The Subsidiary Trap: Why Your Company May Be in NIS2 Scope Without Knowing It
NIS2 scope explained from the ground up: the two filters of sector and size, the EU SME definition, the Article 6 consolidation method for linked (>50%) and partner (25–50%) enterprises, seven worked scenarios, and the essential-versus-important distinction — how to determine correctly whether the directive applies to your organisation.
Published on May 24, 2026
CORE THESIS Whether NIS2 applies to your organisation is not decided by your own headcount and revenue, but by the consolidated size of the economic unit you belong to. Under the EU SME definition, linked enterprises count at 100% and partner enterprises pro rata — which is why a forty-person company can sit squarely within scope without making a single additional hire.
Compliance officers across Europe are repeating a sentence that often turns out to be wrong: “We only have forty people at headquarters, so NIS2 doesn’t apply to us.”
The assumption is understandable. The headline numbers for the EU’s Network and Information Security Directive (Directive (EU) 2022/2555, “NIS2”)[1] sound large: medium and large enterprises, fifty employees, ten million euros. A company that counts its own staff, looks at its own revenue, and lands below those lines concludes it is safe.
Often it is not, and the reason has little to do with how many people work at headquarters. It has to do with who owns the company, what the company owns, and how the directive tells you to count. ENISA, the EU cybersecurity agency, estimates that NIS2 brings roughly 160,000 organisations into scope — close to ten times the number under the previous directive — and its work points to a large share of newly in-scope organisations that did not yet know they were covered.[2]
This article looks at how to close that gap. It starts before the obligations, the controls, and the reporting deadlines, because none of those matter until you have answered one question correctly: are we in scope at all?
Two filters, and the one almost everyone underestimates
NIS2 scope rests on two filters, applied in order.
The first is sector. The directive lists eighteen sectors across two annexes: eleven “sectors of high criticality” in Annex I (energy, transport, banking, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space, and others) and seven “other critical sectors” in Annex II (postal services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research).[3] If none of your activities map to a listed sector, you are out. But the trap is already taking shape: a manufacturer with its own software arm, a logistics firm running a data centre, or an industrial group with an in-house telecommunications function can touch several sectors at once. NIS2 looks at what a company does, not at how it describes itself.
The second filter is size, and this is where most of the costly errors happen. The directive does not write its own size test; it refers to the EU’s standard definition of small and medium-sized enterprises in Commission Recommendation 2003/361/EC.[4] In practice, an organisation generally enters scope once it qualifies as at least a medium-sized enterprise under that Recommendation: as a rule of thumb, 50 or more employees, or annual turnover or balance sheet total above €10 million. Below that line (fewer than 50 staff and €10 million or less) a company is small or micro, and generally excluded.
A higher tier matters later for classification rather than scope: a large enterprise has 250 or more employees, or turnover above €50 million together with a balance sheet total above €43 million. That upper line feeds into essential-versus-important status — although the actual classification also depends on sector-specific provisions and national transposition, not on size alone.[5]
NOTE ON THE THRESHOLDS The EU SME methodology applies the headcount ceiling alongside the financial ceilings, and most regulatory guidance treats the €10 million line as crossed by either turnover or balance sheet. National transpositions still differ in how strictly they weight these. For any organisation near the line, the safer approach is the conservative one: assume the lower bar and calculate accordingly. Guessing optimistically is not a defence.
This is where the size filter hides its real catch. You do not get to count yourself alone.
How the directive actually tells you to count
Recommendation 2003/361/EC — the text NIS2 points to — does not ask for your standalone headcount and revenue. It asks for a consolidated figure that includes the companies you are connected to. Article 6 of the Annex sets out the mechanics. Your own data count at 100%. Linked enterprises — where one company controls another, typically through a majority (more than 50%) of capital or voting rights — are added at 100%, and the chain extends, so linked enterprises of your linked enterprises count too. Partner enterprises — holdings between 25% and 50% — are added pro rata, in proportion to the stake, while partners of your partners are not counted. Holdings below 25% are generally treated as independent investment and left out.[6]
At a glance, the group-counting rule looks like this:
| Ownership / voting rights | Relationship type | Counted toward your size |
|---|---|---|
| Your own entity | — | 100% |
| More than 50% | Linked enterprise | 100% (full headcount and financials) |
| 25%–50% | Partner enterprise | Pro rata (in proportion to the stake) |
| Below 25% | Independent investment | Generally excluded |

Figure 1. Group consolidation under the EU SME definition: the entity counts 100% of itself, 100% of any linked enterprise (>50% ownership), the pro-rata share of a partner enterprise (25–50%), and excludes holdings below 25%.
Put simply: a majority owner brings its entire weight onto your count, and a significant minority partner brings a slice of it. The company you think of as “just us” is, for the directive’s purposes, part of a larger economic unit.[7]
The scenarios below show how the same forty-person company can reach very different answers depending on its structure.
Scenario 1: Standalone, on headcount
A regional energy services firm employs 90 people and earns €8 million in revenue. No parent, no significant shareholdings either way. It clears the 50-employee line on its own, so it is in scope. This is the straightforward case, and the only one most companies actually check.
Scenario 2: Standalone, on the financial threshold
A specialised cloud-services provider has just 45 employees but €12 million in annual turnover. Counting heads, it looks small. But the financial threshold is independent: cross €10 million in turnover or balance sheet and you are medium-sized regardless of payroll. That puts it in scope — and because cloud-computing service providers are listed in Annex I, potentially as an essential entity. The lesson: a lean, high-revenue business cannot hide behind a small org chart.
Scenario 3: The linked subsidiary
This is the one that catches people. A manufacturing subsidiary has 30 employees and €6 million in revenue, comfortably small on its own. But its parent owns 70% and employs 480 people with €140 million in turnover. A majority holding makes the two companies linked, so the subsidiary must add 100% of the parent’s figures: roughly 510 employees and €146 million on a consolidated basis. The 30-person subsidiary is not only in scope, it sits in large-enterprise territory. This pattern regularly surprises mid-sized subsidiaries that see themselves as independent small companies. They are independent on the org chart, but not in the arithmetic.
Scenario 4: The minority partner
A 40-employee firm with €8 million in revenue would be out of scope on its own. But an investor holds a 40% stake, and that partner is a 200-person company with €60 million in turnover. Partner data is added pro rata, so 40% of the partner flows in: +80 employees and +€24 million. The consolidated picture — roughly 120 employees and €32 million — sits well past the threshold. A minority shareholding you treat as purely financial can pull you into a regulatory regime.
Scenario 5: The mixed chain
Real corporate structures are rarely clean. Take a 20-employee entity with €4 million in revenue that has two relationships: a wholly-owned sister company (25 employees, €5 million, added at 100% as linked) and a 30% stake held by a larger firm (100 employees, €30 million, added pro rata). Adding them gives roughly 75 employees and €18 million consolidated. Each piece looked harmless on its own, but together they cross €10 million and trigger scope. The mixed chain is dangerous precisely because no single relationship looks decisive until you do the full calculation.
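The consolidation rule above and Scenarios 3 to 5 as a small Python calculator, added here as an example and not code from the article or any of its sources: it walks an ownership graph, adds linked enterprises at 100% along the whole chain and partners pro rata, and classifies the consolidated figures against the thresholds the article gives. It goes slightly beyond the article’s summary in also adding, as Article 6(3) of the Recommendation directs, the partners of linked enterprises pro rata and a partner’s own linked enterprises at 100%; the class and function names are my own, balance-sheet figures (which the scenarios do not give) are assumed to be zero, and the threshold reading is the conservative one from the note above.

```python
from dataclasses import dataclass, field

# Size thresholds as the article summarises Recommendation 2003/361/EC
# (headcount; turnover and balance sheet in EUR million).
MEDIUM_STAFF, MEDIUM_FIN = 50, 10.0
LARGE_STAFF, LARGE_TURNOVER, LARGE_BALANCE = 250, 50.0, 43.0

@dataclass(eq=False)  # identity-based equality keeps cyclic ownership graphs safe
class Enterprise:
    name: str
    staff: float
    turnover: float       # EUR million
    balance: float = 0.0  # EUR million; the scenarios give none, so 0 is assumed
    relations: list = field(default_factory=list)  # (other enterprise, share held)

def relate(a, b, share):
    """Record a holding of `share` (0..1) between a and b; up- or downstream alike."""
    a.relations.append((b, share))
    b.relations.append((a, share))

def linked_chain(start, seen):
    """Every enterprise reachable from `start` through >50% holdings, minus `seen`."""
    chain, stack = [], [start]
    while stack:
        for other, share in stack.pop().relations:
            if share > 0.5 and other not in seen and other not in chain:
                chain.append(other)
                stack.append(other)
    return chain

def consolidate(entity):
    """Article 6 totals (staff, turnover, balance) for the economic unit of `entity`:
    own data 100%; linked enterprises 100% along the whole chain; partners pro rata,
    including partners of linked members and 100% of a partner's own linked
    enterprises. Partners of partners are never reached."""
    totals = [entity.staff, entity.turnover, entity.balance]
    seen = {entity}

    def add(e, weight):
        seen.add(e)  # each enterprise is counted once, whichever path reached it
        totals[0] += weight * e.staff
        totals[1] += weight * e.turnover
        totals[2] += weight * e.balance

    group = [entity] + linked_chain(entity, seen)
    for e in group[1:]:
        add(e, 1.0)
    for member in group:
        for partner, share in member.relations:
            if 0.25 <= share <= 0.5 and partner not in seen:
                add(partner, share)
                for e in linked_chain(partner, seen):
                    add(e, share)
    return tuple(round(t, 2) for t in totals)

def size_class(staff, turnover, balance):
    """Conservative reading used in the article: either financial figure above EUR 10m
    makes the unit medium-sized; large needs 250 staff or both large ceilings."""
    if staff >= LARGE_STAFF or (turnover > LARGE_TURNOVER and balance > LARGE_BALANCE):
        return "large"
    if staff >= MEDIUM_STAFF or turnover > MEDIUM_FIN or balance > MEDIUM_FIN:
        return "medium"
    return "small or micro"
```

Scenario 5 is reproduced by creating the 20-person target (€4m), relating it to the wholly owned sister (25 staff, €5m) with share 1.0 and to the 30% holder (100 staff, €30m) with share 0.30, after which consolidate(target) returns (75.0, 18.0, 0.0) and size_class reports "medium".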
Scenario 6: The overlooked in-house IT entity
Many groups concentrate IT in a single small subsidiary that serves the others. It often has modest headcount and revenue, which is exactly why it gets overlooked. But if it provides services in a covered sector, such as ICT service management,[8] and the group’s consolidated figures carry it over the threshold, that internal service company can become regulated in its own right. Some groups have responded by restructuring IT into a ring-fenced entity to limit scope. Whether that works depends heavily on national independence exemptions, so it should be a deliberate decision rather than an accident.
Scenario 7: Size does not matter at all
Some entities are in scope regardless of how small they are: trust service providers, DNS service providers, top-level domain registries, providers of public electronic communications networks, and sole providers of a service essential to society or the economy. A five-person trust service provider is covered. For these organisations the linked-and-partner arithmetic is beside the point; the answer is yes before you start counting.
What the regulators have not settled
This is not fully settled law, and two uncertainties deserve a board’s attention. The first concerns national independence exemptions. Member states may create exemptions where a group-wide view would be disproportionate — for example where a subsidiary is genuinely independent of its parent. National transpositions diverge here: some appear more receptive to relief for genuinely independent subsidiaries, while others apply the group consolidation more strictly. The same corporate structure can therefore produce different answers in different EU countries, and groups operating across borders have to assess each entity against its local rules.[9][10] The second concerns intra-group IT services. Whether a parent’s IT support to its subsidiaries counts as “negligible” or material is read differently across jurisdictions. This is not a minor technicality; it has real consequences for how a group structures itself.[11]
Both uncertainties point in the same direction: when you are near a line, calculate broadly, document your reasoning, and treat ambiguity as a reason to prepare rather than to relax. The consolidation rule is settled in principle but unsettled at the edges — and the edges are exactly where group structures tend to sit.
Why the answer matters
Scope is not a yes/no curiosity; the category you land in sets the regime you operate under. Organisations classified as essential — broadly the larger entities in the high-criticality Annex I sectors — face proactive supervision, tighter incident-reporting timelines, and penalties of up to €10 million or 2% of global annual turnover.[12] Organisations classified as important face reactive supervision and penalties up to €7 million or 1.4% of turnover.[13] Authorities can move an important entity up to essential status where its role or risk warrants it. And failing to identify yourself does not get you off the hook: competent authorities can designate entities that should have known they were in scope.
This is why “are we in scope?” is not an IT question to push down the organisation. It is a governance question. The arithmetic of linked and partner enterprises is, in the end, a question about the shape of your corporate group — and that belongs in the boardroom.
What to actually do
None of this requires a large project. In most cases it is a focused piece of analysis. First, map your activities to the sectors, being honest about secondary functions: the software arm, the logistics operation, the internal IT company. Then draw your real ownership graph, identifying every linked enterprise (>50%) and every partner (25–50%), both upward and downward. Consolidate the figures as the Recommendation requires — 100% for linked enterprises, pro rata for partners — and compare against the thresholds. Classify as essential or important, and check the size-independent categories. Finally, document the determination: a defensible record of how you reached “in” or “out” is itself part of compliance.
Most organisations can finish this assessment quickly once they stop counting only themselves. The ones that get caught out are rarely those that did the analysis and disagreed at the margins. They are the ones that never ran it, because the headline numbers felt safe.
Determining scope is only the starting point. Once the answer is yes, the harder questions follow: the risk-management measures NIS2 requires, the incident-reporting timelines, and the personal accountability it places on an organisation’s management body. Those are the subject of a follow-up.
SUMMARY FOR DECISION-MAKERS Whether NIS2 applies is not answered by your standalone headcount. Map your activities to the eighteen listed sectors; draw the full ownership graph upward and downward; consolidate at 100% for linked enterprises (>50%) and pro rata for partners (25–50%); compare the consolidated figures against the medium-enterprise threshold (50 employees, or €10 million turnover or balance sheet); then classify as essential or important and check the size-independent categories. Document the determination — a defensible record of how you reached “in” or “out” is itself part of compliance. The organisations that get caught out are not those that ran the calculation and disagreed at the margins, but those that never ran it because the headline numbers felt safe.
Glossary of abbreviations
All abbreviations are spelled out in the text on first use. The following overview is provided for quick orientation.
| Abbreviation | Meaning |
|---|---|
| Annex I | Sectors of high criticality (Directive (EU) 2022/2555) |
| Annex II | Other critical sectors (Directive (EU) 2022/2555) |
| DNS | Domain Name System |
| ENISA | European Union Agency for Cybersecurity |
| EU | European Union |
| ICT | Information and Communication Technology |
| NIS2 | Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union |
| RDG | Rechtsdienstleistungsgesetz (German Legal Services Act) |
| SME | Small and medium-sized enterprise (Commission Recommendation 2003/361/EC) |
| TLD | Top-Level Domain |
Bibliography
Sources are organised below by category. Full citations including access dates are provided in the footnotes. Primary sources (directives and official EU documents) are listed separately.
Primary sources: directives and official EU documents
Directive (EU) 2022/2555 (NIS2): Measures for a high common level of cybersecurity across the Union — Article 2 and Annexes I–II https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
Commission Recommendation 2003/361/EC: EU definition of micro, small and medium-sized enterprises; Article 6 consolidation method https://eur-lex.europa.eu/eli/reco/2003/361/oj/eng
European Commission: SME Definition — User Guide, with worked examples for partner and linked enterprises https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en
Commission Implementing Regulation (EU) 2024/2690: Technical and methodological requirements for digital-infrastructure and ICT entities https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
Official guidance
ENISA: NIS Investments 2024 https://www.enisa.europa.eu/publications/nis-investments-2024
ENISA: NIS360 2024 https://www.enisa.europa.eu/publications/enisa-nis360-2024
ILR Luxembourg: NIS2 — scope and field of application https://www.ilr.lu/en/sectors/niss/nis-2/scope-and-field-of-application/
European Commission: NIS2 Directive — frequently asked questions https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
Practitioner analysis
Arthur Cox: NIS2 and the SME guidelines — how do they apply, and the thresholds https://www.arthurcox.com/knowledge/nis2-sme-guidelines-how-do-they-apply-and-thresholds/
Hogan Lovells: The EU NIS2 Directive and intra-group IT services https://www.hoganlovells.com/en/publications/the-eu-nis2-directive-and-intragroup-it-services
Eversheds Sutherland: Application and classification under NIS2 — linked and partner enterprises https://www.eversheds-sutherland.com/en/global/insights/application-and-classification-under-nis-2-exploring-linked-and-partner-enterprises
ICLG: EU cybersecurity regulatory landscape — a deep dive into the NIS2 Directive https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/03-eu-cybersecurity-regulatory-landscape-a-deep-dive-into-the-nis2-directive
German transposition
OpenKRITIS: Entities and enterprise size under NIS2 (NIS2UmsuCG / BSIG) https://www.openkritis.de/it-sicherheitsgesetz/einrichtungen-unternehmensgroesse-nis2.html
Legal notice: This article serves general information purposes and does not constitute legal advice within the meaning of the German Legal Services Act (Rechtsdienstleistungsgesetz, RDG). A binding determination of NIS2 scope for a specific organisation should be made on its individual circumstances, where appropriate with qualified legal counsel. As of: May 2026.
Footnotes
1. Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2). Available at: https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng (accessed May 2026).
2. ENISA, NIS Investments 2024. Available at: https://www.enisa.europa.eu/publications/nis-investments-2024 (accessed May 2026).
3. ENISA, NIS360 2024. Available at: https://www.enisa.europa.eu/publications/enisa-nis360-2024 (accessed May 2026).
4. Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Available at: https://eur-lex.europa.eu/eli/reco/2003/361/oj/eng (accessed May 2026).
5. Arthur Cox, NIS2 and the SME guidelines: how do they apply, and the thresholds. Available at: https://www.arthurcox.com/knowledge/nis2-sme-guidelines-how-do-they-apply-and-thresholds/ (accessed May 2026).
6. European Commission, SME Definition — User Guide (worked examples for partner and linked enterprises). Available at: https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en (accessed May 2026).
7. Eversheds Sutherland, Application and classification under NIS2: linked and partner enterprises. Available at: https://www.eversheds-sutherland.com/en/global/insights/application-and-classification-under-nis-2-exploring-linked-and-partner-enterprises (accessed May 2026).
8. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down technical and methodological requirements for digital-infrastructure and ICT service-management entities. Available at: https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj (accessed May 2026).
9. ILR Luxembourg, NIS2 — scope and field of application. Available at: https://www.ilr.lu/en/sectors/niss/nis-2/scope-and-field-of-application/ (accessed May 2026).
10. OpenKRITIS, Entities and enterprise size under NIS2 (NIS2UmsuCG / BSIG). Available at: https://www.openkritis.de/it-sicherheitsgesetz/einrichtungen-unternehmensgroesse-nis2.html (accessed May 2026).
11. Hogan Lovells, The EU NIS2 Directive and intra-group IT services. Available at: https://www.hoganlovells.com/en/publications/the-eu-nis2-directive-and-intragroup-it-services (accessed May 2026).
12. European Commission, Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) — frequently asked questions. Available at: https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs (accessed May 2026).
13. ICLG, EU cybersecurity regulatory landscape: a deep dive into the NIS2 Directive. Available at: https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/03-eu-cybersecurity-regulatory-landscape-a-deep-dive-into-the-nis2-directive (accessed May 2026).