NIS2 applicability quiz — Essential / Important / Out of scope
Eight questions classify your company under the NIS2 Directive (2022/2555) and the Hungarian Act LXIX of 2024. Verified sources only: Annex I and II sector lists, size thresholds, Art. 23 reporting deadlines, Art. 34 fine ranges.
8 questions — 2 minutes
Free, no signup. Email the detailed result to yourself if you want it.
1. Does your company operate in a NIS2 Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, ICT service management) OR Annex II (postal/courier, waste, chemicals, food, manufacturing sub-sectors, digital service providers, research) sector?
Annex I sectors map to essential entities, Annex II to important entities, subject to size thresholds. Source: NIS2 Directive 2022/2555.
2. Is your company a large entity? (≥250 staff OR ≥€50M annual turnover / ≥€43M balance sheet)
Large size + Annex I = essential entity. Definition follows EU recommendation 2003/361/EC.
3. (If 'no' to 2) Are you medium-sized? (50–249 staff OR €10–50M turnover / €10–43M balance sheet)
If you answered 'yes' to 2, this is auto-skipped. Medium + Annex I = important. Medium + Annex II = important.
4. Are you a DNS provider, TLD registrar, public administration body, data centre operator or ICT service management provider?
NIS2 Article 2(2): these providers are in scope regardless of size. A 5-person DNS provider is a reporting entity.
5. Has your company had a reported cyberattack or IT security incident in the last 24 months?
Does not change the classification but raises the supervisory risk profile. Under Art. 23, significant incidents must be reported in 24h / 72h / 1 month — that obligation is now active.
6. Do you store personal or health data about customers?
Not a classification driver, but increases the risk surface — GDPR + NIS2 dual reporting obligations apply on a single incident.
7. Do you have a CISO or dedicated information security officer?
Under Art. 21(2), management must be accountable for cyber risk management. Without a CISO, on-paper compliance is hard.
8. Is your incident response plan current AND have you exercised it in the last 12 months?
The 24h / 72h / 1-month (Art. 23) deadlines can only be met with a tested IR plan. A plan that lives on paper but never runs is not enough.
Verdict appears here
Answer all questions and click 'Show verdict'. The classification (essential / important / out of scope) and next steps appear here immediately.
- Cited EU + Hungarian legal references
- Fine floor matched to your classification
- Reporting deadlines (24h / 72h / 1 month)
- Concrete next steps for the next 2 weeks
Every classification rule on the page
No black box. The verdict comes from the six logical steps below, each citing the EU article and the Hungarian transposition.
1. Annex I — essential sectors
If Q1 = yes + Annex I sector + large company (≥250 staff OR ≥€50M turnover / ≥€43M balance sheet) → essential entity
Annex I sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, ICT service management. Large company in any of these = essential entity.
2. Annex II — important sectors
If Annex II + (large or medium) OR Annex I + medium → important entity
Annex II sectors: postal/courier, waste, chemicals, food, manufacturing (selected sub-sectors), digital service providers, research. Crossing the size threshold puts the company in important-entity scope. A medium company in Annex I is also important (not essential).
3. Size thresholds
Large: ≥250 staff OR ≥€50M turnover / ≥€43M balance sheet. Medium: 50–249 staff OR €10–50M / €10–43M.
NIS2 uses the 2003/361/EC SME thresholds. Below 50 staff and €10M turnover the company is below the size threshold — except for the size-independent providers (see point 4).
4. Size-independent applicability
DNS, TLD registrars, public administration, data centre operators, ICT service management → in scope regardless of size (Art. 2(2))
Some critical service providers are pulled into scope by the directive regardless of size. A 5-person DNS provider has the same reporting obligations as a 500-person energy company.
5. Reporting deadlines
24h early warning · 72h full incident notification · 1-month final report (Art. 23)
A significant incident (one causing material operational disruption or significant financial loss) triggers staged reporting. The Hungarian competent authority is the National Cyber Defence Institute.
6. Fine ranges
Essential: ≥€10M or 2% global turnover · Important: ≥€7M or 1.4% global turnover (Art. 34)
Minimum fine floors are fixed by the directive. The Hungarian supervisory fee (max 0.015% of prior-year revenue, max 10M HUF/entity, 50M HUF group cap) is a separate maintenance fee, not a sanction.
What the verdict means
Essential entity
You face the strictest supervision: proactive audits, on-site inspections, the 24h / 72h / 1-month reporting chain, the ten Art. 21(2) measures. Fine floor: €10M or 2% global turnover. Next step: request a NIS2 audit for the gap analysis.
Important entity
Reactive supervision (after a complaint or incident), but the same deadlines and measure list. Fine floor: €7M or 1.4% global turnover. We close the checklist gaps in 4–8-week mini-projects.
Out of scope
No direct NIS2 obligation — but supply-chain rules can pull you in indirectly when an essential or important customer asks for your compliance evidence. Audit-readiness still pays off.
Uncertain result
Some sector classifications (e.g. 'digital service provider', 'research') need to be mapped to your concrete service list. If the quiz is ambiguous, request a NIS2 audit — the precise classification only locks in with a full scope review.
Honest disclaimer
This quiz does not replace legal advice. For the precise classification, request a NIS2 audit — there we work from your real service catalogue, customer list and incident history.
NIS2 applicability quiz — frequently asked
It produces a fast first-pass classification of whether your company falls under NIS2 (essential / important / out of scope). Eight questions, two minutes. The logic is grounded in NIS2 Directive 2022/2555 and the Hungarian Act LXIX of 2024 (in force from 6 January 2026). For the precise legal classification, request a NIS2 audit — the quiz does not replace legal advice, only orients you on risk level and next steps.
Related
Topics that come up most often alongside the NIS2 question.
NIS2 checklist for IT leaders
Detailed Art. 21(2) measure-mapping and audit-readiness guide.
NIS2 compliance project
Gap analysis, control rollout, audit preparation. Fixed-price project packages.
EU AI Act high-risk checklist
If you also run AI systems alongside NIS2: 24 steps for the 2026-08-02 deadline.
Banking sector software development
Banks as essential entities — NIS2 + AI Act dual-compliance baked into the project.
ERP TCO calculator
If a NIS2 audit raises ERP-replacement questions: 5-year TCO across 4 vendors.
Talk to us about NIS2 readiness
Hungarian Act LXIX of 2024 came into force on 6 January 2026. A 30-minute call clarifies your classification, audit plan and the measure list for the next six months. Phone +36 30 098 0767, email balint@appforge.hu.
Budapest office: 1054 Budapest, Szabadság tér 7. (Bank Center), 1st floor, office 112 · Mon–Fri 9:00–18:00 by appointment.
Request a NIS2 audit — gap analysis in 5 working days
The applicability quiz is only the first classification. We measure the real compliance gaps in a 5-working-day fixed-price audit.