What is Essential Entity (NIS 2)?

Essential Entity classification under NIS 2 is determined by two factors: operating in a Sector of High Criticality listed in Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and meeting the large organization size threshold (250+ employees or 50M+ euro turnover with 43M+ euro balance sheet). Certain entities are classified as Essential regardless of size: qualified trust service providers, top-level domain name registries, DNS service providers, public electronic communications network providers, and entities specifically designated by member states. The key distinction from Important Entities is the supervision model: Essential Entities are subject to ex ante supervision, meaning competent authorities can conduct audits, inspections, security scans, and request compliance evidence at any time without prior evidence of non-compliance. This proactive approach reflects the critical nature of services these entities provide and the potentially severe consequences of their disruption. Essential Entities face the highest NIS 2 penalty ceiling (10M euros or 2% of global turnover) and, uniquely, authorities can seek court orders to temporarily suspend managerial responsibilities of individuals found responsible for compliance failures. Despite these heightened oversight and penalty provisions, Essential and Important Entities must implement the same Article 21 cybersecurity risk management measures — the difference lies in how compliance is verified and enforced, not in what is required.