The NIS2 directive extends mandatory cybersecurity obligations beyond large enterprises to SMBs operating in the supply chains of essential and important sectors, with penalties reaching 10 million euros or 2% of global annual turnover, whichever is higher. If you provide services to an energy company, hospital, or transport operator, you will now be confronted with concrete security requirements.
This article breaks down what NIS2 actually requires, whether it applies to your business, and what steps you need to take. For the broader AI regulatory picture, start with our EU AI Act overview — NIS2 is the cybersecurity companion to that framework.
What NIS2 Is and Who It Affects
NIS2 (Directive (EU) 2022/2555) replaces the original 2016 Network and Information Security directive (Directive (EU) 2016/1148). While NIS1 covered a handful of critical sectors, NIS2 dramatically expands the scope. The goal is to raise cybersecurity maturity across the entire European economy.
The directive sorts regulated organizations into two categories. The split depends on sector and size together: large organizations in the high-criticality sectors of Annex I are essential entities, while medium-sized organizations in those sectors and organizations in the Annex II sectors are generally important entities.
Essential entities — organizations in sectors critical to society:
- Energy (electricity, oil, gas, district heating)
- Transport (aviation, rail, water, road)
- Healthcare (hospitals, laboratories, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure (DNS services, data centers, cloud providers)
- Banking and financial market infrastructure
- Public administration
- ICT service management (managed service providers and managed security service providers)
- Space
Important entities — organizations in economically significant sectors:
- Postal and courier services
- Waste management
- Food production and distribution
- Manufacturing (chemicals, medical devices, electronics, machinery)
- Digital service providers (search engines, social networks, online marketplaces)
- Research organizations
The Supply Chain Effect: Why NIS2 Reaches You
Here's where it gets relevant for SMBs. NIS2 requires essential and important entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers (Article 21(2)(d)). If you provide services to an organization that falls under NIS2, that organization will impose security requirements on you.
The standard thresholds are 50 or more employees or annual turnover above 10 million euros; a few entity types, such as DNS service providers, TLD registries, cloud and data center providers and trust service providers, are in scope regardless of size. But, and this is critical, supply chain obligations have no lower limit. A software company with 8 employees building an application for a hospital does not itself become a regulated entity, but the hospital must manage the risk that supplier represents, so the NIS2 requirements reach the software company through the contract.
Self-Assessment: Does NIS2 Apply to Your Business?
Work through these three checks to determine whether NIS2 affects you:
Check 1 — Sector. Does your business operate in one of the sectors listed above? If yes, go to check 2. If no, go to check 3.
Check 2 — Size. Do you have 50 or more employees, or annual turnover exceeding 10 million euros? If yes, you fall directly under NIS2. If no, go to check 3.
Check 3 — Supply chain. Do you provide products or services to organizations that do fall under NIS2? Consider whether you:
- Provide IT services to an energy company
- Deliver logistics to a pharmaceutical firm
- Build software for a government agency
- Provide facility management for a hospital
- Act as a hosting provider for a financial institution
If you answered yes to check 3, your clients will almost certainly impose NIS2 requirements on you contractually — even if you're below the size thresholds. It's not a question of if, but when.
The Ten Key Obligations
NIS2 prescribes ten areas where organizations must implement measures (Article 21(2)). These apply directly to essential and important entities, and indirectly to their suppliers through contractual requirements.
Obligation 1 — Risk analysis and security policies. You need a current overview of risks to your network and information systems, plus a policy describing how you manage those risks.
Obligation 2 — Incident handling and reporting. Security incidents must follow a documented handling process. For significant incidents, there's a mandatory reporting timeline: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity, impact and indicators of compromise within 72 hours, and a final report within one month of that notification.
Obligation 3 — Business continuity and crisis management. You need a plan for maintaining operations during a cyber incident — backups, failover scenarios, and recovery procedures.
Obligation 4 — Supply chain security assessment. You must assess the cybersecurity risks posed by your own suppliers and service providers. Our AI compliance checklist overlaps significantly with this obligation.
Obligation 5 — Security in system acquisition, development and maintenance. New systems must be developed and procured with security built in, and you need a process for handling and disclosing vulnerabilities in what you run and what you ship. Security by design, not bolted on afterwards.
Obligation 6 — Effectiveness assessment. You must periodically verify that your security measures actually work. Think penetration tests, audits, and security reviews.
Obligation 7 — Cyber hygiene practices and training. All employees must receive cybersecurity awareness training. Phishing simulations, password policies, and secure remote working are all part of this.
Obligation 8 — Cryptography and encryption policies. You need a policy defining when and how you apply encryption — for data at rest, in transit, and during processing.
Obligation 9 — Human resource security, access control and asset management. Who has access to which systems and data? It must be documented, restricted to what's necessary, and reviewed regularly, which presupposes a current inventory of the assets access is granted to.
Obligation 10 — Multi-factor authentication and secure communication. The directive calls for multi-factor or continuous authentication where appropriate, along with secured voice, video and text communication and secured emergency communication. In practice that means MFA is the baseline for administrative accounts, remote access and any system a regulator or client would call critical. Our website security checklist covers several of these measures specifically for web environments.
Penalties and Management Liability
NIS2 comes with serious enforcement teeth. The penalty structure differs by category, and in each case the higher of the two amounts applies:
| Category | Maximum fine | Or percentage of turnover |
|---|---|---|
| Essential entities | EUR 10 million | 2% of global annual turnover |
| Important entities | EUR 7 million | 1.4% of global annual turnover |
Directors carry personal responsibility under NIS2. Management bodies must approve the cybersecurity measures and oversee their implementation, and can be held liable for infringements (Article 20). For essential entities, supervisors can go as far as temporarily suspending a CEO or legal representative from managerial functions until the failure is remedied. This goes beyond most existing cybersecurity regulations.
The personal liability clause was deliberately included to prevent cybersecurity from being delegated entirely to the IT department. NIS2 makes it a boardroom responsibility. Compare this with the risks and liability around AI — here too, accountability is shifting toward senior management.
Practical Compliance Checklist: Eight Steps
Step 1: Gap Analysis
Map where you currently stand against each of the ten NIS2 obligations. Score each on a scale from 1 (nothing in place) to 5 (fully compliant). This gives you a clear picture of the work ahead.
Step 2: Asset Inventory
Create a complete register of all network and information systems — hardware, software, cloud services, and data storage locations. You can't protect what you don't know exists. This aligns with the asset inventory you'll also need for AI data security.
Step 3: Risk Assessment
Conduct a formal risk assessment for each inventoried system. What threats exist? What's the impact if a system is compromised? How likely is each scenario?
Step 4: Security Policies
Write or update your security policies based on the risk assessment. Make sure the policies cover all ten NIS2 obligations, assign clear responsibilities, and include measurable objectives.
Step 5: Incident Response Plan
Create an incident response plan that meets the NIS2 reporting deadlines: 24 hours for the early warning, 72 hours for the incident notification, and one month for the final report. Practice the plan at least twice a year through tabletop exercises.
Step 6: Supply Chain Assessment
Evaluate the cybersecurity posture of your own suppliers. Define minimum security requirements and include them in contracts. Ask suppliers for certifications (ISO 27001, SOC 2) or a self-assessment.
Step 7: Training Program
Establish an ongoing training program for all employees. Not a one-time slide deck — continuous awareness activities including phishing simulations, security updates, and role-specific training for IT staff.
Step 8: Documentation and Audit Preparation
Document everything. Policies, procedures, risk assessments, incident logs, training records — it all needs to be demonstrable. Prepare for regulators who may request this documentation at any time.
Dutch Implementation Context
NIS2 is an EU directive that each member state must transpose into national law, with a deadline of 17 October 2024. In the Netherlands, the original NIS directive was implemented in 2018 through the Wet beveiliging netwerk- en informatiesystemen (Wbni); NIS2 is transposed through its successor, the Cyberbeveiligingswet (Cbw), which arrived after the EU deadline.
Enforcement is divided across multiple authorities depending on the sector:
- NCSC (National Cyber Security Centre) — coordinates, advises, and serves as the national CSIRT
- ACM (Authority for Consumers and Markets) — oversees digital service providers and telecom
- DNB (Dutch Central Bank) — oversees the financial sector
- AFM (Authority for Financial Markets) — oversees financial market infrastructure
- RDI (Rijksinspectie Digitale Infrastructuur, formerly Agentschap Telecom) — oversees digital infrastructure
- IGJ (Health and Youth Care Inspectorate) — oversees the healthcare sector
For SMBs in the supply chain, the practical reality is this: your client is your first "regulator." Essential and important entities will impose contractual requirements, and non-compliance means lost contracts — long before an official regulator comes knocking.
Wondering how the EU AI Act relates to NIS2? Both regulatory frameworks run in parallel and reinforce each other: the risk assessments, asset inventories and incident procedures you build for one are reusable evidence for the other.
How AI Helps with NIS2 Compliance
AI isn't just something that gets regulated — it's also a powerful tool for meeting regulatory requirements. For NIS2, where continuous monitoring and rapid response are central, AI offers tangible advantages:
Automated threat monitoring. Anomaly-detection systems analyze network traffic around the clock and surface deviations from normal behaviour that a human analyst reviewing logs by hand would not notice in time. A sudden spike in outbound data traffic at 3 AM from a host that is normally idle at that hour? The system raises the alarm immediately.
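The 3 AM egress spike above is, at its core, a comparison against a baseline of what each host normally sends at that hour. The following Python is an added example, not code from the original article or from any monitoring product it describes: it stands in for the "AI" with a robust statistical baseline (median and median absolute deviation per host and hour of day) and runs it over constructed hourly flow summaries. The log format, host names and traffic figures are all invented for the demonstration; a production detector would use richer features, but the shape of the decision is the same.

```python
"""Egress-volume anomaly detection against a per-host, per-hour baseline.

Added example. The flow summary format, host names and byte counts are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: one hourly outbound-byte total per host.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$")


def parse_line(line: str) -> tuple[str, int, int]:
    """Return (host, hour_of_day, bytes_out); raise ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow summary: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return m["host"], ts.hour, int(m["bytes"])


def build_baseline(history: list[str]) -> dict[tuple[str, int], tuple[float, float]]:
    """Per (host, hour): median and a scale derived from the median absolute deviation.

    The scale is floored at 5% of the median so a perfectly flat history (MAD of zero)
    does not turn every small fluctuation into an alert.
    """
    samples: dict[tuple[str, int], list[int]] = defaultdict(list)
    for line in history:
        host, hour, nbytes = parse_line(line)
        samples[(host, hour)].append(nbytes)
    baseline = {}
    for key, values in samples.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        # 1.4826 rescales MAD to be comparable with a standard deviation
        scale = max(1.4826 * mad, 0.05 * med, 1.0)
        baseline[key] = (med, scale)
    return baseline


def detect(history: list[str], observations: list[str],
           k: float = 5.0, min_bytes: int = 100_000) -> list[dict]:
    """Flag observations whose outbound volume exceeds the hour-of-day baseline by k scales.

    Only upward deviations count (an egress spike is the exfiltration signal) and an
    absolute floor avoids paging on hosts whose baseline is a few kilobytes.
    A host/hour with no history at all is reported too: new egress is worth a look.
    """
    baseline = build_baseline(history)
    alerts = []
    for line in observations:
        host, hour, nbytes = parse_line(line)
        if (host, hour) not in baseline:
            alerts.append({"host": host, "hour": hour, "bytes_out": nbytes, "reason": "no baseline"})
            continue
        med, scale = baseline[(host, hour)]
        z = (nbytes - med) / scale
        if z > k and nbytes >= min_bytes:
            alerts.append({"host": host, "hour": hour, "bytes_out": nbytes,
                           "z": round(z, 1), "median": med, "reason": "egress spike"})
    return alerts


def constructed_history() -> list[str]:
    """Seven constructed days: web-01 busy by day and quiet at night, db-01 steady."""
    lines = []
    for day in range(1, 8):
        for hour in range(24):
            ts = f"2024-03-{day:02d}T{hour:02d}:00:00Z"
            jitter = 2_000 * (day % 4)  # day-to-day variation so MAD is non-zero
            web = (800_000 + 40_000 * hour if 8 <= hour <= 18 else 60_000 + 5_000 * (hour % 3)) + jitter
            lines.append(f"{ts} host=web-01 bytes_out={web}")
            lines.append(f"{ts} host=db-01 bytes_out={200_000 + 10_000 * (day % 2)}")
    return lines


def constructed_observations() -> list[str]:
    """Day eight, same shape as the history except web-01 pushes 5 MB out at 03:00."""
    lines = []
    for hour in range(24):
        ts = f"2024-03-08T{hour:02d}:00:00Z"
        normal = 800_000 + 40_000 * hour if 8 <= hour <= 18 else 60_000 + 5_000 * (hour % 3)
        web = 5_000_000 if hour == 3 else normal
        lines.append(f"{ts} host=web-01 bytes_out={web}")
        lines.append(f"{ts} host=db-01 bytes_out=200000")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_history(), constructed_observations()):
        print(alert)
```

Running it prints a single alert for web-01 at hour 3; the daytime traffic, which is far larger in absolute terms, stays silent because the comparison is made against the baseline for that hour, not against a global threshold. The two tunables a practitioner will want to revisit are `k` (how many scales above the median counts as abnormal) and the 5% floor on the scale, which is what keeps a very regular host from alerting on noise.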
Faster incident response. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident. Automated detection can shorten the time between compromise and awareness from days to minutes, giving you more of that window for analysis and reporting.
Automated compliance documentation. One of the biggest time sinks in NIS2 compliance is documentation. AI can automatically convert log files, configurations, and security scans into compliance reports. See our article on AI and data security for specific implementation guidance.
Continuous vulnerability scanning. AI tools continuously scan your systems for known vulnerabilities and configuration errors, rather than only during periodic audits.
Costs for SMBs
NIS2 compliance is an investment. The scope depends on your current security maturity:
One-time compliance costs:
- Small SMBs with limited IT infrastructure: EUR 5,000 – 10,000 (gap analysis, basic policies, training)
- Mid-sized businesses with more complex IT: EUR 10,000 – 25,000 (formal risk assessment, technical measures, external audit)
- Businesses without existing security policies: toward the upper end of this range
Ongoing costs:
- Monitoring and vulnerability scanning: EUR 500 – 1,000/month
- Training and awareness programs: EUR 200 – 500/month
- Periodic audits and penetration tests: EUR 2,000 – 5,000/year
The math is straightforward: even the top end of the compliance budget (EUR 25,000 one-time plus EUR 2,000/month ongoing) is a fraction of a NIS2 fine that can reach 10 million euros. On top of that, you prevent business damage from cyber incidents — the average cost of a data breach for SMBs runs to EUR 42,000.
Your Next Move
NIS2 isn't an optional improvement — it's a legal obligation that's already in effect. The businesses that move fastest have a double advantage: they avoid fines and they stand out as trustworthy partners in the supply chain.
Start with the gap analysis from step 1. Map your current position, prioritize the biggest risks, and tackle the quick wins first. Setting up MFA, writing an incident response plan, and training your employees — those are steps you can take this month.
Want to know where your business stands on cybersecurity and AI compliance? Our AI consulting specialists combine security expertise with business automation to accelerate your compliance journey. Check out our comprehensive AI compliance checklist for the full set of action items around AI regulation.