NIS2 Essential vs Important Entities: Compliance Differences in Baseline Obligations



January 23, 2026

The Italian NIS framework distinguishes essential and important entities and calibrates baseline obligations accordingly. For compliance planning, the practical objective is to map entity classification to the correct annexes, control depth, and incident-typology obligations.

Sources: ACN baseline reading guide, ACN baseline obligations determination

Key takeaways

  • Essential and important entities follow different baseline annexes.
  • Security-measure depth is generally higher for essential entities.
  • Incident typologies are differentiated by entity category, with additional scope for essential entities.
  • Classification must be documented because it drives control selection and audit scope.

Sources: ACN baseline reading guide

Baseline annex mapping

1. Security measures

  • Annex 1: baseline security measures for important entities.
  • Annex 2: baseline security measures for essential entities.

2. Significant incidents

  • Annex 3: baseline significant incidents for important entities.
  • Annex 4: baseline significant incidents for essential entities.

Sources: ACN baseline reading guide, ACN baseline obligations determination

Operational implications for compliance teams

Area | Important entities | Essential entities
Measure baseline | Baseline set per Annex 1 | Extended/deeper baseline per Annex 2
Incident typologies | Typologies per Annex 3 | Typologies per Annex 4 (including additional scope)
Program planning | Standard baseline rollout | Enhanced control depth and evidence coverage
Audit preparation | Annex-specific evidence mapping | Broader evidence set due to expanded obligations

Sources: ACN baseline reading guide

90-day implementation checklist

  1. Confirm and document entity classification rationale.
  2. Map applicable annexes and obligations to control owners.
  3. Re-baseline evidence requirements according to entity category.
  4. Validate incident-classification workflow against the correct annex set.
  5. Run governance review on classification-dependent compliance gaps.

FAQ

Can one control set be applied unchanged to both categories?

Not reliably. Baseline obligations are differentiated by category and should be mapped to the applicable annexes.

Sources: ACN baseline reading guide

Do essential entities have additional incident scope?

Official baseline guidance indicates differentiated incident typologies, with additional scope for essential entities.

Sources: ACN baseline reading guide

What is the first audit risk in this area?

Using the wrong annex mapping for entity classification, which leads to incomplete controls and evidence.

Sources: ACN baseline obligations determination, ACN baseline reading guide

Official sources
