Important Entity
An organisation in sectors covered by the NIS2 Directive (such as postal services, waste management, chemicals, food, manufacturing, digital providers, or research) that must comply with cybersecurity obligations but is subject to lighter, ex-post supervisory oversight.
Full Definition
Under the NIS2 Directive, important entities are organisations operating in the "other critical sectors" listed in Annex II. These sectors include postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing (of medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, and other transport equipment); digital providers (online marketplaces, search engines, social networking platforms); and research organisations.
Important entities are typically medium-sized enterprises in these sectors (those with 50 or more employees, or annual turnover and balance sheet total exceeding EUR 10 million) that do not meet the thresholds for essential entity classification. However, Member States may also designate additional entities as important regardless of size where disruption of the service could have a significant impact.
Important entities must comply with the same substantive cybersecurity risk management measures and incident reporting obligations as essential entities. The distinction lies primarily in the supervisory regime: important entities are subject to ex-post supervision, meaning competent authorities intervene only after receiving evidence of non-compliance (for example, following a reported incident or based on information from other sources).
The penalty regime is also less severe for important entities: administrative fines can reach up to EUR 7 million or 1.4% of total annual worldwide turnover, whichever is higher. Despite the lighter supervisory touch, important entities should not treat compliance as optional; the operational and reputational consequences of a significant cybersecurity incident can far exceed any regulatory fine.