Essential Entity
An essential entity is an organisation operating in one of NIS2's highest-priority sectors. These organisations are subject to the strictest cybersecurity requirements under the NIS2 Directive and are subject to proactive supervision by national authorities — regardless of whether an incident has occurred.
What is an essential entity?
Under the NIS2 Directive, all covered organisations are divided into two categories: essential entities and important entities. The categorisation primarily determines which supervisory regime the organisation is subject to.
Essential entities are organisations that operate in sectors the EU has deemed particularly critical to the functioning of society. A disruption in these sectors would have potentially catastrophic consequences for large numbers of people and for socioeconomic stability.
Which sectors are covered?
NIS2 Annex I designates the following sectors for essential entities:
- Energy: Electricity, gas, oil and district heating
- Transport: Air, rail, road and maritime
- Banking: Credit institutions
- Financial market infrastructures: Trading venues and central counterparties
- Health: Hospitals, laboratories, pharmaceutical manufacturers
- Drinking water: Supply and distribution
- Waste water: Treatment and disposal
- Digital infrastructure: DNS, TLD registries, cloud services, data centres, content delivery networks (CDNs), trust service providers (TSPs)
- ICT service management: Managed service providers and managed security service providers
- Public administration: Central government entities
- Space: Ground-based infrastructure
Size criteria and exceptions
As a general rule, organisations in these sectors qualify as essential entities if they are medium-sized (50 or more employees or EUR 10 million or more in turnover) or large. However, certain types of organisations are always essential entities regardless of size — for example, DNS providers, TLD registries and providers of public electronic communications networks.
Proactive supervision: The defining characteristic of essential entities is that they are subject to proactive supervisory oversight. National authorities may conduct inspections, audits and on-site visits at any time, without needing to wait for an incident or complaint. This contrasts with the reactive supervision applied to important entities.
Obligations of essential entities
Essential entities must comply with the full range of NIS2 requirements, including:
- Risk management: Implementing a comprehensive cybersecurity risk management framework covering policies, procedures and technical measures.
- Incident reporting: Reporting significant incidents within 24 hours (early warning) and 72 hours (full notification) to the competent authority.
- Supply chain security: Assessing and managing risks arising from suppliers and sub-contractors.
- Management accountability: Board-level approval and personal accountability for cybersecurity measures, including mandatory training.
- Technical measures: Encryption, access control, vulnerability management, backup and business continuity arrangements.
Essential vs important entities
The practical difference between the two categories primarily concerns supervision and penalties, not the security requirements themselves:
- Supervision: Essential entities are subject to proactive supervision — authorities may inspect them at any time. Important entities are subject to reactive supervision.
- Penalties: Fines for essential entities can reach up to EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum is EUR 7 million or 1.4%.
Frequently Asked Questions about Essential Entity
What is an essential entity under NIS2?
An essential entity is an organisation operating in one of NIS2's highest-priority sectors, such as energy, transport, health or digital infrastructure. These organisations are subject to the strictest cybersecurity requirements and proactive supervisory oversight from national authorities.
What is the difference between an essential and an important entity?
Both categories are subject to the same fundamental security requirements. The difference lies primarily in the supervisory regime: essential entities are subject to proactive supervision (authorities may inspect them without a prior incident), while important entities are subject to reactive supervision.
Which sectors fall under essential entities?
Sectors for essential entities include energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space.
What penalties do essential entities face for non-compliance?
Essential entities may face administrative fines of up to EUR 10 million or 2% of their total worldwide annual turnover, whichever is higher. National authorities may also impose non-monetary remedies such as compliance orders and binding instructions.
Are small organisations ever classified as essential entities?
Generally, essential entities are medium-sized or large organisations. However, certain types of organisations are always essential entities regardless of size, including DNS providers, TLD registries and providers of public electronic communications networks.
Related Terms
Management Accountability (NIS2)
NIS2's requirement that management bodies approve cybersecurity measures and can be held personally accountable for non-compliance.
Supply Chain Security (NIS2)
NIS2's requirement to assess and manage cybersecurity risks in the supply chain, including IT suppliers and sub-suppliers.
NIS2
The EU directive on network and information security (Directive 2022/2555), setting requirements for cybersecurity risk management, incident reporting and supply chain security.
Resilience (NIS2)
The ability of a critical entity or organisation to prevent, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services.
Risk Management (NIS2)
NIS2's requirement to implement appropriate technical and organisational measures based on an ongoing assessment of cybersecurity risks.
.legal A/S