Free tool
Are you in scope for NIS2?
Four questions to find out whether your organisation is an essential entity, an important entity, indirectly affected — or out of scope. No sign-up.
Question 1 of 4
How this simulator decides
Directive (EU) 2022/2555 combines two criteria: the sector — Annex I lists the highly critical sectors (energy, transport, health, banking, digital infrastructure…), Annex II the other critical sectors (chemicals, food, manufacturing, digital providers…) — and the organisation’s size. Broadly, a large organisation (250+ employees or over €50M turnover) in an Annex I sector is an essential entity; a mid-sized organisation (from 50 employees or €10M) in Annex I, or any medium-plus organisation in Annex II, is an important entity. The simulator applies that logic, then adds the indirect case: regulated entities must secure their supply chain, which cascades requirements onto their critical suppliers.
Frequently asked questions
How do I know if my company is covered by NIS2?
Two criteria combine: the sector (Annexes I and II of the directive list the highly critical and other critical sectors) and size (generally from 50 employees or €10M turnover). Smaller organisations can still be covered by exception (DNS, trust services…) or indirectly, as a critical supplier to a regulated entity.
Does this simulator replace ANSSI’s official test?
No. This simulator gives an indicative orientation based on a simplified reading of Directive (EU) 2022/2555. The reference test is MonEspaceNIS2, offered by ANSSI on cyber.gouv.fr, and the final French scope will be set by the transposition law.
What is the difference between an essential and an important entity?
Substantive obligations are largely identical; what changes is the supervision regime (ex-ante and ex-post controls for essential entities, ex-post for important ones) and the sanction ceilings: €10M or 2% of worldwide turnover for EEs, €7M or 1.4% for IEs.
What should I do if my company is in scope?
Start by documenting the Article 21 measures: security policy, risk analysis, incident response with 24h/72h notification, continuity, supply-chain security, access control, MFA, vulnerability management and training. ANSSI’s ReCyF framework (March 2026) describes the expected measures without waiting for the law.
In scope? Generate your documentary core
ISSP, incidents, continuity, suppliers: the policies Article 21 expects, generated in minutes.
See the NIS2 generator