Why Businesses Must Care About Their Classification as Essential or Important Entities Under NIS 2?

In today’s interconnected world, the stakes for cybersecurity have never been higher. The NIS 2 Directive, introduced by the European Union, represents a landmark effort to strengthen the cybersecurity posture of critical sectors. A key aspect of the directive is the classification of organizations into Essential Entities and Important Entities, based on their size, sector and impact on society. While these classifications might seem like a regulatory technicality, they have profound implications for businesses. Understanding and addressing the requirements tied to these classifications is critical for any organization operating within the EU.

Essential vs Important Entities

Both Essential and Important Entities must comply with the directive, but the level of scrutiny and requirements varies significantly. The criteria for the classification are the following according to the EU:

Size: Generally, entities with more than 50 employees or an annual turnover or balance sheet exceeding €10 million fall under the scope of NIS 2. Organizations with 250 or more employees or revenue exceeding €50 million are classified as large entities. Those with 50 to 249 employees or revenue above €10 million are classified as medium entities. However, small and micro entities can still be designated as essential or important if they provide critical services.

Sector & Criticality: The role of the entity in maintaining vital societal or economic functions.

Large entities often fall under Essential Entities, while medium entities are typically classified as Important Entities. However, this correlation may vary depending on the sector and its criticality. The same principle applies to small and micro entities.

Essential Entities (EE)

Entities in this category are particularly susceptible to security breaches, which can have devastating societal effects. Therefore, the NIS 2 directive mandates that Member States impose a maximum fine of at least €10,000,000 or 2% of the global annual revenue for non-compliance. Αdditionally, these entities are subject to proactive supervision and must adhere to more stringent regulatory obligations.

Important Entities (IE)

These entities include businesses that are important but may have a less immediate impact on society in the event of an incident. Under NIS 2, Member States are required to impose fines of at least €7,000,000 or 1.4% of global annual revenue. They are subject to reactive supervision, meaning that authorities typically intervene after a breach or reported issue occurs.

Why Does Your NIS 2 Classification Matter?

  • Regulatory Oversight and Scrutiny

Essential Entities face stricter oversight and are more likely to undergo proactive audits by national authorities. Important Entities, while also regulated, typically experience reactive oversight. For businesses, this means Essential Entities must maintain a continuous state of readiness for audits. Important Entities may have fewer obligations but are still held accountable if issues arise.

  • Compliance Costs

Meeting the requirements of the NIS 2 Directive entails investments in technology, personnel and processes. However, Essential Entities often incur higher compliance costs because they are mandated to implement more robust risk management and incident response measures. They must maintain regular reporting to authorities, increasing administrative and operational expenses. Important Entities, on the other hand, can adopt a slightly less resource-intensive approach, though non-compliance risks still necessitate significant investment.

  • Financial and Legal Consequences of Non-Compliance

The penalties for non-compliance with the NIS 2 Directive are significant for both classifications of entities. However, Essential Entities are more likely to face regulatory action due to their proactive supervision. The consequences of non-compliance can include substantial fines based on turnover, legal liabilities resulting from breaches, operational disruptions, and damage to reputation, which can undermine customer and stakeholder trust. It is clear that the costs associated with compliance investments are much lower than the potential economic repercussions of an incident or non-compliance.

  • Business Disruption Risks

Essential Entities often operate in sectors where disruptions can cascade across society, such as energy grids or healthcare systems. The need for heightened cybersecurity to minimize downtime and ensure continuity is paramount. Important Entities, while less critical in immediate societal impact, face growing risks of supply chain attacks and indirect disruptions due to interconnected systems.

  • Customer Trust and Market Perception

Organizations classified as essential are seen as foundational to the functioning of society. Customers and partners inherently expect these entities to have robust cybersecurity measures. Falling short of these expectations can lead to loss of trust from customers, partners and regulators, and competitive disadvantages in sectors where security is a differentiating factor.

  • Strategic Cybersecurity Investments

Understanding whether a business is Essential or Important allows organizations to prioritize their cybersecurity investments strategically. Essential Entities need to focus on comprehensive threat monitoring, advanced incident response and employee training, while Important Entities should emphasize cost-effective measures that align with their risk profile while ensuring compliance.

  • Supply Chain Impact

Both Essential and Important Entities play a critical role in the supply chain. For instance, an Important Entity supplying services to an Essential Entity may face heightened scrutiny to prevent weak links in the chain. This interconnectedness means that even Important Entities must maintain strong cybersecurity practices to avoid cascading effects.

Embarking on Your Journey Toward NIS 2 Compliance?

The distinction between essential and important entities under NIS 2 is far from arbitrary; it has real implications for how businesses approach cybersecurity, allocate resources and manage risks. Regardless of classification, the directive underscores the growing importance of cybersecurity in ensuring business continuity, protecting sensitive data and maintaining public trust. By understanding their role within the NIS 2 framework, businesses can turn compliance into an opportunity—not just to meet regulatory requirements but to strengthen their overall resilience in an increasingly digital and interconnected world.

Neurosoft offers holistic technological support for the NIS 2 compliance journey. In addition to developing your compliance roadmap, we can immediately implement the required solutions and services. This takes the burden off your organization, allowing you to concentrate on your core business.

Do you need help with your NIS 2 classification? Contact a Neurosoft expert!

Corporate Responsibility.  Careers Certified Quality.  Privacy Policy.  Whistleblower Policy

© Copyright 2025 - Neurosoft S.A.
Neurosoft OT Security Service v2.0: Redefining Protection for Critical Infr...