One of the most common questions around NIS2 is also one of the most poorly framed: “Does it apply to us?” The mistake is to look for a single trigger, such as headcount, sector label or a vague idea of being “critical”. In reality, the first useful step is to understand the organisation's service, sector, size and operational role.
A good first-pass assessment is not a legal shortcut. It is a way to separate three groups: organisations that are very likely in scope and need immediate action, organisations that need deeper analysis before deciding, and organisations that are mainly affected through customer and supply-chain expectations. That distinction helps leadership prioritise effort and helps IT avoid waiting for perfect legal certainty before addressing obvious evidence and traceability gaps.
This material does not constitute legal advice. It is intended as a practical framework for internal screening and preparation before a formal legal or regulatory assessment.
Who this page is for
This page is particularly relevant for:
- executives and managing directors,
- IT managers and infrastructure leads,
- compliance, risk and security roles,
- external administrators and MSPs helping clients with first-pass screening,
- organisations that suspect they may be in scope but do not yet have a clear view.
What you will take away
After reading, you should have a clearer view of:
- why NIS2 scope cannot be determined by one signal alone,
- how direct regulatory scope differs from customer and supply-chain pressure,
- what a useful internal first-pass assessment should cover,
- why logging and evidence gaps matter before legal certainty is complete.
Why many organisations ask the wrong question
The common question is “are we a critical entity or not?” That is often too simplistic to be useful. Better questions are:
- what service do we actually provide,
- does that service fall within a regulated sector,
- are we above the relevant size thresholds,
- are we part of a wider group that changes the assessment,
- do regulated customers depend on us in a way that creates practical pressure even if we are not directly in scope.
General interest in NIS2 versus direct regulatory impact
There is a major difference between having an interest in NIS2 and being directly affected by it. Many organisations should care about the directive because customers, insurers or partners now care about traceability and cyber resilience. That does not automatically mean the full regulatory regime applies. But the opposite mistake is just as dangerous: assuming the organisation is too small or too ordinary to matter.
Typical sectors and organisation types
At EU level, NIS2 covers organisations in sectors considered important for the economy, society or essential services. Typical categories include:
- energy,
- transport,
- healthcare,
- digital infrastructure,
- public administration,
- certain digital services,
- wastewater and waste management,
- selected manufacturing and other strategically relevant sectors.
That does not mean every organisation in one of these sectors is automatically in scope in the same way. The relevant question is not only the label attached to the sector, but the nature of the service and the role the organisation plays.
Size matters, but it is not the whole answer
NIS2 commonly captures medium-sized and larger organisations, but size is only one part of the picture. For a first-pass internal review, verify:
- number of employees,
- turnover or balance sheet figures,
- whether the organisation belongs to a wider group,
- whether the service itself is one of the regulated categories,
- whether the organisation has a special operational role that may justify different treatment.
The size test is therefore a filter, not a complete decision.
Why the combination of factors matters
A large share of internal misunderstandings comes from relying on one argument that appears to settle the issue:
- “we are too small”,
- “we are only a supplier”,
- “we are not a public body”,
- “we only provide IT support”,
- “our local entity is small”.
In practice, a meaningful review usually needs to consider:
- sector,
- nature of the service,
- size,
- group structure,
- operational significance,
- customer dependency,
- national implementation details.
That is why a first-pass review should prepare facts and assumptions rather than attempt to deliver a categorical legal conclusion.
Common misconceptions
“We are a small business, so it cannot apply”
Many medium-sized organisations are within scope, and organisations sometimes overlook group-level figures that change the outcome.
“We are only a subcontractor”
That may still leave you outside direct scope, but it does not remove pressure from regulated customers. If you support critical operations, customers will increasingly expect stronger evidence, better incident handling and clearer audit trails.
“Only the sector matters”
Sector is important, but the actual service matters just as much. Two organisations in the same broad sector may be treated differently because the relevance and scale of their services differ.
“If we are not sure, we can wait”
Delay is rarely a strong strategy. Even if the organisation turns out not to be directly in scope, many of the same practical expectations around logging, traceability and evidence will still surface through customer requirements or incident handling.
How to perform an internal first-pass assessment
The purpose of a first-pass assessment is not to replace legal review. It is to organise facts and identify whether the organisation should escalate the issue quickly.
1. Define the service in operational terms
Describe what the organisation actually provides, who depends on it and what would happen if it were unavailable or compromised.
2. Map the service to a sector
Use an operational classification, not just website language or a generic business description.
3. Verify size and group structure
Check:
- employee count,
- turnover,
- balance sheet figures,
- parent and sister entities,
- any aggregation rules that may apply.
4. Assess dependency relationships
Identify whether regulated customers rely on your systems, support, connectivity, identity services or operational continuity.
5. Identify critical systems and evidence gaps
If the organisation is likely in scope, what systems would need to support audit, traceability and incident analysis? Which identities, servers, network controls and cloud services are central? What evidence exists today, and what only exists locally on the source systems?
That naturally connects to Which logs you need for audit.
What to prepare before asking for formal advice
If you want a productive next step, assemble the following:
- a short description of the services you provide,
- basic information on customers and dependencies,
- employee and revenue or balance-sheet figures,
- group structure information,
- a list of critical systems and platforms,
- a rough view of existing logging and retention,
- any evidence that regulated customers already ask for cyber assurances.
The logging point is often underestimated. Once there is a serious possibility that the organisation is in scope, the next operational question is usually simple: what can we actually prove today? If the answer is “our logs are scattered across devices and servers”, the organisation is starting from a weak evidence position.
Why management responsibility belongs in the same conversation
Scope assessment is not just an analytical exercise for legal or compliance teams. It is also an executive decision about urgency, ownership and budget. That is why the internal screening should quickly connect to questions such as:
- who owns the issue at leadership level,
- who prepares the next phase,
- how quickly the organisation needs a minimum evidence baseline,
- what operational gaps are already obvious.
That conversation is developed further in NIS2 for company leadership.
Why official calculators and official guidance matter
An internal review is useful, but it should be checked against official guidance wherever possible. In the Czech context, that means using NÚKIB's official materials, including:
- the official calculator for first-pass orientation,
- implementation guidance and supporting materials,
- the regulator's information on the new Cybersecurity Act and follow-on obligations.
For organisations in other countries, the same principle applies: use the national regulator's official scope guidance and not just generic commentary. National transposition details matter.
Practical next steps
If your organisation is unsure, a sensible path is:
- complete a short internal first-pass review based on service, sector, size and group structure,
- identify critical systems, identities and the current state of logging,
- compare your assumptions against official guidance or an official calculator,
- escalate the topic to leadership if direct scope is plausible or customer pressure is already visible,
- begin improving the minimum evidence baseline even before a final legal conclusion is delivered.
This approach avoids two common failures: overreacting without facts and waiting too long for certainty.
FAQ
We are a supplier to a regulated organisation. Does that automatically put us in scope?
No. But it often means your customers will expect stronger cyber controls, evidence and incident readiness from you.
Is headcount enough to determine scope?
No. Size matters, but so do sector, service, group structure and the national implementation rules that apply.
Should we think about logging this early?
Yes. If there is a realistic chance the organisation is in scope, or if regulated customers are already asking for stronger controls, logging and evidence become immediate practical issues.
Does this first-pass assessment replace legal advice?
No. It is designed to organise facts, reduce confusion and prepare the organisation for a more formal decision.
Internal links
- Back to the NIS2 overview
- Different NIS2 obligation levels
- NIS2 for company leadership
- Which logs you need for audit
Next step
- Download the checklist for an internal first-pass NIS2 scope review.
- Get a readiness assessment focused on scope, evidence and minimum logging maturity.
- Request an initial consultation on how to move from uncertainty to a defensible next phase.