These are the 7 points this article covers on what NIS2 is and who needs to comply:
- What NIS2 is
- Who needs to comply with NIS2 (essential and important entities)
- What compliance involves
- Incident reporting and risk management
- Penalties for non-compliance
- Timelines and application in the EU
- How to prepare and what to do next
Cyber threats are no longer just a technical issue: they are a business risk. In response, the EU has adopted NIS2, the directive that strengthens cybersecurity in critical sectors and among digital service providers. If you operate in Europe, especially in SaaS, cloud services or managed services, you need to know what NIS2 is and who needs to comply.
This guide answers exactly that: what NIS2 is, who is obliged to comply, what compliance requires, and what timelines and penalties apply. NIS2 is broader, stricter and more enforceable than the original NIS directive, and it is not optional for in-scope entities.
What Is NIS2?
NIS2 is the second version of the EU directive on network and information security (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union). It repeals and extends the original NIS directive (Directive (EU) 2016/1148) with a wider scope, clearer obligations and stronger penalties.
The aim is to establish a common baseline for managing cyber risk across all Member States and to raise resilience and incident response capacity. NIS2 turns “recommended good practices” into mandatory requirements, backed by national supervision and enforcement.
The directive entered into force on 16 January 2023, but as a directive it binds organisations only through national law: once a Member State has transposed it, the competent authorities in that country may start supervisory and sanctioning actions in accordance with domestic law.
Each Member State transposes NIS2 into its own legal order, and several did so only after the October 2024 deadline, so you should check the exact obligations, and their start date, in the Member States where you operate.
Who Needs to Comply with NIS2? Essential and Important Entities
To understand what NIS2 is and who needs to comply, you need to look at two categories, essential entities and important entities, and at the two things that decide which one you are: sector and size.
The directive lists "sectors of high criticality" in Annex I: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (including cloud computing service providers, data centre service providers and DNS service providers), ICT service management (managed service providers and managed security service providers), public administration and space. Large entities in these sectors are essential entities; a few categories, such as DNS service providers and top-level domain name registries, are essential regardless of size. These are organisations whose disruption would have serious consequences for society or the economy.
Annex II lists "other critical sectors": postal and courier services, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, online search engines and social networking platforms) and research. Entities in these sectors, and medium-sized entities in Annex I sectors, are as a rule important entities.
In practice, if you provide digital services to critical sectors or host sensitive data, you are likely to fall into one of the two categories.
Size matters: NIS2 applies by default to medium-sized and larger organisations, meaning those with at least 50 employees, or with annual turnover and balance sheet total above €10 million; large entities (250 or more employees, or turnover above €50 million and balance sheet above €43 million) in Annex I sectors are essential rather than important. Smaller organisations can still be in scope if a Member State designates them because they play a critical role in supply chains or key infrastructure, or because they are the sole provider of a service.
SaaS is not exempt from NIS2. SaaS is not a named category in the directive, but a SaaS product is generally treated as a cloud computing service, which sits in the digital infrastructure sector of Annex I. If you support critical functions or essential/important sectors, you are probably in scope. Each Member State specifies in its transposition which activities and thresholds apply; you should check against national law.
A gap analysis or scope assessment with a specialised partner can clarify your position and prioritise the measures you need before a possible inspection.
What Does NIS2 Compliance Involve?
Understanding what NIS2 is and who needs to comply includes knowing the obligations it creates. In summary, organisations must:
- Implement appropriate and proportionate technical, operational and organisational measures to protect networks and systems. Article 21 lists the minimum: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in acquisition, development and maintenance (including vulnerability handling and disclosure), procedures to assess the effectiveness of measures, basic cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and multi-factor or continuous authentication where appropriate.
- Put in place an incident reporting mechanism. Significant cybersecurity incidents must be reported to the competent national authority or CSIRT without undue delay (see timelines below), with investigation and corrective action.
- Manage risk on an ongoing basis, including internal systems, suppliers and outsourced services. If a supplier introduces vulnerabilities, responsibility can still lie with your organisation.
- Designate a compliance or security lead. NIS2 requires that cybersecurity responsibilities are clearly assigned, with oversight at management level: under Article 20 the management body must approve the risk-management measures, oversee their implementation and can be held liable for infringements. The directive does not prescribe a specific job title (CISO, compliance officer, etc.), but there must be at least one identifiable person who coordinates compliance and leads the process.
- Staff training. Article 20(2) requires members of the management body to follow training so that they can identify risks and assess risk-management practices, and cybersecurity training for staff is one of the minimum measures in Article 21(2)(g). Training must be recurring, documented and role-appropriate.
- Operational resilience and supply chain. Periodic testing (incident simulations, business continuity), oversight of ICT suppliers and documentation showing that controls work in practice are expected. Contracts with suppliers should include security and regulatory cooperation clauses, and you must be able to show that you supervise them actively.
If you also process personal data, best practices for implementing the GDPR and understanding GDPR audit expectations complement your compliance framework well.
Incident Reporting and Risk Management Under NIS2
One of the most demanding NIS2 requirements is incident reporting. Article 23 sets a staged scheme for significant incidents: an early warning within 24 hours of becoming aware of the incident (stating whether it is suspected to be malicious or could have cross-border impact), an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, intermediate updates on request, and a final report within one month with a detailed description, root cause and mitigation measures. An incident is significant when it causes, or is capable of causing, severe operational disruption or financial loss, or considerable damage to other persons or organisations.
Organisations therefore need internal protocols in place: clear procedures to detect, assess and escalate incidents, with defined roles and communication channels with the authority. If you have not defined what counts as a reportable incident or who triggers the process, the risk of non-compliance and chaotic response is high.
Risk management is not a one-off exercise. NIS2 requires keeping the risk assessment up to date, reviewing it when technology, structure or regulation changes, and using it as the basis for decisions. Having done an assessment in 2024 is not enough; you must show that you review it and that measures evolve.
Penalties for Non-Compliance with NIS2
NIS2 gives national regulators powers to investigate, audit and sanction organisations that do not comply.
For essential entities, the maximum fine must be at least €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, it must be at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
Beyond the financial impact, non-compliance can lead to reputational damage, exclusion from supply chains and personal liability for management bodies; for essential entities, authorities can also temporarily suspend certifications or authorisations and temporarily prohibit individuals at chief executive or legal representative level from exercising managerial functions. Authorities can request evidence, carry out inspections and security audits, and require corrective measures; under NIS2, what you cannot demonstrate does not exist for the supervisor.
Timelines and Application of NIS2 in the EU
Member States had to transpose NIS2 into national law by 17 October 2024 and apply it from 18 October 2024, and had until 17 April 2025 to compile their lists of essential and important entities. In practice several Member States transposed late, so the date on which the obligations became enforceable, and the detail of the rules, vary by country.
Startups and scale-ups should not assume they are exempt. Even small SaaS companies can be in scope if they provide services to essential or important sectors or act as a critical link in infrastructure. If you are unsure whether your organisation is an essential or important entity, a scope and readiness assessment is the first step.
What Documentation and Measures You Need to Comply with NIS2
To comply with NIS2 you must not only “be compliant” but demonstrate it. Authorities can request up-to-date documentation (policies, procedures, supplier contracts), operational evidence (records, logs, minutes of incident simulations), traceability between risks and measures applied, and accountable people with active processes.
You should have: a risk register and treatment plan, a cybersecurity policy and assignment of responsibilities, a tested and documented incident notification procedure, a training programme with attendance records and role-based content, assessment and oversight of ICT suppliers, and evidence of resilience testing (simulations, continuity).
An information security management system (ISMS) aligned with ISO/IEC 27001 can help meet many NIS2 requirements, as they share a risk-based approach and a similar set of controls; certification is not a substitute for NIS2 compliance, but it provides much of the evidence a supervisor will ask for.
Mistakes That Can Block NIS2 Compliance
These pitfalls are common and can delay compliance or trigger penalties:
Assuming “it doesn’t apply to you” without checking. If you operate in digital or critical sectors, verify against national transposition whether you are an essential or important entity.
Not designating a clear lead. NIS2 requires assigned accountability and oversight at management level; without an owner for compliance, coordination with authorities and internal consistency suffer.
Training only IT or running a one-off session. The directive requires periodic, documented and role-appropriate training, including for senior management. Failing to keep records or evaluations weakens your position in an inspection.
Not having an incident protocol ready. Reporting within 24 hours requires clear procedures, defined roles and teams that know when and how to trigger them. Improvising in a real incident increases regulatory and reputational risk.
Dropping risk management after the first assessment. NIS2 requires maintaining compliance: reviewing risks, updating documentation and demonstrating continual improvement. Compliance is not something you file away; you demonstrate it every day.
How PrivaLex Can Help You with NIS2
At PrivaLex Partners we support organisations that need clarity on what NIS2 is and who needs to comply, and those already in scope that want to implement or maintain compliance. We don’t sell software: we provide judgement, experience and direct support on gap assessments, risk mapping, policy design, incident response plans, training and preparation for inspections.
With over 205 active clients in 40 countries and experience in ISO/IEC 27001 certification and EU regulatory compliance, we help you turn NIS2 into competitive advantage: trust, resilience and readiness for audits and incidents.
Schedule a strategic session with PrivaLex and clarify whether your organisation needs to comply with NIS2 and how to prepare.
Frequently Asked Questions (FAQs)
What is NIS2 and who needs to comply in the EU?
NIS2 is the EU directive on network and information security (Directive (EU) 2022/2555). Organisations in the Annex I sectors of high criticality (energy, transport, banking, health, digital infrastructure including cloud computing, managed service providers, public administration, etc.) and in the Annex II other critical sectors (online marketplaces, postal services, chemicals, food, manufacturing, research, etc.) must comply; whether an organisation is an essential or an important entity depends on its sector and its size.
Size (employees and turnover) and role in critical supply chains also matter; each country has specified scope in its transposition.
Does my SaaS company need to comply with NIS2?
If your SaaS company operates in the EU and falls under the definition of essential or important entity (by sector, size or role in critical infrastructure), yes.
Digital service providers that serve sensitive sectors or host critical data are often in scope. Check your Member State’s national transposition to confirm.
What are the incident reporting deadlines under NIS2?
The directive requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment of severity and impact, and a final report within one month; the authority or CSIRT may also request intermediate status updates. Member States may set additional detail in national law.
What are the penalties for not complying with NIS2?
For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of global turnover. Authorities can also impose corrective measures, and in cases of serious negligence there may be personal liability for managers.
Does NIS2 require staff training?
Yes. Article 20(2) requires members of the management body to follow cybersecurity training, and cybersecurity training for staff is one of the minimum risk-management measures in Article 21(2)(g). Training must be recurring, documented and role-appropriate. Authorities can request evidence during an inspection.
How do I prepare to comply with NIS2?
Check whether your organisation is an essential or important entity under national transposition; assign a compliance lead; carry out a cybersecurity risk assessment (infrastructure, services, APIs, third-party dependencies); implement proportionate technical and organisational measures (access control, multi-factor authentication, incident response, ongoing training); establish a tested incident notification protocol with defined roles; design a documented, role-based training programme; and keep documentation and evidence up to date.
Audits or inspections under NIS2 are not one-off; authorities can request evidence at any time, so integrating compliance into business-as-usual is key. A partner like PrivaLex can support you with assessment and implementation.
Next Step
Knowing what NIS2 is and who needs to comply is the first step; the next is to check whether your organisation is in scope and prepare in good time. Schedule a strategic session with PrivaLex and turn regulatory compliance into your competitive advantage.
