
NIS2 Directive for SMEs: What You Actually Need to Do

Is your SME in scope for NIS2? The 10 Article 21 measures, the 24h/72h/1-month reporting rule, fines, and a realistic compliance roadmap — in plain English.

Komplyo, 14 min read

If you run a small or medium business in the EU, you've probably heard whispers about "NIS2." Maybe a client mentioned it in a contract. Maybe your IT person dropped it in a meeting. Or maybe you saw headlines about €10 million fines and thought, "that can't possibly apply to me."

Here's the uncomfortable truth: it might. And even if it doesn't apply directly, it probably will affect you through your customers.

NIS2 — the Network and Information Security Directive 2 (Directive (EU) 2022/2555) — is the EU's most ambitious cybersecurity regulation yet. It entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. As of mid-2026, most Member States have transposed it into national law, and enforcement is ramping up.

This guide breaks down what NIS2 means for SMEs in plain English — no legal jargon, no scare tactics, just the facts and a practical plan.

What is NIS2?

NIS2 replaces the original NIS Directive from 2016. Where NIS1 covered about 7 sectors and roughly 300 entities in France, NIS2 expands to 18 sectors and is expected to cover over 160,000 entities across the EU — including thousands of SMEs.

The directive has one core goal: raise the baseline of cybersecurity across Europe by forcing organizations in critical sectors to implement proper risk management, report incidents fast, and take responsibility at the management level.

It distinguishes two categories of regulated entities:

Category | Size threshold | Sectors | Supervision
-------- | -------------- | ------- | -----------
Essential Entities (EE) | ≥250 employees, OR (≥€50M turnover AND ≥€43M balance sheet) | Energy, transport, banking, health, water, digital infrastructure, public administration, space | Proactive (ex-ante)
Important Entities (IE) | ≥50 employees, OR ≥€10M turnover, OR ≥€10M balance sheet | Postal services, waste management, chemicals, food, manufacturing, digital providers, research | Reactive (ex-post)

Key point for SMEs: most medium-sized businesses (50–249 employees) in covered sectors fall into the "Important Entity" bucket. The obligations are identical to Essential Entities — only the supervision style and fine caps differ.

Does NIS2 apply to your SME?

Three criteria determine whether your business is in scope. You need to meet both the size and sector criteria — or fall into an exception.

Criterion 1: size

Your SME is potentially in scope if it meets at least one of these:

  • 50 or more employees, OR
  • €10 million or more annual turnover, OR
  • €10 million or more annual balance sheet total

Important nuance: this applies at the legal entity level, not the group level. A subsidiary with 60 employees and €12M turnover is in scope even if the parent group is smaller.

Criterion 2: sector

Your business must operate in one of the 18 sectors listed in Annexes I and II of the directive:

Annex I — Essential sectors:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, maritime, road)
  • Banking and financial market infrastructures
  • Health (hospitals, labs, medical device manufacturers)
  • Drinking water and waste water
  • Digital infrastructure (DNS, data centers, cloud, telecoms)
  • Public administration
  • Space

Annex II — Important sectors:

  • Postal and courier services
  • Waste management
  • Chemical production and distribution
  • Food production, processing, and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research

Criterion 3: the supply chain exception (the hidden trap)

Even if you're below the size thresholds, you can still be pulled into NIS2 if you supply products or services to an Essential or Important Entity. Article 21(2)(d) requires these entities to assess the cybersecurity of their suppliers — and they typically pass this down as contractual security clauses.

Real-world example: a 20-person software development shop building a custom app for a hospital (Essential Entity) will likely face NIS2-aligned security requirements in its contract — even though the shop itself is below the size threshold.

Also always in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, and public electronic communications networks/services.
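The three criteria above, applied in order to a few constructed companies, as an added example (not Komplyo's code or tooling). The sector strings are the Annex I/II headings as summarised on this page, the "always in scope" entity types are the four named just above, and the sample organisations and their figures are invented for the illustration.

```python
"""NIS2 scoping check for an SME, evaluated per legal entity (not per group).

Added example, not Komplyo's code: it encodes the size, sector and
always-in-scope rules summarised on this page. Sample organisations are
constructed."""
from dataclasses import dataclass

# Annex I / Annex II sector headings as listed above.
ANNEX_I = {"energy", "transport", "banking", "health", "water",
           "digital infrastructure", "public administration", "space"}
ANNEX_II = {"postal", "waste management", "chemicals", "food",
            "manufacturing", "digital providers", "research"}
# Entity types the directive covers regardless of size.
ALWAYS_IN_SCOPE = {"dns provider", "tld registry",
                   "qualified trust service provider",
                   "public electronic communications"}


@dataclass
class Entity:
    name: str
    employees: int
    turnover_meur: float        # annual turnover, million EUR
    balance_sheet_meur: float   # annual balance sheet total, million EUR
    sector: str                 # an Annex heading, or anything else
    entity_type: str = ""       # e.g. "tld registry"; empty for most SMEs
    supplies_nis2_entity: bool = False  # critical supplier to an EE/IE?


def is_large(e: Entity) -> bool:
    """Large enterprise: >=250 staff, or (>=EUR50M turnover AND >=EUR43M balance sheet)."""
    return e.employees >= 250 or (e.turnover_meur >= 50 and e.balance_sheet_meur >= 43)


def meets_size_threshold(e: Entity) -> bool:
    """Criterion 1: at least one of the three medium-size thresholds."""
    return e.employees >= 50 or e.turnover_meur >= 10 or e.balance_sheet_meur >= 10


def classify(e: Entity) -> str:
    """Apply the three criteria, most specific rule first."""
    if e.entity_type in ALWAYS_IN_SCOPE:
        return "in scope regardless of size"
    if e.sector in ANNEX_I and is_large(e):
        return "essential entity"
    if (e.sector in ANNEX_I or e.sector in ANNEX_II) and meets_size_threshold(e):
        return "important entity"
    if e.supplies_nis2_entity:
        # Criterion 3: below threshold, but the customer's Article 21(2)(d)
        # duty arrives as contract clauses.
        return "below threshold, but expect NIS2-aligned contract clauses"
    return "out of scope"


SAMPLES = [  # constructed, not real organisations
    Entity("Regional hospital", 1200, 180.0, 120.0, "health"),
    Entity("Parts subsidiary", 60, 12.0, 4.0, "manufacturing"),
    Entity("Logistics group", 400, 90.0, 60.0, "postal"),
    Entity("Dev shop", 20, 2.5, 1.0, "software development",
           supplies_nis2_entity=True),
    Entity("Village bakery", 8, 0.9, 0.4, "food"),
    Entity("Small registry", 12, 1.2, 0.5, "digital infrastructure",
           entity_type="tld registry"),
]


def scope_report(entities=SAMPLES) -> dict:
    """Name -> classification, for a quick scoping table."""
    return {e.name: classify(e) for e in entities}


if __name__ == "__main__":
    for name, result in scope_report().items():
        print(f"{name:18} {result}")
```

Note that the "Parts subsidiary" is classified on its own figures even though its parent group might be smaller, and that the "Logistics group" lands in the Important bucket because postal services are an Annex II sector, whatever its size.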

The 10 Article 21 measures

Article 21 of NIS2 lists 10 minimum cybersecurity risk-management measures that every in-scope entity must implement. The directive explicitly frames these as "appropriate and proportionate" — meaning a 50-person manufacturer won't be held to the same standard as a multinational bank. But you must address all 10 areas.

Each measure maps cleanly onto the NIST CSF 2.0 functions, which is why Komplyo uses CSF 2.0 as its backbone (more on that below). Here's what each measure means in practice for an SME:

1. Risk analysis & information security policies

What it means: know your risks, write them down, and have a plan.

SME baseline:

  • Maintain a risk register with your top 10–15 cybersecurity risks
  • Have a board-approved Information Security Policy (even if it's 2 pages)
  • Review risks at least annually

Evidence you need: risk register, policy document with approval signature, review meeting notes.

2. Incident handling

What it means: be able to detect, respond to, and recover from security incidents.

SME baseline:

  • Documented incident response plan with roles and escalation paths
  • Basic detection (EDR, SIEM, or at least antivirus with alerting)
  • Post-incident review process

Evidence you need: IR plan, incident log/tickets, post-incident review template.

3. Business continuity & crisis management

What it means: keep running when things go wrong.

SME baseline:

  • Backup policy following the 3-2-1 rule (3 copies, 2 media types, 1 off-site)
  • Tested restoration process (not just "we have backups")
  • Basic crisis communication plan

Evidence you need: backup policy, restore test results, RTO/RPO targets, crisis comms plan. (Setting realistic RTO/RPO targets starts with a business impact analysis.)

4. Supply chain security

What it means: your vendors are your risks.

SME baseline:

  • Inventory of critical suppliers with risk ratings
  • Security clauses in contracts with key vendors
  • Basic due diligence checklist for new suppliers

Evidence you need: supplier inventory, contract clauses, review checklist.

5. Security in system acquisition, development & maintenance

What it means: security by design, not as an afterthought.

SME baseline:

  • Security requirements in procurement
  • Vulnerability management process with patching SLAs
  • Change management for production systems

Evidence you need: procurement security requirements, patch policy, change logs.

6. Effectiveness assessment

What it means: prove your controls actually work.

SME baseline:

  • Annual internal review or basic audit
  • Key metrics (MFA coverage, patch compliance, backup success rate)
  • Action tracker for findings

Evidence you need: review reports, KPI dashboard, corrective action tracker.
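Measures 5 and 6 come together in practice as a small set of numbers computed from your own inventories. Below is an added example (not Komplyo's code) that derives the three KPIs named above from constructed account, vulnerability and backup-job records and turns any miss into an action-tracker entry. The patching SLA days and the KPI targets are assumptions chosen for the illustration, not values from the directive.

```python
"""Effectiveness KPIs (measure 6) from inventory data, with patching SLAs (measure 5).

Added example, not Komplyo's code. SLA days, targets and all sample records
are constructed assumptions."""
from datetime import date

# Assumed patching SLAs per severity, in days from publication (measure 5).
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}
# Assumed targets; a KPI below its target becomes a finding.
TARGETS = {"admin_mfa": 1.0, "patch_compliance": 0.9, "backup_success": 0.95}

ACCOUNTS = [  # constructed: (username, is_admin, mfa_enabled)
    ("alice", True, True), ("bob", True, False), ("carol", False, True),
    ("dave", False, True), ("erin", False, False), ("svc-backup", True, True),
]
VULNS = [  # constructed: (host, severity, published, fixed or None if still open)
    ("web-01", "critical", date(2026, 3, 1), date(2026, 3, 10)),
    ("web-01", "high", date(2026, 2, 1), None),
    ("db-01", "critical", date(2026, 2, 20), date(2026, 3, 20)),
    ("fs-01", "medium", date(2026, 1, 5), date(2026, 2, 1)),
]
BACKUP_JOBS = [  # constructed: (run date, succeeded); one failure on the 5th
    (date(2026, 3, d), d != 5) for d in range(1, 11)
]
TODAY = date(2026, 4, 1)  # constructed review date


def mfa_coverage(accounts, admins_only=False) -> float:
    """Share of accounts (or of admin accounts) with MFA enabled."""
    pool = [a for a in accounts if a[1]] if admins_only else accounts
    return sum(1 for a in pool if a[2]) / len(pool)


def patch_compliance(vulns, today=TODAY) -> float:
    """Share of findings fixed within SLA, or still open but inside their SLA window."""
    ok = 0
    for _host, sev, published, fixed in vulns:
        end = fixed or today           # open findings age until today
        if (end - published).days <= PATCH_SLA_DAYS[sev]:
            ok += 1
    return ok / len(vulns)


def backup_success_rate(jobs) -> float:
    """Share of backup runs that completed successfully."""
    return sum(1 for _d, succeeded in jobs if succeeded) / len(jobs)


def kpis() -> dict:
    """The dashboard values for this review period."""
    return {
        "admin_mfa": mfa_coverage(ACCOUNTS, admins_only=True),
        "all_mfa": mfa_coverage(ACCOUNTS),
        "patch_compliance": patch_compliance(VULNS),
        "backup_success": backup_success_rate(BACKUP_JOBS),
    }


def findings() -> list:
    """Action-tracker entries for every KPI that misses its target."""
    return [f"{k}: {v:.0%} below target {TARGETS[k]:.0%}"
            for k, v in kpis().items() if k in TARGETS and v < TARGETS[k]]


if __name__ == "__main__":
    for k, v in kpis().items():
        print(f"{k:18} {v:.0%}")
    for line in findings():
        print("ACTION:", line)
```

With the sample data, one admin without MFA, two findings past their SLA and one failed backup run produce three tracker entries, which is exactly the corrective-action evidence the measure asks for.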

7. Cyber hygiene & training

What it means: your people are your first line of defense.

SME baseline:

  • Annual security awareness training for all staff
  • Phishing simulations (optional but recommended)
  • Role-specific training for admins and developers

Evidence you need: training materials, completion records, onboarding/offboarding checklist.

8. Cryptography & encryption

What it means: protect data in transit and at rest.

SME baseline:

  • TLS 1.2+ for all external communications
  • Full-disk encryption on laptops
  • Encryption for sensitive databases

Evidence you need: encryption policy, configuration screenshots, certificate inventory.

9. HR security, access control & asset management

What it means: control who can access what.

SME baseline:

  • Joiner/Mover/Leaver process for access rights
  • Annual access reviews
  • Asset inventory (hardware and software)
  • Principle of least privilege

Evidence you need: JML checklist, access review logs, asset inventory.
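An annual access review is, at its core, a cross-check of the HR roster against the accounts that actually exist in your identity provider. The following added example (not Komplyo's code) runs that check over constructed data and reports the four classic JML and least-privilege failures: leavers still enabled, accounts with no HR record, admin rights held by non-admin roles, and dormant accounts. The roster, the accounts, the 90-day dormancy window and the group and role names are all assumptions.

```python
"""Annual access review (measure 9): HR roster vs identity-provider accounts.

Added example, not Komplyo's code. Roster, accounts, review date, dormancy
window and group/role names are constructed assumptions."""
from datetime import date

HR = {  # constructed: username -> (role, left_on or None for current staff)
    "alice": ("sysadmin", None),
    "bob": ("developer", None),
    "carol": ("finance", None),
    "dave": ("developer", date(2026, 1, 15)),   # leaver
}
ACCOUNTS = [  # constructed: (username, enabled, groups, last_login)
    ("alice", True, {"domain-admins", "staff"}, date(2026, 3, 30)),
    ("bob", True, {"staff", "dev"}, date(2026, 3, 29)),
    ("carol", True, {"staff", "domain-admins"}, date(2025, 11, 2)),
    ("dave", True, {"staff", "dev"}, date(2026, 1, 14)),
    ("intern-old", True, {"staff"}, date(2025, 12, 1)),
    ("svc-archive", False, {"staff"}, date(2024, 6, 1)),   # disabled, ignored
]
REVIEW_DATE = date(2026, 4, 1)   # constructed
DORMANT_DAYS = 90                # assumed dormancy window
ADMIN_GROUPS = {"domain-admins"}
ADMIN_ROLES = {"sysadmin"}       # roles allowed to hold admin groups


def review(accounts=ACCOUNTS, hr=HR, today=REVIEW_DATE) -> list:
    """Return one finding per access-control failure found."""
    findings = []
    for user, enabled, groups, last_login in accounts:
        if not enabled:
            continue                       # disabled accounts are already handled
        record = hr.get(user)
        if record is None:
            findings.append(f"{user}: enabled account with no HR record (orphan)")
            continue
        role, left_on = record
        if left_on is not None:
            findings.append(f"{user}: leaver ({left_on}) still enabled; offboarding missed")
        if groups & ADMIN_GROUPS and role not in ADMIN_ROLES:
            findings.append(f"{user}: admin group for role '{role}' breaks least privilege")
        if (today - last_login).days > DORMANT_DAYS:
            findings.append(f"{user}: dormant, last login {last_login}")
    return findings


if __name__ == "__main__":
    for line in review():
        print(line)
```

The review output is the "access review log" evidence itself: keep the dated finding list together with the ticket that closed each item.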

10. Multi-factor authentication (MFA) & secure communications

What it means: passwords alone are no longer enough.

SME baseline:

  • MFA on all critical systems and admin accounts
  • Secured communication channels for incident response
  • Emergency communication plan

Evidence you need: MFA configuration proof, admin hardening evidence, emergency channel drill notes.

Incident reporting: the 24h/72h/1-month rule

Article 23 of NIS2 imposes a strict three-stage reporting timeline for "significant incidents" — those causing severe operational disruption, substantial financial loss, or considerable harm to others.

Stage | Deadline | What to report
----- | -------- | --------------
Early warning | Within 24 hours of becoming aware | Suspected malicious cause? Potential cross-border impact?
Incident notification | Within 72 hours of becoming aware | Updated assessment, severity, impact, indicators of compromise
Final report | Within 1 month of incident notification | Full description, root cause, mitigation measures, cross-border impact

Critical point: the clock starts when you become aware of the incident — not when your investigation is complete. This means you need a 24/7 escalation process, including weekends and holidays. For many SMEs, this is the hardest cultural shift.
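The three deadlines are easy to compute but easy to get wrong under pressure, so an incident runbook benefits from a fixed routine that starts the clock at awareness. This added example (not Komplyo's code) does that: the first two deadlines run from the awareness timestamp, and the final report runs from the actual notification if one was submitted, otherwise from the notification deadline. The awareness and submission timestamps are constructed, and the "one month" step is implemented as the same calendar day of the next month, clamped to that month's last day, which is an assumption about how the month is counted.

```python
"""Article 23 reporting clock: 24h / 72h / 1 month from awareness.

Added example, not Komplyo's code. Timestamps are constructed; the one-month
rule is implemented as same day next month, clamped to month end (assumption)."""
from calendar import monthrange
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(dt: datetime) -> datetime:
    """Same day next month; 31 Jan -> 28/29 Feb (assumed counting rule)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def deadlines(aware_at: datetime, notified_at: Optional[datetime] = None) -> dict:
    """Deadline per stage. The clock starts at awareness, not at the end of the
    investigation; the final report counts from the actual notification when
    one has been submitted, otherwise from the notification deadline."""
    early = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    final = add_one_month(notified_at or notification)
    return {"early_warning": early,
            "incident_notification": notification,
            "final_report": final}


def overdue(aware_at: datetime, now: datetime,
            notified_at: Optional[datetime] = None, submitted=()) -> list:
    """Stages whose deadline has passed without a submission on record."""
    return [stage for stage, due in deadlines(aware_at, notified_at).items()
            if now > due and stage not in submitted]


# Constructed scenario: awareness late on a Friday evening (UTC).
AWARE_AT = datetime(2026, 1, 30, 17, 30, tzinfo=timezone.utc)
NOTIFIED_AT = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)


def example() -> dict:
    """Deadlines when the notification was filed on Sunday morning."""
    return deadlines(AWARE_AT, NOTIFIED_AT)


def example_no_notification() -> dict:
    """Deadlines when nothing has been filed yet."""
    return deadlines(AWARE_AT)


def overdue_example() -> list:
    """Tuesday morning: early warning sent, notification not yet filed."""
    now = datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc)
    return overdue(AWARE_AT, now, submitted=("early_warning",))


if __name__ == "__main__":
    for stage, due in example().items():
        print(f"{stage:22} {due:%a %Y-%m-%d %H:%M %Z}")
    print("overdue:", overdue_example())
```

For the constructed Friday 17:30 awareness, the early warning falls due on Saturday at 17:30: this is the weekend escalation problem the paragraph above describes, made concrete.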

What counts as "significant":

  • Severe operational disruption to services
  • Substantial financial loss
  • Considerable damage to other persons or organizations

Voluntary reporting: Article 30 allows voluntary reporting of near-misses and threats that don't meet the significance threshold. This builds goodwill with your CSIRT and can't trigger additional obligations.

Management accountability & fines

NIS2 is explicit: cybersecurity is a management responsibility, not just an IT issue.

Article 20 — governance

Management bodies must:

  • Approve cybersecurity risk-management measures
  • Oversee their implementation
  • Undergo regular training to understand cyber risks
  • Be potentially held personally liable for breaches

Article 34 — penalties

Entity type | Maximum fine
----------- | ------------
Essential Entities | €10 million OR 2% of global annual turnover (whichever is higher)
Important Entities | €7 million OR 1.4% of global annual turnover (whichever is higher)

Beyond fines, authorities can:

  • Issue binding compliance orders
  • Suspend certifications
  • Temporarily ban individuals from management functions
  • Require security audits at the entity's expense
  • Publicly name non-compliant organizations ("name and shame")

The message for SME owners: if you're the managing director, you can't delegate NIS2 compliance to your IT person and walk away. The directive explicitly targets you.

Supply chain pressure: the hidden trap

Even if your SME is below NIS2 size thresholds, you may face compliance pressure through your customers. Here's how it works:

  1. Your customer is an Essential or Important Entity under NIS2
  2. Article 21(2)(d) requires them to assess supplier cybersecurity
  3. They insert security clauses into contracts with you
  4. You must now demonstrate controls, provide evidence, and possibly allow audits

Sectors where this is already happening:

  • Healthcare (hospitals requiring security attestations from medical device suppliers)
  • Financial services (banks pushing DORA/NIS2 requirements to fintech vendors)
  • Public infrastructure (government contracts with mandatory security standards)
  • Manufacturing (automotive and aerospace supply chains)

What this means practically: even a 15-person SaaS startup selling to a hospital may need to show an information security policy, evidence of MFA deployment, incident response procedures, backup and recovery testing, and basic staff training records.

The good news? If you build these capabilities proactively, you turn compliance into a competitive advantage — and the same evidence often satisfies ISO 27001 or SOC 2 buyers asking for assurance.

A realistic compliance roadmap for SMEs

Based on real-world implementations, here's a practical 12-month roadmap for an SME approaching NIS2 compliance.

Month 1–2: discovery & scoping

  • Confirm if you're in scope: check size thresholds and sector against Annexes I/II
  • Identify supply chain exposure: are you a critical supplier to an NIS2 entity?
  • Register with your national authority (e.g., ANSSI in France, NCSC in Ireland)
  • Conduct a gap analysis against the 10 Article 21 measures

Month 3–4: governance & documentation

  • Designate a security lead (can be fractional/external for SMEs)
  • Draft and approve an Information Security Policy
  • Create a risk register with your top risks
  • Document incident response procedures aligned with 24h/72h/1-month reporting
  • Schedule management training on NIS2 obligations

Month 5–7: technical baseline

  • Deploy MFA on all critical systems and admin accounts
  • Implement EDR (Endpoint Detection and Response) on all devices
  • Establish backup policy with 3-2-1 rule and test restoration
  • Enable encryption for data at rest and in transit
  • Deploy vulnerability management with defined patching SLAs

Month 8–9: processes & training

  • Roll out security awareness training for all staff
  • Implement Joiner/Mover/Leaver process for access control
  • Create supplier security assessment checklist
  • Conduct first tabletop exercise for incident response
  • Test backup restoration and document results

Month 10–11: assessment & improvement

  • Conduct internal audit of all 10 measures
  • Perform penetration test or vulnerability assessment
  • Review and update risk register and policies
  • Prepare evidence pack for each Article 21 measure
  • Address gaps identified during assessment

Month 12: validation & continuous improvement

  • Conduct second tabletop exercise
  • Review KPIs (MFA coverage, patch compliance, training completion)
  • Update management on compliance status
  • Plan next year's improvement cycle

Realistic budget for a 50-person SME: €15,000–€40,000 first year, then €5,000–€15,000 annually for maintenance.

How Komplyo makes NIS2 manageable

The 10 Article 21 measures aren't a random checklist — they map directly onto the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). Komplyo is built on exactly this: you assess once against CSF 2.0, and the platform projects your answers onto the frameworks that matter — so a single assessment surfaces your NIS2 posture alongside ISO 27001, SOC 2, and GDPR.

  • Assess once, read everywhere. Your CSF 2.0 answers project automatically onto NIS2 expectations, GDPR, ISO 27001, and SOC 2. See how the methodology works.
  • Start free. The free diagnostic gives you a teaser maturity score by CSF function in minutes — a fast way to find your biggest Article 21 gaps.
  • From gaps to evidence. Identified gaps flow into a prioritized roadmap and generated policies (information security policy, incident response, backup) — the exact evidence pack NIS2 supervisors and enterprise customers ask for. Explore the product.

Frequently asked questions

Is my small business really in scope for NIS2?

You're likely in scope if you meet at least one size threshold (≥50 employees, or ≥€10M turnover, or ≥€10M balance sheet) and operate in one of the 18 sectors in Annexes I/II. Below the thresholds, you can still be pulled in contractually as a supplier to an Essential or Important Entity. France's MonEspaceNIS2 wizard is the quickest way to self-check.

What's the difference between Essential and Important Entities?

The cybersecurity obligations (the 10 Article 21 measures) are identical. The differences are supervision (proactive/ex-ante for Essential, reactive/ex-post for Important) and fine caps (€10M or 2% of turnover vs €7M or 1.4%).

What are the NIS2 incident reporting deadlines?

Three stages for significant incidents: an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. The clock starts when you become aware of the incident, not when the investigation ends.

Can company directors be held personally liable under NIS2?

Yes. Article 20 makes management bodies responsible for approving and overseeing risk-management measures and requires them to undergo training. Individuals can be temporarily banned from management functions for serious non-compliance.

How does NIS2 relate to NIST CSF 2.0, ISO 27001, and GDPR?

The Article 21 measures align with NIST CSF 2.0 functions and overlap heavily with ISO 27001 controls and GDPR Article 32 (security of processing). That's the core of Komplyo's "assess once, project everywhere" model — you answer against CSF 2.0 once and read your readiness across all of them. See SOC 2 vs ISO 27001: which one first?

Free resources & tools

Resource | Source | What it provides
-------- | ------ | ----------------
NIS2 Directive full text | EU Official Journal | The legal text of Directive (EU) 2022/2555
ENISA NIS2 topic page | ENISA | Country-by-country transposition status
ANSSI NIS2 resources (France) | ANSSI | French transposition guidance, templates, FAQ
NCSC Ireland NIS2 FAQ | NCSC Ireland | Irish-specific guidance and registration
MonEspaceNIS2 (France) | French Government | Self-assessment wizard to check if you're in scope
ECSO NIS2 transposition tracker | ECSO | Detailed country-by-country transposition analysis
NIST CSF 2.0 | NIST | Framework that maps well to NIS2 Article 21 measures
CISA Cyber Essentials | CISA | Free baseline security guidance for small businesses

Final thoughts: don't panic, but don't wait

NIS2 is not a punishment. It's a recognition that in a connected economy, one weak link can compromise an entire sector. For SMEs, the directive creates both obligation and opportunity.

The obligation is clear: if you're in scope, you must implement the 10 measures, report incidents on time, and accept management accountability.

The opportunity is less obvious but equally real: SMEs that build robust cybersecurity practices can use them as a competitive differentiator. When a hospital chooses between two software vendors — one with a documented security program and one without — the choice becomes obvious.

Start with three questions:

  1. Are we in scope? (size + sector + supply chain)
  2. What's our biggest gap? (usually: asset inventory, tested backups, or incident response)
  3. Who owns this? (someone needs to be accountable — and it can't just be "IT")

Frameworks like NIST CSF 2.0 and ANSSI's EBIOS provide the structure. The NIS2 directive provides the urgency. Your business knowledge provides the context. Combine them — and compliance becomes manageable, even for a 50-person team.