Article 2 / Article 3 NIS2 Directive (EU) 2022/2555 NIS2

Have you confirmed whether your organisation is in scope as an Essential or Important entity under NIS2?

Demonstrate that the organisation has systematically assessed and documented its NIS2 classification status using defined criteria, with supporting evidence reviewed by legal or compliance personnel and communicated to governance bodies.

Description

What this control does

This control establishes whether the organisation falls within the scope of the EU NIS2 Directive (Directive (EU) 2022/2555) by evaluating sector affiliation, entity size, service criticality, and cross-border operations. Organisations classified as Essential or Important entities face mandatory cybersecurity risk management, incident reporting, and governance obligations. Failure to correctly determine scope status results in non-compliance exposure, regulatory penalties, and inadequate cybersecurity posture for critical infrastructure.

Control objective

What auditing this proves

Demonstrate that the organisation has systematically assessed and documented its NIS2 classification status using defined criteria, with supporting evidence reviewed by legal or compliance personnel and communicated to governance bodies.

Associated risks

Risks this control addresses

  • Regulatory penalties and enforcement actions due to failure to comply with NIS2 obligations when in scope
  • Inadequate cybersecurity controls resulting from misclassification as out-of-scope when Essential or Important entity status applies
  • Delayed incident reporting to national CSIRT or competent authorities due to lack of awareness of mandatory notification timelines
  • Reputational and commercial damage from cybersecurity incidents affecting critical services without appropriate governance and risk management frameworks
  • Supply chain disruption to dependent Essential entities if an Important entity fails to implement required security measures
  • Cross-border regulatory conflicts when operating in multiple Member States without a coordinated compliance approach
  • Civil liability exposure from failure to implement supervisory body-mandated security measures

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organisation's documented NIS2 scope assessment, including date of completion, author identification, and approval authority
  2. Verify the assessment evaluates the organisation against the Annex I and Annex II sector classifications (energy, transport, banking, digital infrastructure, healthcare, water, digital providers, postal, waste management, chemicals, food, manufacturing, research)
  3. Confirm the assessment considers entity size thresholds: medium enterprise criteria (50+ employees and €10M+ turnover or balance sheet) and criticality determinations for Essential vs Important classification
  4. Review evidence of cross-border operational analysis, including identification of Member States where services are provided and determination of lead supervisory authority
  5. Examine legal opinion or external counsel memorandum validating the scope determination, particularly for borderline cases or novel service models
  6. Trace communication of scope determination to the management body, including board minutes, executive committee records, or equivalent governance documentation
  7. Verify the scope assessment includes a re-evaluation trigger mechanism for changes in business model, service offerings, geographical reach, or entity size
  8. Sample correspondence or registration filings with national competent authorities if the organisation determined in-scope status, confirming timely notification

Evidence required

The auditor collects the formal NIS2 scope assessment document with sector mapping, size threshold calculations, and criticality analysis; legal memoranda or external counsel opinions validating the classification; board or executive committee minutes reflecting communication of the scope determination; and correspondence with national supervisory authorities or CSIRT registrations, if applicable. Configuration management records showing version control and approval workflows for the assessment document should also be retained.

Pass criteria

The organisation has completed, documented, and obtained governance approval for a NIS2 scope assessment within the past 12 months that systematically evaluates sector, size, criticality, and cross-border factors, with supporting legal validation and formal communication to the management body.