims to create consistency in how organisations approach cybersecurity, regardless of their specific NIS2 domains or fields.

Below, we explore the core elements of these requirements and how they apply across different NIS2 categories.

Governance and accountability

A central pillar of the NIS2 requirements is the emphasis on governance and accountability within organisations. Entities covered by the directive must define clear roles and responsibilities for cybersecurity at every level of the organisation.

This includes appointing individuals or teams who are directly accountable for implementing and overseeing cybersecurity measures. The goal is to ensure that decision-making around security is not left to chance but is embedded in the organisational structure.

For NIS2 areas such as healthcare, energy, and digital infrastructure, this means that board-level executives may be held personally liable for failures to comply with the directive. Regular training and awareness programs are also mandated to keep staff informed about current threats and best practices.

This focus on governance ensures that cybersecurity is treated as a strategic priority, not just an IT issue.

Risk management and technical controls

NIS2 places significant emphasis on proactive risk management and the implementation of robust technical controls. Organisations must conduct regular assessments to identify vulnerabilities within their network and information systems.

Based on these assessments, they are required to implement appropriate security measures tailored to the risks identified in their specific NIS2 domains. These measures can include access controls, encryption, secure system configurations, and monitoring tools to detect suspicious activity.

The directive recognises that each sector faces unique challenges, so flexibility is built into the requirements to allow for sector-specific adaptations. For example, what constitutes adequate protection in the banking sector may differ from what is needed in public administration or space activities.

The overarching principle is that all NIS2 industries must demonstrate a continuous commitment to improving their cybersecurity posture.

Incident detection and reporting obligations

Timely detection and reporting of security incidents are core components of the NIS2 requirements. Organisations must establish processes to monitor their systems for potential breaches or disruptions.

When an incident occurs, there are strict timelines for notifying relevant national authorities and, where applicable, affected stakeholders. The directive specifies that initial notification should happen without undue delay, often within 24 hours of becoming aware of the incident.

This rapid reporting enables authorities to coordinate responses and mitigate wider impacts across NIS2 categories. In addition to immediate notification, organisations are expected to provide follow-up reports detailing the nature of the incident, its impact, and the steps taken to resolve it.

These obligations apply equally across all NIS2 fields, reinforcing the importance of transparency and collaboration in the face of cyber threats.

Supply chain security and third-party risk

Another key aspect of the NIS2 requirements is the focus on securing the supply chain and managing third-party risks. Organisations must assess and address vulnerabilities not only within their own operations but also among suppliers and service providers who have access to critical systems or data.

This is particularly relevant for NIS2 industries that rely heavily on outsourced IT services, cloud providers, or interconnected networks. The directive encourages entities to establish clear contractual requirements for cybersecurity with their partners and to regularly review compliance.

Supply chain security extends to ensuring that products and services used within NIS2 domains meet recognised standards and certifications. By taking a holistic approach to third-party risk, the directive aims to prevent weak links that could compromise the security of entire sectors or even cross-sector NIS2 areas.
