Quick answer
NIS2 is the EU directive that significantly expands cybersecurity obligations across European businesses. It came into force in October 2024, and member states are in the middle of transposing it into national law.
Three things every growing European business should know:
- NIS2 covers far more sectors than its predecessor. Many medium-sized companies that were out of scope under NIS1 are now in.
- Even if NIS2 does not apply to you directly, it likely applies to your customers — and the obligations cascade down the supply chain through vendor management.
- Management is personally accountable. The directive deliberately puts cybersecurity responsibility at the board and executive level, with personal liability for breaches of duty.
If you are running a growing SaaS, agency, or knowledge business in Europe with 50+ employees, you should have a defensible answer to "does NIS2 apply to us?" by the end of this quarter. If you do not, your customers will eventually ask the question for you.
What NIS2 actually is
NIS2 (the Network and Information Security Directive 2) replaces the original NIS Directive from 2016. It is one of the largest cybersecurity legal changes in Europe in a decade.
What is new compared to NIS1:
- Significantly broader sector coverage.
- Two tiers of regulated entities: "essential" and "important," with different penalty structures.
- Stricter incident reporting timelines.
- Explicit management accountability — including personal liability for senior leadership.
- Stronger supply chain requirements.
- Higher financial penalties.
Each EU member state is responsible for transposing NIS2 into national law. The Netherlands, like most member states, has been working through this process; expect concrete national legislation, regulator activity, and enforcement to ramp up during 2026.
Does NIS2 apply to you?
There are three practical tests.
The sector test. NIS2 covers a much wider range of sectors than NIS1. The list now includes (among others): digital infrastructure, ICT service management, providers of public electronic communications services, energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, public administration, space, postal and courier services, waste management, chemicals, food production and distribution, manufacturing of certain products, digital providers (online marketplaces, search engines, social networks), and research organisations.
If you operate in or supply into any of these sectors, the sector test is satisfied.
The size test. NIS2 generally applies to medium-sized and large entities. A medium-sized entity is broadly defined as having 50 or more employees and an annual turnover above €10 million (or balance sheet total above €10 million). Large entities have 250+ employees or €50M+ turnover.
Many growing SaaS companies cross this threshold during the period where they are also pursuing enterprise compliance — meaning the obligations land at exactly the worst possible time if you have not prepared.
The exception test. Even small entities can be designated as in-scope if they are deemed critical (for example, sole providers of a service in their member state, or providers whose disruption would have significant impact). This is a real risk in concentrated SaaS markets.
If you pass any of these three tests, plan accordingly.
What changes if you are in scope
The directive sets out a defined set of risk management measures. Practically, these translate to:
- A documented information security management approach — close to what ISO 27001 already requires.
- Incident handling and reporting capability.
- Business continuity and crisis management.
- Supply chain security — explicit due diligence on critical suppliers.
- Network and information system security.
- Policies on risk analysis and information system security.
- Use of cryptography and access control measures.
- Human resources security, training, and awareness.
- Multi-factor authentication and other identity controls.
If you read this list and the response is "we already do most of this," you are in a good position. If the response is "we know we should be doing this," you have measurable work ahead.
Incident reporting timelines
NIS2 introduces some of the tightest incident reporting requirements in European cybersecurity law:
- Within 24 hours of becoming aware of a significant incident: an early warning to the national competent authority.
- Within 72 hours: a detailed incident notification.
- Within one month: a final report.
"Significant incident" is defined in the directive and member state law; in practice, any incident that meaningfully disrupts services or compromises customer data is likely to qualify.
The operational implication: you cannot meet a 24-hour notification requirement without detection capability, an incident response procedure, and a defined escalation path. These are not things you can build during the incident itself.
The supply chain effect — even if you are not directly in scope
This is the part most growing companies miss.
NIS2 explicitly requires in-scope organisations to manage cybersecurity risk in their supply chain. That means: even if NIS2 does not apply to your company directly, it likely applies to several of your customers — and those customers are now required to assess and monitor your security posture as part of their NIS2 obligations.
What this looks like in practice:
- More detailed vendor security questionnaires.
- Contractual security requirements with measurable obligations.
- Right-to-audit clauses that are actually exercised.
- Higher expectations on incident notification — your customers may require you to notify them within hours of an incident affecting their data.
If you sell into regulated European industries, NIS2 affects you whether you are in direct scope or not.
Management liability — what this actually means
NIS2 puts cybersecurity decision-making and oversight at the management level, with explicit accountability. In most member state transpositions, members of management bodies can be held personally liable for breaches of their duties under NIS2.
Practically:
- Management must approve the risk management measures.
- Management must oversee their implementation.
- Management must keep itself informed enough to provide oversight.
- There can be personal consequences for failing to do so.
The directive deliberately puts cybersecurity in the board agenda. Companies that have historically treated security as "an IT thing" are being forced to reconsider that framing.
The penalty structure
NIS2 sets significant administrative fines:
- For essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
- For important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
National authorities also have enforcement powers including binding instructions, mandatory audits, and orders to make incidents public.
The penalty structure is deliberately modelled on GDPR — and like GDPR, the practical enforcement is likely to evolve over the next few years.
How NIS2 relates to ISO 27001
The two frameworks overlap heavily but serve different purposes.
ISO 27001 is a voluntary certifiable standard for an Information Security Management System. NIS2 is mandatory law within its scope.
If you implement ISO 27001 properly, you cover a substantial portion of NIS2's risk management requirements. The reverse is not as direct — NIS2 compliance does not give you an ISO 27001 certificate, but it gets you most of the way there.
For most growing European companies, the most efficient sequence is: build the ISMS once (the work that gets you to ISO 27001), then layer the NIS2-specific obligations on top (incident reporting workflow, supply chain due diligence, management oversight evidence). See our SOC 2 vs ISO 27001 piece for the framework decision.
What to do this quarter
Five concrete steps:
- Determine your scope. Sector test + size test + exception test. Document the answer. If you are uncertain, get qualified legal input. This is not the area to guess.
- Map your customers' NIS2 status. If they are in scope and you serve them, the supply chain obligations will cascade to you regardless of your own scope.
- Run an honest assessment against the NIS2 risk management measures. What do you have? What is missing? Where is the evidence?
- Build incident detection and notification capability. Centralised logging, alerting on the conditions that matter, a documented response process with defined timelines.
- Get cybersecurity on the management agenda formally. Quarterly briefing, documented decisions, evidence of oversight.
Common mistakes
- Assuming "we're too small for NIS2 to apply." The sector + size test catches many growing companies. The exception test catches others. The supply chain effect catches almost everyone selling into Europe.
- Waiting for the national transposition to be "final" before starting. The substantive obligations are not going to soften. Starting now is faster and cheaper than starting later.
- Treating NIS2 as a paperwork exercise. The directive expects working controls, not described controls. Auditors and regulators will look for evidence.
- Keeping management out of the loop. The directive explicitly requires the opposite.
FAQ
Does NIS2 apply to a 60-person B2B SaaS company in the Netherlands? Quite possibly — depends on the sector classification and customer base. ICT service management providers and digital providers are often in scope at that size. Run the three tests and document the result.
What if our customer base is mostly outside the EU? NIS2 applies based on where you are established and the services you provide in the EU. Selling primarily to non-EU customers does not exempt you if you are an EU-based company providing in-scope services.
Is NIS2 enforced yet? Member states are at different stages of transposition and enforcement. Treat the substantive obligations as effective today; enforcement will catch up.
How does NIS2 interact with GDPR? They are complementary, not overlapping. GDPR governs personal data; NIS2 governs cybersecurity risk to network and information systems. Many controls overlap (incident management, access control, training) but the legal frameworks are independent.
What if we already have SOC 2 or ISO 27001? You have done most of the work. NIS2 adds specific incident reporting timelines, explicit management accountability, and supply chain obligations on top of an existing ISMS.
The bottom line
NIS2 is the largest cybersecurity regulatory change in Europe in a decade. For growing European companies, the most expensive position is "we'll deal with it when it applies to us." By then, your customers are already asking the questions.
The companies that move now — determine scope, build the basics, get management informed — close enterprise deals more easily and stop being the weak link in their customers' supply chain. The ones that wait will spend the next two years catching up under pressure.
Either way, the work is the same. The only variable is the timing.
"The cheapest moment to act is now. The most expensive moment is when your largest customer's procurement team sends you a NIS2-driven security questionnaire and you have nothing to send back."
Next step
Not sure where you stand on NIS2?
Start with The Clarity Assessment — we'll map your scope and posture in two weeks.