Important Entity
An important entity is an organisation in a NIS2 sector that is subject to cybersecurity requirements but with a lighter supervisory regime than essential entities. Authorities carry out reactive supervision of important entities, meaning that inspections are typically initiated on the basis of an incident or complaint.
What is an important entity?
The NIS2 Directive divides all covered organisations into two categories: essential entities and important entities. Important entities are organisations that operate in sectors listed in Annex II to the directive — sectors that are important to society but assessed as posing a somewhat lower systemic risk than those that confer essential-entity status.
It is important to understand that the designation 'important' does not mean that the requirements are insignificant. Important entities must fulfil the same technical and organisational security requirements as essential entities.
Sectors for important entities
The following sectors are listed in NIS2 Annex II and typically confer important-entity status:
- Postal and courier services
- Waste management
- Chemicals: Manufacture, production and distribution
- Food: Production, processing and distribution
- Manufacturing: Medical devices, electronics, machinery, motor vehicles, etc.
- Digital services: Online marketplaces, online search engines and social networking platforms
- Research
Size threshold: As a general rule, medium-sized and large organisations (50 or more employees or EUR 10 million or more in turnover) in these sectors are important entities. Member States may, however, extend the scope to additional entities based on national risk assessments.
Obligations of important entities
Important entities must implement the same types of security measures as essential entities, including:
- Risk management: Policies for cybersecurity risk management and information security
- Incident reporting: Reporting of significant incidents within the prescribed timeframes
- Supply chain security: Assessment and management of supplier and sub-contractor risks
- Business continuity: Contingency plans and business continuity arrangements
- Technical measures: Encryption, access control, vulnerability management
- Management accountability: Board-level responsibility and mandatory training
Supervision and penalties
The primary practical difference from essential entities concerns the supervisory regime:
- Reactive supervision: Authorities normally initiate supervision only in response to signs of non-compliance, after an incident or on the basis of a complaint.
- Penalty levels: Fines can reach up to EUR 7 million or 1.4% of global annual turnover — compared with EUR 10 million or 2% for essential entities.
Frequently Asked Questions about Important Entity
What is an important entity under NIS2?
An important entity is an organisation in one of NIS2's Annex II sectors, such as postal services, waste management, chemicals, food, manufacturing and digital services. They are subject to NIS2's security requirements with reactive supervisory oversight.
Are the requirements the same for important and essential entities?
The technical and organisational security requirements are the same. The difference lies in the supervisory regime and penalty levels. Important entities are supervised reactively (after an incident or complaint), while essential entities are supervised proactively.
What sectors fall under important entities?
Sectors for important entities include postal and courier services, waste management, chemicals, food, manufacturing, digital services (online marketplaces, search engines, social networks) and research.
What penalties do important entities face?
Important entities may face administrative fines of up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. This is lower than the maximum for essential entities (EUR 10 million or 2%).
Can an organisation in an Annex II sector be classified as essential?
Yes. Member States may designate specific organisations in Annex II sectors as essential entities if a disruption of their services would have a significant impact. Additionally, certain types of entities may be reclassified based on national risk assessments.
Related Terms
Management Accountability (NIS2)
NIS2's requirement that management bodies approve cybersecurity measures and can be held personally accountable for non-compliance.
Supply Chain Security
NIS2's requirement to assess and manage cybersecurity risks in the supply chain, including IT suppliers and sub-suppliers.
NIS2
The EU directive on network and information security (Directive 2022/2555), setting requirements for cybersecurity risk management, incident reporting and supply chain security.
Resilience
The ability of a critical entity or organisation to prevent, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services.
Risk Management (NIS2)
NIS2's requirement to implement appropriate technical and organisational measures based on an ongoing assessment of cybersecurity risks.
.legal A/S