GB EN IT IT ES ES
Free tool · No sign-up · 2 minutes

Are you in scope for NIS2?
Take the free NIS2 test & self-assessment quiz.

Answer 12 quick questions about your business and security setup. You'll get an instant verdict on whether the NIS2 Directive applies to you, a preparedness score and a prioritised list of gaps to fix.

NIS2 Self-Assessment Quiz

12 questions · about 2 minutes · no sign-up. Answer the test below to check your NIS2 scope and compliance risk.

Applicability
Where does your organisation operate or sell?

NIS2 applies to organisations active in the EU/EEA — and reaches non-EU companies through EU clients and the supply chain.

Which best describes your main activity?

NIS2 covers specific sectors listed in its Annexes I (high-criticality) and II (other critical).

How big is your organisation?

NIS2 generally applies from the 'medium' size: 50+ employees OR more than €10M annual turnover/balance sheet.

Do you provide any of these services?

Some categories are in scope regardless of company size.

Do larger EU organisations rely on you as a supplier?

In-scope entities must secure their supply chain, pushing requirements onto their vendors.

Security maturity
Do you have a formal, board-approved risk analysis and information security policy?

Article 21(2)(a) — the foundation of NIS2.

Do you have an incident response plan able to report to the authority within 24h / 72h?

Article 23 — early warning in 24h, notification in 72h, final report in 1 month.

Have you assessed and contractually secured your critical suppliers?

Article 21(2)(d) — supply chain security.

Is multi-factor authentication and strict access control enforced on critical systems?

Article 21(2)(j) — MFA, IAM and privileged access.

Do you have backups and a tested disaster-recovery / business-continuity plan?

Article 21(2)(c) — continuity and crisis management.

Do you encrypt data (at rest and in transit) and run vulnerability management / pen testing?

Article 21(2)(h),(e) — cryptography and secure systems.

Are you registered with your national authority (where required) and does management receive cybersecurity training?

Registration duty + Article 20 — management accountability and training.

This self-assessment is an indicative guide based on the NIS2 Directive (EU) 2022/2555 and is not legal advice. A formal scope determination and gap analysis require a professional review of your specific circumstances.

How the NIS2 test works

This free NIS2 test is a 12-question self-assessment quiz that takes about two minutes. It is split into two parts:

When you finish, the quiz instantly calculates your likely NIS2 scope, a preparedness score out of 100 and a prioritised list of gaps. Nothing is sent anywhere unless you choose to email yourself the report — scoring runs entirely in your browser.

What being in scope for NIS2 means: Essential vs Important entities

NIS2 sorts organisations into tiers. The test estimates which one you most likely fall into:

🔴 You are very likely an Essential Entity

Your sector, size and EU footprint place you in the highest NIS2 tier. Essential Entities face proactive supervision and fines up to €10M or 2% of global turnover. Registration with your national authority and full implementation of the Article 21 measures are mandatory.

🟠 You are very likely an Important Entity

Your sector, size and EU footprint bring you into NIS2 scope as an Important Entity. You face ex-post supervision and fines up to €7M or 1.4% of turnover. National registration and the Article 21 security measures apply to you.

🟡 Indirectly affected through the supply chain

You may not be directly designated, but you supply or serve in-scope EU organisations. NIS2 makes them responsible for their supply chain — so they will (or already do) require you to demonstrate equivalent security. In practice, you need to be compliant.

🟢 Likely out of direct NIS2 scope

Based on your answers you don't appear to fall under NIS2 directly. Keep in mind that scope depends on details and can change if you start serving EU clients or enter a covered sector. Strong cybersecurity remains a smart investment regardless.

NIS2 test — frequently asked questions

Is this NIS2 test free?+
Yes. The NIS2 self-assessment quiz is completely free, requires no sign-up and no payment. You can take the test as many times as you like, and your answers are processed in your browser — we never store them.
What is a NIS2 self-assessment?+
A NIS2 self-assessment is a structured questionnaire that estimates whether the NIS2 Directive (EU) 2022/2555 applies to your organisation and how prepared you are. Our quiz asks 12 questions about your sector, size, EU footprint and security controls, then returns an indicative scope verdict and a preparedness score.
How do I know if I am in scope for NIS2?+
NIS2 generally applies to medium and large organisations (50+ staff or over €10M turnover) operating in one of the sectors listed in Annex I or II of the Directive. Some providers — such as DNS, TLD registries and trust services — are in scope regardless of size. The first five questions of the test check exactly these criteria.
What is the difference between an Essential and an Important entity?+
Essential Entities (e.g. large operators in high-criticality sectors) face proactive supervision and fines up to €10M or 2% of global turnover. Important Entities face ex-post supervision and fines up to €7M or 1.4% of turnover. Both must register with their national authority and implement the Article 21 security measures. The test estimates which tier you most likely fall into.
Does NIS2 apply to UK or non-EU companies?+
It can. NIS2 reaches non-EU companies — including UK businesses — through their EU clients and supply chain. In-scope EU entities are responsible for the security of their suppliers, so they pass equivalent requirements down the chain. The quiz accounts for this in its scope logic.
How long does the NIS2 quiz take?+
About two minutes. There are 12 multiple-choice questions: five on applicability and seven on your security maturity. No preparation or documents are needed.
Is the test a substitute for legal advice?+
No. The self-assessment is an indicative guide based on the NIS2 Directive and is not legal advice. A formal scope determination and gap analysis require a professional review of your specific circumstances — which our consultants can provide free of charge.
What happens after I complete the assessment?+
You instantly see your scope verdict, a preparedness score out of 100 and a prioritised list of security gaps mapped to the NIS2 articles. You can optionally receive the full report by email and book a free consultation with a NIS2 specialist.