Regulation
NIS2 in practice: what your company really needs to comply
NIS2 is not another directive that stays on paper. It is the EU's most ambitious cybersecurity regulatory framework, with penalties reaching 2% of global business volume and personal liability for executives.
NIS2 is not a bureaucratic obstacle. It is the regulatory pressure many companies needed to do what they should have done years ago.
— José Enrique Ibarra
Does NIS2 affect your company?
NIS2 significantly expands its predecessor's scope. It affects medium and large companies (more than 50 employees or more than €10M turnover) in sectors considered essential or important, including energy, transport, banking, health, water, digital infrastructure, public administration and space.
Practical rule: If your company has more than 50 employees or exceeds €10M turnover and operates in one of these sectors, NIS2 affects you. If you are a supplier to an affected company, you should also review your contractual obligations.
The 10 mandatory NIS2 measures
NIS2 requires the implementation of technical and organisational measures proportionate to the risk. In practical terms, this translates into ten mandatory action areas: information system security policies, incident management, business continuity, supply chain security, security in system acquisition, vulnerability management and disclosure, effectiveness assessment of security measures, basic cybersecurity hygiene and training, cryptography and encryption, human resources security, and access control and asset management.
NIS2 readiness checklist
- Is your company within the scope of NIS2?
- Is there a cybersecurity officer with real authority?
- Do you have a complete inventory of critical digital assets?
- Is there a documented and tested incident response plan?
- Can you notify a significant incident in less than 24 hours?
- Do you assess the security of your suppliers and partners?
- Does the board of directors receive cybersecurity training?
Does NIS2 apply to your company? Sector + size test
NIS2 applies to essential and important entities. The distinction matters because both the sanctions regime and the supervisory regime are stricter for the former.
| Category | Main sectors | B2B examples |
|---|---|---|
| Essential | Energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, public administration, space | Power operators, hospitals, banks, ISPs, data centers |
| Important | Postal services, waste management, chemicals, food, critical manufacturing, digital providers (marketplaces, search engines, social networks), research | E-commerce with own logistics, pharma manufacturers, MSPs |
Size threshold:
- Medium-sized or larger: more than 50 employees or more than 10 million EUR in annual turnover.
- Below those thresholds: in general it does not apply, except for special cases (sole provider of a critical service, systemic risk, explicit designation by the regulator).
Common edge cases in B2B projects:
- MSP managing infrastructure for a NIS2 client: the MSP qualifies as an important entity for providing managed ICT services, even if its direct client is larger.
- Industrial company with a plant under 50 employees but parent company over 250: the group criterion applies. It usually qualifies.
- B2B SaaS with 30 employees but turnover above 10M EUR: qualifies via the turnover threshold.
Real NIS2 fines: what could happen
NIS2 enforcement is one of the areas where the leap from NIS1 is most visible. The ranges are not indicative: they are set in the directive and Member States have transposed them.
| Entity type | Maximum fine |
|---|---|
| Essential entities | The greater of EUR 10 million or 2% of total worldwide annual turnover of the group |
| Important entities | The greater of EUR 7 million or 1.4% of total worldwide annual turnover of the group |
The "worldwide annual turnover of the group" criterion surprises many management committees. A medium-sized Spanish subsidiary may face fines calculated on the consolidated turnover of the parent group, not its own.
Beyond the fine: less visible consequences
- Personal liability of management body members: NIS2 requires Member States to establish accountability mechanisms for governing bodies. In some countries this includes the temporary disqualification of directors for repeated serious breaches.
- Publication of non-compliance: the regulator may order publication of the sanction. Reputational damage often exceeds the fine itself, especially in B2B sectors where corporate clients require due diligence.
- Cascade effect on B2B contracts: NIS2-bound clients are required to assess their suppliers. A public sanction or known non-compliance may trigger exit clauses in active contracts.
What kind of breaches are European regulators actually fining? Public files across Member States since 2025 show repeated patterns: failure to register as essential or important entity, late incident notification beyond the 24-hour initial deadline, missing documented risk analysis, missing supply chain measures, and absence of mandatory governance training. The pattern is consistent: early enforcement does not target sophisticated technical failures, it targets the absence of documented basics.
Frequently asked questions
When does NIS2 enter into force?
The directive entered into force in the EU on October 17, 2024. National transposition was delayed in several Member States, including Spain. From the date the national law enters into force, obligations and the sanctions regime are fully applicable.
What happens if my company does not register as an essential or important entity?
Failure to register is in itself an administrative breach. European regulators are opening early enforcement files precisely through this route, because it is the easiest to detect. Registering late does not close a file that has already been opened.
Do I need to comply with NIS2 if I have fewer than 50 employees?
In general no, unless your company is the sole provider of a critical service, presents systemic risk, or has been explicitly designated by the regulator. There are specific sectors where the threshold is lower.
Does NIS2 replace NIS1?
Yes. NIS2 repeals NIS1 and broadens its scope. It adds obligations that NIS1 did not require: supply chain security, governance body training, and a hardened sanctions regime.
How much does NIS2 compliance cost?
It depends on the starting point and size. Mid-sized companies with ISO 27001 typically close gaps with EUR 30,000 to 80,000 in the first year. Companies without a prior framework may exceed EUR 200,000 including tools, consulting and training.
Does NIS2 require an in-house SOC?
No. The directive requires detection, response and notification capability. That capability can be in-house, outsourced (MDR, MSSP) or hybrid. What is not acceptable is not having it.
Does NIS2 apply to cloud and SaaS providers?
Yes, digital infrastructure and digital service providers are explicitly covered as important entities. In addition, NIS2 clients are required to assess their critical cloud and SaaS suppliers, creating cascading pressure even on providers below their own thresholds.
More NIS2 resources
Templates, checklists and practical guides to complement this article in our resources section.