
NIS2 Directive: Essential vs Important Entities in Italy

Simone Nogara

November 2025 · 7 min read

The distinction between essential and important entities under NIS2 determines your cybersecurity obligations, supervisory regime, and penalty exposure. With Italy's transposition now in force through D.Lgs. 138/2024, understanding this classification is the first step toward compliant operations.

Why Classification Matters

EU Directive 2022/2555[1] (NIS2) replaced the original NIS Directive with a substantially expanded framework bringing thousands of additional organisations under mandatory cybersecurity obligations. Its two-tier classification system—essential and important entities—determines regulatory scrutiny, supervision intensity, and potential sanctions.

Italy's transposition through Decreto Legislativo 138/2024[2] assigns the Agenzia per la Cybersicurezza Nazionale (ACN)[3] as competent authority and national CSIRT, establishes the registration and notification framework, and introduces Italy-specific penalties. Notably, Italy has gone beyond the directive's minimum requirements, particularly on registration timelines and sector-specific guidance.

For Private Equity portfolio companies and Family Office-controlled entities, classification directly affects governance requirements, incident response timelines, and financial exposure. Misclassification—whether deliberate or accidental—carries its own penalty risk under the Italian transposition.

The Size-Cap Rule: Quantitative Thresholds

NIS2 uses a size-cap mechanism as the primary scope determinant, applying objective criteria aligned with the European Union's enterprise size definitions (Commission Recommendation 2003/361/EC). A medium enterprise employs 50+ persons or exceeds EUR 10 million in turnover/balance sheet. A large enterprise employs 250+ persons, or exceeds EUR 50 million turnover and EUR 43 million balance sheet. Small and micro enterprises are generally excluded, with exceptions noted below.

The size-cap applies at entity level, not group level—critical for PE-backed businesses. A portfolio company with 60 employees in a NIS2-scope sector is within scope regardless of parent size. However, linked enterprise rules under the SME Recommendation may trigger aggregation, meaning subsidiaries of larger groups could cross thresholds even if individually below them. This requires careful analysis of PE corporate structures.

Sector-Based Classification: Essential vs Important

Once an entity meets the size threshold, classification depends on sector. NIS2 divides scope into Annex I (“high criticality”) and Annex II (“other critical sectors”).

Essential Entities

Essential entities include large enterprises in Annex I sectors: energy (electricity, oil, gas, hydrogen, district heating/cooling), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust services, public electronic communications), ICT service management (MSPs and MSSPs), public administration, and space.

Certain categories are automatically essential regardless of size: qualified trust service providers, TLD registries, DNS providers, and entities designated by a member state. D.Lgs. 138/2024 empowers the ACN to designate additional entities based on national security considerations.

Important Entities

Important entities capture the remainder: medium enterprises in Annex I sectors and all medium/large enterprises in Annex II sectors (postal/courier services, waste management, chemicals, food production, manufacturing, digital providers, and research organisations). Many mid-market portfolio companies in manufacturing, food, chemicals, or digital services fall here. While Article 21 cybersecurity obligations apply identically to both tiers, supervisory and enforcement regimes differ materially.

Differences in Obligations and Supervision

Both tiers must implement Article 21's ten minimum security measures—risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cyber hygiene, cryptography, access control, and MFA—and comply with Article 23 incident reporting.

Essential entities face proactive, ex ante supervision: the ACN may conduct regular audits and on-site inspections, request compliance evidence, and perform security scans at any time. Important entities face reactive, ex post supervision—investigations triggered by evidence of non-compliance rather than routine inspections.

Penalties reflect this distinction. Essential entities: up to EUR 10 million or 2% of global turnover. Important entities: up to EUR 7 million or 1.4%. The ACN can also suspend certifications, temporarily prohibit management functions, and publicly disclose non-compliance.

Self-Assessment and ACN Registration

NIS2 operates on self-assessment: entities must determine their own scope and classification based on size, sectors, and services. The Italian transposition requires registration with the ACN through a dedicated platform, disclosing legal identity, sector classification, services, size parameters, and security contacts. Failure to register within prescribed periods is a standalone violation.

Registration is ongoing—entities must update when material changes occur (corporate restructuring, sector changes, size shifts). For PE-backed entities, acquisitions, carve-outs, or mergers may all require updates. The ACN retains authority to review and reclassify entities, meaning registration data accuracy directly affects supervisory outcomes.

For PE portfolios, each company must be evaluated independently. A diversified fund may have essential entities, important entities, and out-of-scope companies. Document the analysis as evidence of diligent self-assessment.

Penalties for Misclassification

The Italian transposition treats misclassification as a distinct compliance failure, subject to sanctions independent of substantive non-compliance. The penalty framework considers whether misclassification resulted from analytical error or deliberate understatement, and whether it delayed implementation of appropriate security measures.

For management bodies, misclassification carries personal liability under Article 20. Directors must approve cybersecurity measures and oversee implementation—failure to ensure proper classification constitutes a breach of fiduciary obligations. Fund-appointed directors on portfolio company boards have direct interest in ensuring accurate classification.

Practical Classification Methodology

Based on our advisory work with European PE firms and Family Offices, we recommend four steps. First, map each entity's sector activities against Annex I and Annex II—many entities span multiple sectors. Second, perform the size-cap assessment using current financials and headcount, applying linked enterprise rules. Third, determine classification by mapping sector and size results. Fourth, document the entire analysis as compliance evidence.

Entities near classification boundaries require particular care. Growth, service changes, or acquisitions can move entities into scope mid-year. Integrate regular reassessment into governance calendars. An incorrect classification cascades through every downstream obligation—governance, security measures, incident response, and supervisory interactions—making rigour at this stage essential.

References

  1. Directive (EU) 2022/2555 (NIS2 Directive), EUR-Lex.
  2. Decreto Legislativo 4 settembre 2024, n. 138 (transposition of Directive (EU) 2022/2555, NIS2), Gazzetta Ufficiale.
  3. Agenzia per la Cybersicurezza Nazionale (ACN), official website.
