Essential Entity

Under the NIS2 Directive (Directive 2022/2555), essential entities are organisations in sectors of high criticality listed in Annex I. These sectors include energy (electricity, oil, gas, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, and space.

Essential entities are generally large enterprises in these sectors, those with 250 or more employees or annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million. However, certain entities are classified as essential regardless of size, including providers of public electronic communications networks, trust service providers, top-level domain name registries, DNS service providers, and entities identified as critical under the Critical Entities Resilience Directive (CER).

Essential entities face the full weight of NIS2's obligations: they must implement comprehensive cybersecurity risk management measures, comply with incident reporting requirements, and ensure supply chain security. Their management bodies must approve the cybersecurity risk management measures and undergo cybersecurity training.

Crucially, essential entities are subject to an ex-ante supervisory regime, meaning competent authorities can conduct proactive inspections, security audits, and targeted assessments without waiting for an incident to occur. Administrative fines for essential entities can reach up to EUR 10 million or 2% of total annual worldwide turnover, whichever is higher, significantly more severe than the penalties for important entities.