
NIS2 & CER Glossary

All essential terms from the NIS2 and CER Directives, with article references and plain-language definitions for compliance teams and IT managers.

A

Article 21 Security Measures [Art. 21]
The 10 mandatory cybersecurity risk management measures all in-scope entities must implement: (1) risk analysis and information system security policies; (2) incident handling; (3) business continuity and backup; (4) supply chain security; (5) network and information system security; (6) policies and procedures for assessing security measure effectiveness; (7) cybersecurity training and hygiene; (8) cryptography and encryption; (9) human resources security and access control; (10) multi-factor authentication.
Annex I Sectors (NIS2) [Annex I]
The 11 high-criticality sectors whose operators qualify as Essential Entities under NIS2 (subject to size thresholds): (1) Energy (electricity, gas, oil, hydrogen, district heating/cooling); (2) Transport (air, rail, water, road); (3) Banking; (4) Financial market infrastructure; (5) Health; (6) Drinking water; (7) Wastewater; (8) Digital infrastructure (IXPs, DNS, TLDs, cloud, data centres, CDNs, trust services, telecom); (9) ICT service management (MSPs, MSSPs); (10) Public administration; (11) Space.
Annex II Sectors (NIS2) [Annex II]
The 7 other critical sectors whose operators qualify as Important Entities under NIS2: (1) Postal and courier services; (2) Waste management; (3) Manufacture, production, and distribution of chemicals; (4) Production, processing, and distribution of food; (5) Manufacturing (medical devices, computers, machinery, motor vehicles, other transport equipment); (6) Digital providers (online marketplaces, online search engines, social networking platforms); (7) Research organisations.

B

Business Continuity [Art. 21(2)(c)]
Mandatory under NIS2 Article 21(2)(c). Entities must implement business continuity management, including backup procedures, disaster recovery plans, and crisis management, to ensure service availability during and after a significant incident. For Essential Entities, regulators may inspect BCM plans during audits. The NIS2 threshold for activation is typically any incident that causes or could cause significant operational disruption.

C

CSIRT
Computer Security Incident Response Team. Under NIS2, each EU member state must designate one or more CSIRTs as the recipient of mandatory incident notifications. CSIRTs analyse threats, coordinate incident response, and share intelligence across borders via the EU's CSIRTs Network. Examples include CERT.be (Belgium), CERT.pl (Poland), and BSI (Germany).
Competent Authority [Art. 8]
The national body designated by each EU member state to oversee NIS2 compliance within specific sectors. Competent authorities have powers to conduct audits, request information, issue binding instructions, impose administrative fines, and, for Essential Entities, conduct proactive supervisory actions. Some countries use a single authority (e.g., CCB in Belgium); others use sector-specific regulators (e.g., Netherlands, Sweden).
CER Directive
The EU Directive on the Resilience of Critical Entities (2022/2557). CER is the 'physical twin' of NIS2: while NIS2 addresses cybersecurity, CER addresses physical resilience (natural disasters, terrorist attacks, insider threats, public health emergencies). CER applies to 11 sectors and requires national risk assessments, entity identification, resilience plans, background checks on staff, and incident reporting to national authorities.

E

Essential Entity (EE) [Art. 3(1)]
The higher-risk tier under NIS2. Essential Entities are subject to proactive ('ex-ante') supervision by competent authorities, including regular audits, on-site inspections, and targeted security scans. Fines can reach €10 million or 2% of global annual turnover. EEs include operators in Annex I sectors (energy, transport, water, banking, financial market infrastructure, health, digital infrastructure, ICT managed services, public administration, and space).
ENISA
The European Union Agency for Cybersecurity. ENISA supports NIS2 implementation by developing guidelines, producing the NIS360 country assessment report, supporting EU-level threat intelligence through CERT-EU, and facilitating the EU-CyCLONe crisis coordination network. ENISA does not directly supervise entities; that remains a member state responsibility.
Early Warning (24-hour notification) [Art. 23(4)(a)]
The first mandatory incident notification stage under NIS2. Within 24 hours of becoming aware of a significant incident, entities must notify their CSIRT (or competent authority). The early warning must state: whether the incident is suspected to be caused by unlawful or malicious acts, whether it has cross-border impact, and a preliminary assessment of the incident type and severity.
EU-CyCLONe [Art. 16]
The Cyber Crisis Liaison Organisation Network. Established under NIS2 Article 16, EU-CyCLONe brings together national cyber crisis management authorities to coordinate large-scale cross-border cybersecurity incidents and crises. It operates alongside the CSIRT Network and ENISA to form the EU's three-layer incident response architecture.

I

Important Entity (IE) [Art. 3(2)]
The lower-risk tier under NIS2. Important Entities are subject to reactive ('ex-post') supervision: competent authorities act only when there is evidence of non-compliance. Fines can reach €7 million or 1.4% of global annual turnover. IEs include operators in Annex II sectors (postal services, waste management, chemicals, food, manufacturing, digital services, and research).
Implementing Regulation 2024/2690
Commission Implementing Regulation (EU) 2024/2690, adopted October 2024. This regulation provides mandatory technical and methodological requirements for Article 21 security measures for certain entities in digital infrastructure and digital service sectors. It is directly applicable (no national transposition needed) and represents the most detailed prescriptive standard under NIS2.

M

Management Body [Art. 20]
Under NIS2 Article 20, the management body of an in-scope entity (the board of directors, executive committee, or equivalent) must approve cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training. Management body members can be held personally liable for infringements. This is one of the most significant governance changes NIS2 introduces compared to its predecessor.
Multi-Factor Authentication (MFA) [Art. 21(2)(j)]
Mandatory under NIS2 Article 21(2)(j) for all in-scope entities. MFA requires users to verify their identity using at least two independent factors: something you know (password), something you have (hardware token, smartphone app), or something you are (biometric). NIS2 specifically mandates MFA for remote access to network and information systems, privileged accounts, and customer-facing authentication where applicable.

N

NIS2 Size Thresholds [Art. 2]
NIS2 applies to medium and large enterprises. A medium enterprise has 50–249 employees AND annual turnover of €10–50 million (or balance sheet of €10–43 million). A large enterprise has 250+ employees OR annual turnover exceeding €50 million. Micro (< 10 employees, < €2M) and small enterprises (< 50 employees, < €10M) are generally out of scope, with exceptions for certain digital infrastructure types, TLD registries, and public administrations.

P

Peer Review [Art. 19]
Under NIS2 Article 19, member states participate in peer reviews of each other's cybersecurity frameworks. These reviews are coordinated by ENISA and examine the effectiveness of national NIS2 implementation, including supervisory practices, incident response capabilities, and the technical security level of in-scope entities. Findings are published but participation is voluntary.

S

Significant Incident [Art. 23]
An incident that must be reported under NIS2 Article 23. An incident is significant if it: (a) has caused or is capable of causing severe operational disruption or financial loss to the entity; or (b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The European Commission's implementing regulation (EU 2024/2690) provides sector-specific thresholds.
Supply Chain Security [Art. 21(2)(d)]
One of the 10 mandatory Article 21 measures. Entities must assess and manage cybersecurity risks arising from their relationships with direct suppliers and service providers. This includes evaluating the overall security practices of suppliers, including their vulnerability disclosure policies and patch management. ENISA's Supply Chain Cyber Security Guidelines (December 2023) provide a framework for implementing this obligation.

V

Vulnerability Disclosure [Art. 12]
NIS2 Article 12 requires each EU member state to establish a coordinated vulnerability disclosure (CVD) policy. Additionally, Article 21(2)(d) on supply chain security implicitly requires entities to consider their suppliers' vulnerability disclosure practices. ENISA maintains the European Vulnerability Database (EUVD) as a complement to the US NVD.