Back to knowledge base

Do I fall under NIS2? How to determine whether your organisation is an essential or important entity

Published on July 11, 2026

On 15 August 2026 the Dutch Cybersecurity Act enters into force, the Dutch implementation of NIS2. More than 8,000 organisations fall under it, and a fair share of them do not know it yet. At the same time, there are organisations worrying unnecessarily, or that have been told by a salesperson that they are "NIS2-obligated" when that is far from established.

For most organisations, the question "am I in scope?" can be answered in ten minutes. This article walks through the criteria in the order in which you can tick them off yourself.

Step 1: is your main activity in one of the 18 sectors?

The act works with two sector lists, taken from the European NIS2 directive.

Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure (including data centres, cloud and DNS), ICT service management (B2B, such as managed service providers), public administration and space.

Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing of among others medical devices, electronics, machinery and vehicles, digital providers (online marketplaces, search engines, social networks) and research.

Note the wording "main activity". A software company that happens to have a hospital as a customer is not thereby in the health sector. But a managed service provider falls directly under Annex I as an ICT service manager, something many SME IT providers have not yet fully realised.

Step 2: do you meet the size threshold?

Within those sectors, the act in principle applies to medium-sized and large organisations:

SizeCriteriaPosition
Large250 or more employees, or more than 50 million euros turnoverEssential entity (in Annex I sectors)
Medium50 to 250 employees, or 10 to 50 million euros turnoverImportant entity
Small and microFewer than 50 employees and less than 10 million euros turnoverOutside the act, barring exceptions

Rule of thumb: large organisations in the high-criticality sectors are essential; the remaining organisations within scope are important. The obligations are identical; the difference is in supervision. Essential entities receive proactive supervision and higher maximum fines, important entities are checked afterwards, for example following an incident or a signal.

Step 3: check the exceptions

For a number of categories the act applies regardless of size. The main ones: DNS service providers, top-level domain registries, providers of (qualified) trust services and parts of government, including central government, provinces, municipalities and water authorities. A small organisation that is the sole provider of a critical service in the Netherlands can also be designated.

For public-sector directors there is an extra reason to look closely: the act explicitly regulates board-level accountability. What that does and does not mean is covered in NIS2 and joint and several liability for public-sector directors, with the practical follow-up in the NIS2 roadmap for public-sector boards.

Still in doubt after these three steps? The Dutch government offers an official self-assessment (via regelhulpenvoorbedrijven.nl) that gives a definitive answer per situation. The outcome is also a useful document for your records: "we are not in scope, and this is how we established that" is something you want to be able to show as well.

Outside the scope is not out of range

The most underestimated outcome of the self-check is this: you fall formally outside the act, but your largest customers are covered by it. Those 8,000 organisations are required to manage the risks in their supply chain, and as a supplier you will notice that in the form of questionnaires, contract requirements and audits. What that supply-chain duty of care means for you as a supplier and how to answer such a supplier questionnaire well we described earlier.

In practice, for SMEs the pressure from the chain is often felt sooner than the act itself: the regulator may never knock on your door, your largest customer will.

You are in scope. Now what?

Four things, in this order:

  1. Register your organisation in the entity register via mijn.ncsc.nl. This is the most accessible obligation and the first one visible to the regulator.
  2. Map your risks. The duty of care starts with knowing what you have and where you are vulnerable, including what is visible from the outside. Start with what an attacker sees of your domain.
  3. Set up your reporting process. Significant incidents require an early notification within 24 hours. You only achieve that with a rehearsed process and agreements with your suppliers.
  4. Make it demonstrable and board-owned. The board approves the measures and oversees them. Make sure there is dated evidence of what you do, because a measure you cannot demonstrate does not count.

Conclusion

Whether you fall under NIS2 is not a matter of gut feeling or of what a vendor claims, but of two testable criteria: sector and size, plus a short list of exceptions. Do the check, record the outcome, and remember that even a "no" does not exempt you from the practice: the supply chain asks the same questions as the law.

Exposentry helps with the steps that come next: continuous visibility of your external attack surface and forensically substantiated reports with which you demonstrate your duty of care to regulators and customers alike. Not a compliance guarantee, but a demonstrable building block. Start with a baseline scan or see the plans and pricing.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides EU-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.