Understanding the size of the organization potentially in scope of NIS2 is crucial when navigating the requirements of the NIS2 Directive. It’s a common misconception that the criteria of headcount, annual turnover or annual balance sheet total are cumulative. However, this is not the case. Let’s delve into the specifics to clarify this point.

The NIS2 Directive: a brief overview

The NIS2 Directive is a legislative framework aimed at enhancing cybersecurity across the European Union. It categorizes entities as either ‘essential’ or ‘important’ and introduces a ‘size-cap rule’, which stipulates that all medium-sized and large entities within the covered sectors fall within its scope.

Size criteria main rule:

For an entity to be in scope of NIS2, it needs to be at least a medium-sized enterprise, meaning it has at least 50 employees (annual work units as defined in Article 4 of the Annex to the SME Recommendation) or its annual turnover and annual balance sheet total are both more than EUR 10 million.

Note that the entity may rely on the lower of its turnover or balance sheet total to stay below the medium-sized enterprise size threshold. In other words, if the entity has fewer than 50 employees and only one of the financial conditions exceeds EUR 10 million, it will still be considered a small or micro enterprise.

Other rules of thumb:

>50 staff is always in scope of NIS2, regardless of financial amounts

>10M in annual turnover and annual balance sheet is always in scope of NIS2, regardless of staff headcount

>250 staff is always large

>50M annual turnover and >43M annual balance sheet is always large

Conclusion

When determining the size of your organization for the NIS2 Directive and the SME Recommendation, remember that the criteria are not to be added together. Each criterion stands alone, and meeting any one of them will place your organization within the respective category. This understanding is vital for ensuring compliance and taking advantage of the support programs available for different-sized enterprises. By keeping these guidelines in mind, organizations can accurately determine their size and understand their obligations under the NIS2 Directive and the SME Recommendation. It’s a straightforward process, but one that requires attention to detail and an understanding of the legislative context.