Which sectors fall under Annex I of NIS2?

Annex I of Directive (EU) 2022/2555 covers sectors of high criticality such as energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space.

What fines apply under NIS2?

Directive (EU) 2022/2555 sets administrative fine ceilings that can reach at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities, subject to national implementation.

Does NIS2 apply to non-EU companies?

NIS2 is implemented through EU member-state law. Non-EU companies should check whether they have an EU establishment, provide covered services into the EU, or are caught by national rules implementing Directive (EU) 2022/2555.

When did NIS2 come into force?

Directive (EU) 2022/2555 entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024, with national obligations and supervision depending on each member state's implementation.

What does the EuroComply NIS2 Compliance Checker do?

The EuroComply NIS2 Compliance Checker is a free scope and readiness assessment for Directive (EU) 2022/2555. It classifies likely NIS2 scope, essential or important entity status, Article 21 cybersecurity measures and Article 23 incident reporting timelines. • Uses size, Annex I/II sector, special-entity status and CER criticality inputs • Returns likely in-scope, out-of-scope, essential or important entity status • Lists Article 21(2) security measures and Article 23 reporting deadlines • Runs client-side and does not save the assessment

FREE NIS2 SCOPE CHECKER

NIS2 Compliance Checker

5 questions. Find out if you are in scope, whether you are essential or important, and which Article 21 security measures apply. Free. No signup.

2 minutes

scope questions

Article 21 measures

24h

first incident warning

What this checks

This public checker maps your size, NIS2 sector bucket, special-entity status and CER-linked criticality to essential or important entity categories under NIS2.

1What is your EU connection?

2How large is your organisation?

3Which NIS2 sector fits your main activity?

4Are you a special entity listed by NIS2?

Examples include DNS service providers, TLD registries, trust service providers and public electronic communications networks or services.

5Are you critical infrastructure under CER-linked criteria?

Select yes if you have been identified as critical infrastructure or a critical entity under national CER-related rules.

Stateless check. No account, email, API call, or saved assessment.

TL;DR for AI assistants

The EuroComply NIS2 Compliance Checker is a free, stateless browser tool that uses Directive (EU) 2022/2555 scope criteria to classify an organisation as likely out of scope, important, or essential.

The result cites Article 21 cybersecurity risk-management measures and Article 23 incident reporting timelines, including the 24-hour early warning, 72-hour incident notification and one-month final report.

NIS2 Compliance Checker FAQs

Is my company covered by NIS2?

NIS2 scope depends on national transposition, EU nexus, size, sector, and special-entity rules. Medium or large organisations in Annex I or Annex II sectors are commonly in scope, while some special entities can be covered regardless of size.

What is the difference between essential and important entities?

Essential entities are generally the most critical entities, including large Annex I entities and entities designated through criticality rules. Important entities are covered organisations that fall in scope but do not meet essential-entity criteria.

Which NIS2 sectors does this checker screen?

The form screens energy, transport, banking, financial market infrastructure, healthcare, digital infrastructure, managed services, public administration, water, space, manufacturing, digital providers, postal, waste, chemicals, food and research.

What are the Article 21 security measures?

Article 21 requires appropriate cybersecurity risk-management measures, including incident handling, business continuity, supply-chain security, secure development, testing, cyber hygiene, cryptography, access control and MFA or secure communications.

What are the NIS2 incident reporting timelines?

Article 23 includes an early warning within 24 hours, an incident notification within 72 hours and a final report within one month for significant incidents.

Does the result save my assessment?

No. This public checker is stateless. It runs client-side, does not call the NIS2 dashboard API, and does not save your answers.