# NIS2 Entity Classification

> Classify an organization as essential, important, or out-of-scope under the NIS2 Directive (EU 2022/2555). Maps activities to Annex I/II sectors, applies size thresholds (medium/large enterprise criteria), and determines member state jurisdiction. Produces a classification report with regulatory obligations summary.



Tags: NIS2, EU Directive, Cybersecurity, Entity Classification, GRC, Compliance


## Example Prompts

- Classify our organization under NIS2
- Check if we are an essential or important entity under NIS2
- Map our business activities to NIS2 Annex I and II sectors
- Determine which member state has jurisdiction over our NIS2 obligations

URL: https://rakenne.app/skills/nis2-entity-classification/index.md

Try this skill: https://rakenne.app/a/?skill=nis2-entity-classification



## Overview

Determine whether your organization falls under the NIS2 Directive (EU 2022/2555) and what that means in practice. The skill walks through the full classification workflow: mapping business activities to Annex I and Annex II sectors, applying the EU medium/large enterprise size thresholds, and resolving which member state holds primary jurisdiction. The result is a classification report you can hand to legal counsel, share with your board, or use as the starting point for a NIS2 compliance program.

NIS2 replaced the original NIS Directive with a significantly broader scope, pulling in sectors like waste water, food production, digital providers, and ICT service management that were previously unregulated at the EU level. The size-cap rule means most medium and large enterprises in covered sectors are now in scope, but the classification logic is not straightforward — sector-specific overrides, special category designations, and multi-country jurisdiction rules all add complexity. This skill encodes that logic into structured tools so the assessment is consistent and auditable.

### What It Covers

- **Sector mapping** — matches organization activities against all 11 Annex I (high criticality) and 7 Annex II (other critical) sectors and their sub-sectors
- **Size-cap assessment** — evaluates employee count, annual turnover, and balance sheet total against EU medium and large enterprise thresholds
- **Special category handling** — identifies entities that are essential regardless of size (qualified trust service providers, DNS providers, TLD registries, public ECN/ECS providers, central government bodies, sole providers)
- **Entity classification** — determines essential, important, or out-of-scope status with legal basis references (Art. 3)
- **Jurisdiction resolution** — applies the Art. 26 main establishment principle and handles multi-country service provision, no-EU-establishment scenarios, and special jurisdiction rules
- **Regulatory obligations summary** — outlines applicable supervision regime, incident reporting duties, governance requirements, and penalty framework

## Example Conversation

> **You:** We need to classify our company under NIS2. We're a B2B SaaS company called CloudOps Solutions, headquartered in Berlin. We provide managed cloud infrastructure and security monitoring services to enterprise clients across the EU.
>
> **Agent:** I'll walk you through the full NIS2 entity classification. Let me start by gathering some details about your organization.
>
> 1. How many employees do you have?
> 2. What is your annual turnover and balance sheet total (in EUR)?
> 3. Do you have establishments in other EU countries besides Germany?
> 4. In which member states do you provide services?
> 5. Do you hold any special designations — for example, are you a qualified trust service provider, DNS service provider, or TLD name registry?
>
> **You:** We have 85 employees. Annual turnover is EUR 22 million, balance sheet total is EUR 18 million. Our only office is in Berlin, but we provide services to clients in Germany, France, the Netherlands, and Sweden. No special designations.
>
> **Agent:** Good, let me map your business activities to NIS2 sectors. Running `sector_mapper`...
>
> **Results — NIS2 Sector Mapping:**
>
> ### Annex I — Sectors of High Criticality
>
> | Sector | Sub-sectors | Matched Keywords |
> |--------|-------------|-----------------|
> | Digital infrastructure | Cloud, Data centres, CDNs, Trust services | cloud, data centre |
> | ICT service management (B2B) | MSPs, MSSPs | managed service provider, managed security |
>
> **Summary:** 2 Annex I sectors matched, 0 Annex II sectors.
>
> You match two Annex I sectors — Digital infrastructure (for your cloud infrastructure services) and ICT service management (for managed security monitoring). Both are high-criticality sectors. Does this mapping look correct, or are there activities I should adjust?
>
> **You:** That looks right. We also resell some SaaS tools but that's a minor part of the business.
>
> **Agent:** The reselling activity doesn't map to a separate NIS2 sector — your primary classification drivers are the cloud infrastructure and managed security services. Let me now classify your entity. Running `entity_classifier`...
>
> **Results — NIS2 Entity Classification:**
>
> **Classification: IMPORTANT ENTITY**
>
> ### Size Assessment
>
> | Criterion | Value | Medium (>=) | Large (>=) |
> |-----------|-------|-------------|------------|
> | Employees | 85 | 50 | 250 |
> | Turnover | EUR 22,000,000 | EUR 10M | EUR 50M |
> | Balance sheet | EUR 18,000,000 | EUR 10M | EUR 43M |
>
> **Size:** Medium enterprise | Medium test: PASS | Large test: FAIL
>
> ### Rationale
> - Medium enterprise in Annex I sector(s): Digital infrastructure, ICT service management (B2B) (Art. 3(2)).
>
> ### Regulatory Implications
> - **Reactive** (ex-post) supervision.
> - Art. 21 risk-management and Art. 23 incident reporting apply.
> - Fines up to **EUR 7M or 1.4% worldwide turnover** (Art. 34(5)).
> - Management body must approve and oversee cybersecurity measures (Art. 20).
>
> You qualify as an **important entity** — medium-sized enterprise in Annex I sectors. If you grow past 250 employees or EUR 50M turnover, you would move to **essential entity** status with stricter (proactive) supervision. Let me now determine jurisdiction. Running `jurisdiction_resolver`...
>
> **Results — NIS2 Jurisdiction Determination:**
>
> **Primary jurisdiction: DE** (main establishment)
>
> Under Art. 26(1), jurisdiction is the member state of main establishment — where cybersecurity risk-management decisions are predominantly taken.
>
> **Services provided in (no establishment):** FR, NL, SE — primary jurisdiction remains Germany. These member states may request supervisory cooperation.
>
> Your primary regulator will be the German Federal Office for Information Security (BSI). You'll need to register with BSI and comply with the German NIS2 transposition. France, the Netherlands, and Sweden can request cooperation from BSI but cannot directly supervise you.
>
> **You:** What are our concrete next steps?
>
> **Agent:** I'll compile the full classification report now. Writing to `output/NIS2-Entity-Classification-Report.md`...
>
> The report is ready. Key next steps from the report:
> 1. **Register** with BSI as an important entity under the German NIS2 transposition (NIS2UmsuCG)
> 2. **Implement Art. 21 risk-management measures** — supply chain security, incident handling, business continuity, encryption, access control, and multi-factor authentication
> 3. **Establish incident reporting** — significant incidents must be reported within 24 hours (early warning), 72 hours (incident notification), and 1 month (final report)
> 4. **Board accountability** — your management body must formally approve cybersecurity measures and undergo training
> 5. **Monitor reclassification triggers** — crossing the large enterprise threshold would elevate you to essential entity status

## Sample Output Excerpt

Below is a representative excerpt from a generated NIS2 Entity Classification Report showing the executive summary, sector mapping, and classification sections.

---

### Executive Summary

CloudOps Solutions GmbH is classified as an **important entity** under the NIS2 Directive (EU 2022/2555). The organization operates in two Annex I (high criticality) sectors — Digital infrastructure and ICT service management (B2B) — and meets the medium enterprise size threshold with 85 employees and EUR 22M annual turnover. Primary jurisdiction is Germany (DE) under the main establishment principle (Art. 26).

As an important entity, CloudOps Solutions is subject to reactive (ex-post) supervision, Art. 21 cybersecurity risk-management obligations, Art. 23 incident reporting requirements, and potential administrative fines of up to EUR 7M or 1.4% of worldwide annual turnover (Art. 34(5)).

### Sector Mapping

| # | Sector | Annex | Sub-sectors | Matched Activities | Ref |
|---|--------|-------|-------------|-------------------|-----|
| 1 | Digital infrastructure | I | Cloud, Data centres | Managed cloud infrastructure hosting for enterprise clients | Annex I, Directive (EU) 2022/2555 |
| 2 | ICT service management (B2B) | I | MSPs, MSSPs | Managed security monitoring and incident response services | Annex I, Directive (EU) 2022/2555 |

### Size Assessment

| Criterion | Value | Medium Threshold | Large Threshold | Result |
|-----------|-------|-----------------|-----------------|--------|
| Employees | 85 | >= 50 | >= 250 | Medium |
| Annual turnover | EUR 22,000,000 | >= EUR 10,000,000 | >= EUR 50,000,000 | Medium |
| Balance sheet total | EUR 18,000,000 | >= EUR 10,000,000 | >= EUR 43,000,000 | Medium |

**Enterprise size:** Medium | **Special category:** None

### Entity Classification

| Field | Value |
|-------|-------|
| Classification | **Important entity** |
| Legal basis | Art. 3(2), Directive (EU) 2022/2555 |
| Rationale | Medium enterprise operating in Annex I sector(s) |
| Supervision regime | Reactive (ex-post) — Art. 33 |
| Penalty ceiling | EUR 7,000,000 or 1.4% worldwide annual turnover (Art. 34(5)) |

### Jurisdiction

| Field | Value |
|-------|-------|
| Primary jurisdiction | **Germany (DE)** — main establishment, Art. 26(1) |
| Competent authority | Federal Office for Information Security (BSI) |
| Other EU establishments | None |
| Service provision countries | FR, NL, SE — supervisory cooperation applies |

### Applicable Obligations

1. **Cybersecurity risk-management measures (Art. 21)** — risk analysis, incident handling, business continuity, supply chain security, encryption, access control, MFA, network security, secure development practices
2. **Incident reporting (Art. 23)** — early warning within 24h, incident notification within 72h, intermediate report on request, final report within 1 month
3. **Governance (Art. 20)** — management body approval of cybersecurity measures, mandatory cybersecurity training for management
4. **Registration (Art. 27)** — register with competent authority, provide entity name, sector, establishment details, contact information


## Extension Tools

### `sector_mapper`

Matches an organization's business activities and service descriptions against all NIS2 Annex I and Annex II sectors using keyword analysis. Returns every matched sector with its sub-sector breakdown, the specific keywords that triggered the match, and the annex reference.

The tool covers all 18 NIS2 sectors: 11 Annex I sectors (Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Waste water, Digital infrastructure, ICT service management, Public administration, Space) and 7 Annex II sectors (Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital providers, Research organisations). When no sectors match, the tool flags the organization as potentially out of scope with a recommendation for manual review.

**When it runs:** Early in the conversation, after the agent collects the organization's activity and service descriptions. Results are confirmed with the user before proceeding to classification.

### `entity_classifier`

Applies the NIS2 size-cap rules and sector-specific overrides to produce a definitive classification: essential entity, important entity, or out-of-scope. Takes the confirmed sector mapping, employee count, annual turnover, balance sheet total, and any special category designation as inputs.

The tool evaluates two size thresholds — medium enterprise (50 or more employees, or both turnover >= EUR 10M and balance sheet total >= EUR 10M) and large enterprise (250 or more employees, or both turnover >= EUR 50M and balance sheet total >= EUR 43M). It then applies the classification logic: large enterprises in Annex I sectors are essential; medium enterprises in Annex I sectors are important; medium or large enterprises in Annex II sectors are important. Seven special categories (qualified trust service providers, DNS service providers, TLD registries, public ECN/ECS providers with 50+ employees, central government, sole providers, and entities with significant impact on public safety) are classified as essential regardless of size.

The output includes a size assessment table, the classification with legal basis, and regulatory implications — supervision regime, applicable articles, penalty ceiling, and governance requirements.

**When it runs:** After sector mapping is confirmed. Requires size data (employees, turnover, balance sheet) and optionally a special category designation.
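The size-cap and classification logic described above, written out as an added Python example (this is illustrative code, not the skill's `entity_classifier` implementation). It applies the page's thresholds with `>=` comparisons literally, uses constructed labels for the special categories, and feeds in the CloudOps Solutions profile from the example conversation as constructed input.

```python
from dataclasses import dataclass, field

# Size thresholds as stated on this page (EU medium/large enterprise criteria);
# the page's ">=" comparisons are applied literally (an assumption of this example).
MEDIUM = {"employees": 50, "turnover": 10_000_000, "balance": 10_000_000}
LARGE = {"employees": 250, "turnover": 50_000_000, "balance": 43_000_000}

# Special categories the page lists as essential regardless of size (labels are constructed here).
SPECIAL_ESSENTIAL = {
    "qualified_trust_service_provider", "dns_service_provider", "tld_registry",
    "public_ecn_ecs_provider_50plus", "central_government", "sole_provider",
    "significant_public_safety_impact",
}

@dataclass
class Organization:
    employees: int
    turnover_eur: int
    balance_sheet_eur: int
    annex_i_sectors: list = field(default_factory=list)
    annex_ii_sectors: list = field(default_factory=list)
    special_category: str = ""  # empty string means no special designation

def meets(org, t):
    """Size test from the page: headcount OR (turnover AND balance sheet)."""
    return org.employees >= t["employees"] or (
        org.turnover_eur >= t["turnover"] and org.balance_sheet_eur >= t["balance"])

def enterprise_size(org):
    if meets(org, LARGE):
        return "large"
    return "medium" if meets(org, MEDIUM) else "small"

def classify(org):
    """Return (classification, rationale) in the page's decision order."""
    if org.special_category in SPECIAL_ESSENTIAL:
        return "essential", f"special category ({org.special_category}), size-independent"
    size = enterprise_size(org)
    if size == "small":
        return "out-of-scope", "below the medium enterprise size cap"
    if org.annex_i_sectors:
        if size == "large":
            return "essential", "large enterprise in Annex I sector(s) (Art. 3(1))"
        return "important", "medium enterprise in Annex I sector(s) (Art. 3(2))"
    if org.annex_ii_sectors:
        return "important", f"{size} enterprise in Annex II sector(s) (Art. 3(2))"
    return "out-of-scope", "no Annex I or II sector matched"

# Constructed input: the CloudOps Solutions profile from the example conversation.
CLOUDOPS = Organization(85, 22_000_000, 18_000_000, ["Digital infrastructure", "ICT service management (B2B)"])
```

Calling `classify(CLOUDOPS)` reproduces the conversation's result: a medium enterprise in Annex I sectors, hence an important entity; raising the headcount to 250 flips it to essential.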

### `jurisdiction_resolver`

Determines which EU member state(s) have jurisdiction over the organization's NIS2 obligations by applying the Art. 26 main establishment principle. Takes the list of EU establishments (with main establishment flag) and the member states where services are provided.

The tool handles three scenarios: (1) main establishment identified — primary jurisdiction is that member state, with supervisory cooperation available in service-provision countries; (2) EU establishments exist but no main designated — prompts the organization to designate where cybersecurity risk-management decisions are predominantly taken; (3) no EU establishment — the entity must designate an EU representative, and any member state where services are provided may take enforcement action. The tool also documents special jurisdiction rules for DNS/TLD providers, public ECN/ECS providers, and public administration entities.

**When it runs:** After entity classification, using the organization's establishment data and service provision geography collected during the profile-gathering step.
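The three Art. 26 scenarios above, as an added Python example (illustrative code, not the skill's `jurisdiction_resolver`). Establishments are passed as `(country_code, is_main)` pairs and service states as ISO country codes; the CloudOps Solutions geography from the example conversation is used as constructed input.

```python
def resolve_jurisdiction(establishments, service_states):
    """Apply the page's three scenarios for the Art. 26 main establishment principle.

    establishments: list of (country_code, is_main) for every EU establishment.
    service_states: member states where services are provided.
    Returns a dict with the scenario, the primary jurisdiction (or None) and
    which other member states may cooperate, enforce, or be designated.
    """
    establishment_states = [c for c, _ in establishments]
    mains = [c for c, is_main in establishments if is_main]
    if not establishments:
        # Scenario 3: no EU establishment. An EU representative must be designated
        # and any member state where services are provided may take enforcement action.
        return {"scenario": "no_eu_establishment", "primary": None,
                "action": "designate an EU representative",
                "enforcement_states": sorted(set(service_states))}
    if not mains:
        # Scenario 2: establishments exist but none is flagged as main. The organization
        # must designate where cybersecurity risk-management decisions are predominantly taken.
        return {"scenario": "main_not_designated", "primary": None,
                "action": "designate the main establishment",
                "candidate_states": establishment_states}
    if len(mains) > 1:
        raise ValueError("only one establishment may be flagged as main")
    # Scenario 1: main establishment identified. Primary jurisdiction is that member state;
    # served states without an establishment may request supervisory cooperation.
    primary = mains[0]
    return {"scenario": "main_establishment", "primary": primary,
            "other_establishments": [c for c in establishment_states if c != primary],
            "cooperation_states": sorted(set(service_states) - set(establishment_states))}

# Constructed input: one Berlin office, services delivered in DE, FR, NL and SE.
CLOUDOPS_JURISDICTION = resolve_jurisdiction([("DE", True)], ["DE", "FR", "NL", "SE"])
```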

## Getting Started

Install the *NIS2 Entity Classification* skill and start a new conversation. Have the following information ready:

- **Legal entity name** and corporate structure
- **EU establishments** — countries where you have offices or registered entities, and which one is the main establishment
- **Business activities** — description of what the organization does, services it provides, and sectors it operates in
- **Employee headcount** (total)
- **Annual turnover** and **balance sheet total** (in EUR)
- **Service geography** — which EU member states you provide services in
- **Special designations** (if any) — qualified trust service provider, DNS service provider, TLD name registry, public ECN/ECS provider, or central government entity

The agent guides you through a structured workflow: gather your organization profile, map activities to NIS2 sectors, classify your entity against size thresholds, resolve jurisdiction, and compile a classification report with regulatory obligations and next steps. The full assessment typically takes 10-15 minutes.



