Important Entity (NIS2)

Mid-sized companies in 18 NIS2 sectors — obligations apply from 06 December 2025

· Category: NIS2 · Compliance-Kit
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

An important entity within the meaning of Article 3 NIS2 Directive / Section 28 BSIG is a medium-sized undertaking (50-249 employees, EUR 10-50 million annual turnover) in one of the 18 NIS2 sectors (Annex I + II) that does not qualify as an essential entity. Important entities are subject to the same risk-management obligations under Section 30 BSIG, but to lower sanctions.

What is an important entity (NIS2)?

Three categories under NIS2/BSIG:

Important entities must comply with all Section 30 BSIG obligations, but are supervised less strictly than essential entities on a risk-based approach.

Practical example

Typical important entities: - Mid-sized mechanical engineering companies (50-249 employees, manufacturing sector) - Regional banks / Volksbanken (banking) - IT service providers (digital infrastructure sector) - Regional logistics companies (transport) - Mid-sized clinics (health)

Frequently asked questions

How do I distinguish important from essential?
Size plus sector: 250 or more employees in 11 high-criticality sectors = essential; 50-249 employees in 18 sectors = important.
Do 'important' entities have fewer obligations?
The obligations are identical (Section 30 BSIG applies to all). The differences: lower maximum sanctions and lower supervisory priority by the BSI.
How is the employee headcount calculated?
On a group-wide basis under Section 28 (4) BSIG. Consequence: many subsidiary GmbHs qualify as 'important entities' even where they individually have fewer than 50 employees.

See also