Essential Entity (NIS2)

Highly regulated companies under Annex I NIS2 / Section 28 BSIG

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

An essential entity pursuant to Article 3 NIS2 Directive or Section 28 BSIG is a large enterprise (>=250 employees or >=EUR 50 million annual turnover) in one of the 11 high-criticality sectors under Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Such entities are subject to stricter obligations and sanctions.

What is an Essential Entity (NIS2)?

Three categories under NIS2 (implemented in Section 28 BSIG):

| Category | Size | Sectors | Maximum Sanctions |
|---|---|---|---|
| Essential | >=250 employees / >=EUR 50 million | 11 Annex I sectors | EUR 10 million / 2% of turnover |
| Important | 50-249 employees / EUR 10-50 million | 18 sectors (Annex I + II) | EUR 7 million / 1.4% of turnover |
| Particularly important (KRITIS) | irrespective of size | KRITIS thresholds | Additional obligations under BSIG |

Certain sectors qualify entities as essential irrespective of size: .de TLD, DNS providers, trust service providers, public administration with critical functions.

Practical example

Typical essential entities:

- Municipal utilities (energy + water)
- University hospital (health, >=250 employees)
- Major banks + cooperative banks (banking, >=250 employees)
- Large logistics group (transport, >=250 employees)
- Cloud provider (digital infrastructure)

Frequently asked questions

How do I distinguish essential from important entities?
Essential: >=250 employees in 11 high-criticality sectors. Important: 50-249 employees in 18 sectors. The sanction ceilings differ (EUR 10 million vs. EUR 7 million).
Are subsidiaries to be classified separately?
Group consolidation applies (Section 28(4) BSIG). Employee and turnover thresholds can be met on a group-wide basis, so smaller subsidiaries can also become obligated.
What are the additional obligations compared to important entities?
Essential entities: priority supervision by the BSI, shorter reaction periods, higher fines, and personal liability of managing directors becomes relevant sooner.
