--- title: NIS2 Essential vs Important Entities Guide description: "NIS2 essential vs important entities: compliance differences in baseline obligations, supervision regime, penalties, and documentation requirements." canonical: https://www.aegister.com/en/cms/insights/nis2-essential-vs-important-entities-baseline-differences/ url: /en/cms/insights/nis2-essential-vs-important-entities-baseline-differences/ lang: en --- ![](/static/images/header-contact.webp) # NIS2 Essential vs Important Entities: Compliance Differences in Baseline Obligations --- ![NIS2 Essential vs Important Entities: Compliance Differences in Baseline Obligations](/static/images/cms/nis2-requisiti-di-base.webp) ## NIS2 Essential vs Important Entities: Compliance Differences in Baseline Obligations January 23, 2026 [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) [baseline](/en/cms/keyword/baseline/) +6 The Italian NIS framework distinguishes essential and important entities and calibrates baseline obligations accordingly. For compliance planning, the practical objective is to map entity classification to the correct annexes, control depth, and incident-typology obligations. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) ## Key takeaways - Essential and important entities follow different baseline annexes. - Security-measure depth is generally higher for essential entities. - Incident typologies are differentiated by entity category, with additional scope for essential entities. - Classification must be documented because it drives control selection and audit scope. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) ## Baseline annex mapping ### 1. Security measures - Annex 1: baseline security measures for important entities. - Annex 2: baseline security measures for essential entities. ### 2. Significant incidents - Annex 3: baseline significant incidents for important entities. - Annex 4: baseline significant incidents for essential entities. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) ## Operational implications for compliance teams | Area | Important entities | Essential entities | | --- | --- | --- | | Measure baseline | Baseline set per Annex 1 | Extended/deeper baseline per Annex 2 | | Incident typologies | Typologies per Annex 3 | Typologies per Annex 4 (including additional scope) | | Program planning | Standard baseline rollout | Enhanced control depth and evidence coverage | | Audit preparation | Annex-specific evidence mapping | Broader evidence set due to expanded obligations | Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) ## 90-day implementation checklist 1. Confirm and document entity classification rationale. 2. Map applicable annexes and obligations to control owners. 3. Re-baseline evidence requirements according to entity category. 4. Validate incident-classification workflow against the correct annex set. 5. Run governance review on classification-dependent compliance gaps. ## FAQ ### Can one control set be applied unchanged to both categories? Not reliably. Baseline obligations are differentiated by category and should be mapped to the applicable annexes. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) ### Do essential entities have additional incident scope? Official baseline guidance indicates differentiated incident typologies, with additional scope for essential entities. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) ### What is the first audit risk in this area? Using the wrong annex mapping for entity classification, which leads to incomplete controls and evidence. Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) ## Related reading - [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/) - [NIS2 Legal Architecture and Role Model in Italy: Who Is Accountable for What](/en/cms/insights/nis2-legal-architecture-role-model-italy/) - [NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now](/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/) - [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/) - [Free NIS2 Assessment](/en/assessment/) ## Official sources - [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) - [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) Share this post ## Related News [![NIS2 Incident Typology Model: Condition, Compromise, and Affected Object](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-incident-typology-model/) [NIS2 Incident Typology Model: Condition, Compromise, and Affected Object](/en/cms/insights/nis2-incident-typology-model/) [ACN baseline guidance classifies significant incidents through condition, compromise, and object of compromise. Practical guide to using the typology model for consistent classification and notification decisions.](/en/cms/insights/nis2-incident-typology-model/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +9 [![NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 implementation guidance distinguishes the legal Point of Contact from the operational CSIRT contact role. Practical guide to role formalization, substitute model, competence mapping, and audit-ready evidence.](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +10 [![NIS2 Supply-Chain Security: Managing Critical Suppliers and High-Impact Procurements](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-supply-chain-security-critical-suppliers/) [NIS2 Supply-Chain Security: Managing Critical Suppliers and High-Impact Procurements](/en/cms/insights/nis2-supply-chain-security-critical-suppliers/) [NIS2 supply-chain security is a governance obligation covering supplier identification, risk assessment, contractual integration, and lifecycle monitoring. Practical guide to GV.SC controls and evidence readiness.](/en/cms/insights/nis2-supply-chain-security-critical-suppliers/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +9 ### NIS 2 Compliance with Aegister Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support. [Discover](/en/solutions/compliance/nis2/)