This free, open-source self-assessment answers one question: does your company fall under NIS2 — and if so, as which type of entity? No sign-up, no data leaving your browser.
DirectiveØ
Check in under 2 minutes whether your company falls under Germany's NIS2 implementation act — as an essential or important entity, or indirectly through the supply chain.
Basis: NIS2UmsuCG / §28 BSIG, in force since 06 Dec 2025 · no registration, no email required
Step 1 / 3 — Special cases
Does one of these cases apply?
For these entities, NIS2 applies regardless of company size.
Step 2 / 3 — Sector
Which sector does your company operate in?
The activity matters, not the marketing industry label. Choose the closest sector.
Annex 1 — high-criticality sectors
Annex 2 — other critical sectors
Step 3 / 3 — Company size
How large is your company?
Use the last completed financial year, including partner and linked enterprises.
Employees
Annual turnover
Balance sheet total
Additional question — supply chain
Do you supply NIS2-regulated companies?
Even companies outside direct scope can be required to provide security evidence through contract clauses and security questionnaires (§30(1) supply-chain security).
This result is a self-assessment based on your inputs — not legal advice and not a certificate. The decisive source is the BSIG as amended by the NIS2UmsuCG, especially §28 and Annexes 1 and 2.
Classification under §28 BSIG (NIS2 Implementation Act). Sectors: Annexes 1 and 2 to the BSIG. Thresholds: important entity from 50 employees or over €10m turnover; essential entity from 250 employees or over €50m turnover and €43m balance-sheet total.
FAQ
What's the difference between an important and an essential entity?
Both have the same core duties. Essential entities are subject to proactive, regular BSI supervision; important entities are only reviewed when there's cause.
Is NIS2 the same as KRITIS?
No. KRITIS operators are a subset of essential entities with extra duties; NIS2 is much broader.
Am I affected as a supplier?
Possibly indirectly: if a NIS2-regulated customer requires evidence by contract, you have to provide it even without a direct duty of your own.