Does NIS2 Apply to My Company? Find Out in 5 Minutes

11 min read · AstraLoop Studio

You've asked yourself the same question, probably right after getting a security questionnaire from a client, or after reading yet another alarmist article: "does this NIS2 thing actually affect me?" The short answer is that it depends on three things: your sector, your size, and who your clients are. The long answer takes five minutes to work through, following a path with a few hurdles along the way, and that's exactly what we're doing here.

Here's the picture up front. EU Directive 2022/2555 (NIS2) was transposed into Italian law through Legislative Decree 138/2024, which took effect on October 16, 2024. The competent authority is ACN (the National Cybersecurity Agency). Companies that fall within scope had to register on the ACN platform during the window that opened in early 2025, and 2026 is when the concrete obligations kick in: baseline security measures and incident notification become operational in the first months of the year, while the full regime matures by autumn 2026. If you haven't registered yet and you should have, you're already behind.

Before diving in, a note of honesty. NIS2 isn't a checklist you tick off in an afternoon. Figuring out whether it applies to you is just the first step — and even if you find you're outside the direct scope, you could still get pulled in through the back door, as a supplier. Let's go through it all, in order.

Illustration of a decision tree with branches running from a company toward three NIS2 verification paths

The three filters: sector, size, supply chain

NIS2 doesn't look at revenue in the classic sense, and it doesn't apply to "all digital companies." It works through progressive elimination. You have to pass three filters in sequence. If you stop at the first one, you're outside the direct scope (but read the supply-chain section anyway). If you clear all three, you're in.

  1. Sector filter. Does your business belong to one of the sectors listed in Annexes I and II of the decree?
  2. Size filter. Do you exceed the size thresholds (employees, or turnover and balance sheet)?
  3. Supply-chain filter. Even if you're outside the first two, is a client of yours who is subject to NIS2 asking you for contractual security guarantees?

Let's take them one at a time, because this is where almost everyone gets the self-assessment wrong.

Filter 1: are you in a NIS2 sector?

The decree distinguishes two groups. The sectors in Annex I are considered "highly critical," those in Annex II are "other critical sectors." The practical difference mostly affects whether you're classified as an essential or an important entity (more on that shortly).

Highly critical sectors (Annex I)

  • Energy (electricity, gas, oil, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, laboratories, manufacturing of medical devices and critical medicines)
  • Drinking water and wastewater
  • Digital infrastructure (data centres, cloud, DNS, TLD registries, electronic communications networks)
  • Management of B2B ICT services (managed service providers and managed security service providers)
  • Public administration (per the criteria in the Italian decree)
  • Space

Other critical sectors (Annex II)

  • Postal and courier services
  • Waste management
  • Manufacturing, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing of medical devices, electronics, machinery, vehicles and other means of transport
  • Digital service providers (online marketplaces, search engines, social networking platforms)
  • Research

Watch out for manufacturing, because it's the most common trap. Plenty of business owners reason like this: "I make furniture, I'm not critical infrastructure, I'm out." Wrong. If you produce medical devices, electronic components, machinery, motor vehicles or processed food, you're in Annex II. A machine shop in the north-east of Italy supplying components for industrial equipment falls squarely under "manufacturing of machinery," full stop.

If, after reading these lists, your sector doesn't show up anywhere — say you run a communications agency, a retail shop, or a general consulting practice — filter 1 excludes you from the direct scope. Feel free to skip ahead to filter 3, because the supply chain could still pull you in.

Filter 2: do you clear the size thresholds?

Being in a covered sector isn't enough on its own. NIS2 uses the medium and large enterprise criterion, borrowed from the EU recommendation on SMEs. In practice, you need to be above the small-enterprise threshold. Generally, you're in scope if:

  • You have at least 50 employees, or
  • Your annual turnover and balance sheet total both exceed €10 million.

If you have fewer than 50 employees and stay under €10 million on both turnover and balance sheet, NIS2 generally doesn't apply to you directly. There's an important exception: some categories are in scope regardless of size. That covers entities such as providers of electronic communications networks, DNS service providers, TLD registries, trust service providers, public administration bodies (per the criteria in the decree), and entities identified as critical to national security. If you're a telecoms provider or a DNS service, being small won't save you.

Essential or important? The distinction that changes the fines

If you clear filters 1 and 2, the decree classifies you as either an essential or an important entity. In broad strokes: large companies in the highly critical Annex I sectors tend to be essential, while medium-sized companies and Annex II entities tend to be important. The security obligations are substantially the same, but the supervisory regime differs (more stringent and proactive for essential entities) and so does the cap on fines. We've dedicated a separate deep dive to NIS2 fines for companies and how they're calculated, because the numbers are scarier than the words.

Illustration of a supply chain with a small link highlighted as the weak point leading to a central node

Filter 3: are you a supplier to a NIS2 entity? The knock-on effect

This is the part almost no article explains properly, and it's the one that drags in thousands of Italian SMEs who thought they were safe. NIS2 requires obligated entities to manage the risk arising from their own supply chain. In plain terms: if a company is in scope, it has to assess the security of its suppliers and demand guarantees from them.

What does that mean for you if, say, you're a 15-person software house, a firm managing a hospital's IT infrastructure, or a components supplier to an energy company? It means your NIS2 client, in order to be compliant itself, is required to push security requirements down onto you through the contract. Not because the law classifies you directly as a NIS2 entity, but because your client can't afford to have a supplier who is its weak link.

The numbers explain why this piece matters so much. Industry data shows supply-chain compromises have grown roughly fourfold in five years, and today around 30% of breaches involve a third party. An attacker doesn't breach the hospital directly — they breach the small supplier that holds the credentials into the hospital's management system. That's exactly why NIS2 forces the big players to vet the small ones.

How it actually shows up

In practice, this is what it looks like when it lands on your desk:

  • A security questionnaire attached to a contract renewal, with dozens of questions on backups, authentication, access management, and staff training.
  • Contract clauses requiring you to notify incidents to the client within tight time windows.
  • A request to prove you've carried out a recent security audit or vulnerability assessment.
  • In some cases, a request for a certification or alignment with a framework such as ISO 27001.

If you can't respond credibly, the risk isn't a fine from ACN (that lands on your client): the risk is losing the contract. A NIS2 client will replace a non-compliant supplier with one that offers real guarantees. That's the actual economic engine pushing the whole supply chain to raise its game — far more than the fines themselves. To structure a solid response to these requests, it's worth starting from our complete guide to IT security audits for SMEs, which ties together risk assessment, technical measures, and documentation.

The 5-minute decision tree

Let's put it all together in a flow you can run through right now, with pen and paper.

StepQuestionIf YESIf NO
1Is my sector in Annex I or II?Go to step 2Go to step 4
2Do I have at least 50 employees, OR over €10 million in both turnover and balance sheet?Go to step 3Go to step 4 (unless a "regardless of size" exception applies)
3I'm directly in scopeESSENTIAL or IMPORTANT entity: ACN registration plus 2026 obligations-
4Do I count a NIS2 entity among my clients (or don't I know)?Supply-chain effect: brace for questionnaires and contract clausesOutside the scope, but security remains a business issue

Pay attention to step 4: even a flat "no" doesn't give you a licence to ignore security. The 2026 Clusit Report shows SMEs account for roughly 72% of attack targets in Italy, with Italy making up about 10% of incidents worldwide and severe attacks rising at a double-digit rate. NIS2 or no NIS2, you're a target. The difference is that if you're in scope, security becomes a legal obligation with personal liability for management; if you're not, it remains a matter of business survival all the same.

If you're in scope: what changes in 2026 (in brief)

Covering every single measure isn't the point of this article, but here's the overview to grasp the scale of it. If you're a NIS2 entity, you need to address risk analysis, incident management, business continuity and backups, supply-chain security, basic IT hygiene and training, access control, and encryption where relevant. And above all: responsibility for making sure all of this happens falls on management, and can no longer be delegated to the IT department. CEOs and boards answer for it personally, and the decree also mandates training for directors.

On timing, remember the two key deadlines: notification of significant incidents to ACN becomes operational in the first part of 2026, while full implementation of security measures matures by autumn. If you want the precise deadline-by-deadline timeline, we've mapped it all out in our dedicated article on NIS2 deadlines for 2026, and you'll find the step-by-step operational detail in our guide to NIS2 obligations for SMEs.

Not sure which branch of the decision tree you're on, or how to answer a client's security questionnaire? Ask us for an assessment: we'll spell out in writing whether NIS2 applies to you and what you actually need to do.

NIS2, the AI Act and GDPR: don't look at them in isolation

A mistake we see often is treating NIS2 as a standalone compliance exercise. In reality, 2026 brings three overlapping regulations. There's GDPR (EU Regulation 2016/679), already in force, covering personal data with the Italian Data Protection Authority as the competent body. There's the AI Act (EU Regulation 2024/1689), which enters its operational phase for high-risk systems from August 2, 2026, with cybersecurity obligations, ACN oversight, and fines that can reach up to €35 million or 7% of global turnover. And there's NIS2.

All three share a common core: risk assessment, incident management, documented governance. Running three disconnected projects makes little sense. If you have an AI system in your company, it's worth understanding how the pieces fit together — we've written a guide on AI Act obligations for SMEs aimed at companies without an in-house legal department. And if you want to frame security as a whole, our 2026 cybersecurity guide for SMEs lays out the priorities without unnecessary jargon.

A risk that often goes unnoticed: Shadow AI

While you're figuring out whether NIS2 applies to you, there's a leak already eroding your compliance that nobody signed off on: your employees pasting company data into ChatGPT, Gemini or Copilot. Surveys indicate that around 38% of employees share confidential data with AI tools, and about 78% bring their own AI tools into the workplace, entirely outside any oversight. It's a supply-chain security issue (your data ends up on third-party services) and, at the same time, a potential GDPR and AI Act problem. If you want to dig deeper, we have a piece on what Shadow AI is and what risks it carries. The point is simple: a serious audit today looks at this too, not just firewalls.

What to do now, in order of priority

  1. Do a proper self-assessment. Work through the three filters. If you have any doubt about your sector — especially if you're a manufacturer or an ICT service provider — check your ATECO code against the annexes of Legislative Decree 138/2024.
  2. If you're in scope and haven't registered, move on the ACN platform right away. Being late already puts you in a risky position.
  3. If you supply a NIS2 entity, don't wait for the questionnaire. Prepare beforehand, because responding credibly to a request for guarantees is far easier if you've already run a vulnerability assessment.
  4. If you're outside the scope entirely, don't let your guard down. SMEs are target number one, and a data breach costs a small business between €35,000 and €250,000 once you factor in downtime, recovery, and reputational damage.

In all four cases, the starting point is the same: know where you're vulnerable. You won't find that out by reading a decree — you find it through a technical analysis of your infrastructure. If you're not sure where to start, begin by understanding the difference between a vulnerability assessment and a penetration test, so you pick the right tool for your risk level instead of buying blind.

NIS2 isn't a bureaucratic monster to fear — it's an accelerator. It forces you to do things that are worth doing anyway, regulatory pressure or not. "Does it apply to my company?" is only the opening question. The real one is different: "can I prove to a client, an authority, or a judge that I'm protecting my data?" That's answered with facts, not a checkbox.

Frequently asked questions

Does NIS2 apply to small businesses with fewer than 50 employees?

Generally not directly: NIS2 uses the medium and large enterprise criterion (at least 50 employees, or over €10 million in both turnover and balance sheet). There are exceptions that apply regardless of size, such as providers of communications networks, DNS services, and trust services. And even if you're small, you can still be pulled in as a supplier to a NIS2 entity.

How do I know if my sector falls under NIS2?

Check Annexes I and II of Legislative Decree 138/2024. Annex I covers energy, transport, banking, health, water, digital infrastructure and ICT services, public administration, and space. Annex II covers postal services, waste, chemicals, food, manufacturing of medical devices, electronics, machinery and vehicles, digital services, and research. Check your ATECO code against these lists.

I'm a supplier to a NIS2 company — do I need to comply too?

You're not directly classified as a NIS2 entity, but your client is required to manage the risk in its own supply chain, so it will push security requirements onto you through the contract: questionnaires, incident notification clauses, audit requests. Failing to respond credibly can cost you the contract, which is the real economic risk for you.

What's the difference between an essential and an important entity?

The security obligations are substantially the same. What changes is the supervisory regime — more proactive and stringent for essential entities — and the cap on fines, which is higher for essential entities. Generally, large companies in the highly critical sectors (Annex I) are essential, while medium-sized companies and Annex II entities tend to be important.

What are the NIS2 deadlines for 2026?

Entities registered on the ACN platform during the window that opened in early 2025. In 2026, notification of significant incidents becomes operational in the first part of the year, and full implementation of security measures matures by autumn. If you're in scope and haven't registered yet, you're already behind.

Who is responsible for NIS2 compliance within a company?

Responsibility falls on management (the CEO and the board) and can no longer be delegated to the IT department. The decree also mandates training for directors. It's one of the most significant changes compared to the past: security becomes a direct, personal responsibility of leadership.

Talk to us: we'll assess your position against NIS2 together and tell you, no fluff, where you're exposed and where it makes sense to start.