
NIS2 Compliance: What It Requires, Who It Affects, and How B2B Companies Can Prepare
A practical guide to NIS2 compliance — what the directive requires, which organisations are affected, key obligations around risk management, incident reporting, supply chain security, and how to demonstrate compliance to regulators and buyers.
The Network and Information Security Directive 2 (NIS2) is the EU's updated cybersecurity framework, replacing the original NIS Directive from 2016. It entered into force in January 2023, with member states required to transpose it into national law by October 2024.
NIS2 significantly expands the scope of covered organisations, strengthens security requirements, introduces strict incident reporting timelines, and establishes personal accountability for management. For B2B SaaS companies, NIS2 creates direct obligations if you fall within scope, and indirect obligations through supply chain requirements — your customers who are NIS2 entities will require evidence of your cybersecurity posture.
This guide covers what NIS2 requires, who it applies to, key compliance obligations, and how to prepare as a B2B company.
NIS2 Scope and Applicability
Who is Affected
NIS2 covers two categories of entities across 18 sectors:
Essential Entities (Annex I — Highly Critical Sectors)
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, water, road transport |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Healthcare providers, EU reference laboratories, medical device manufacturers |
| Drinking water | Water supply and distribution |
| Wastewater | Wastewater collection, disposal, treatment |
| Digital infrastructure | IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust services |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central government entities |
| Space | Operators of ground-based infrastructure |
Important Entities (Annex II — Other Critical Sectors)
| Sector | Examples |
|---|---|
| Postal and courier services | Postal service providers |
| Waste management | Waste collection and treatment |
| Chemicals | Manufacturing, production, distribution |
| Food | Production, processing, distribution |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles |
| Digital providers | Online marketplaces, search engines, social networking platforms |
| Research | Research organisations |
Size Thresholds
| Category | Employees | Annual Turnover | Balance Sheet |
|---|---|---|---|
| Medium enterprise | 50-249 | €10M-€50M | €10M-€43M |
| Large enterprise | 250+ | €50M+ | €43M+ |
Some entities are covered regardless of size: qualified trust service providers, DNS service providers, TLD name registries, providers of public electronic communications networks, and entities that are the sole provider of a critical service in a member state.
Key NIS2 Requirements
Risk Management Measures (Article 21)
NIS2 Article 21 mandates an all-hazards approach to cybersecurity risk management. Required measures include:
1. Risk analysis and information system security policies
   - Establish a risk assessment methodology
   - Conduct regular risk assessments
   - Document and implement security policies
   - Align with recognised frameworks (ISO 27001, NIST CSF)
2. Incident handling
   - Establish incident detection, response, and recovery procedures
   - Define incident classification and severity levels
   - Implement monitoring and alerting capabilities
   - Document and test incident response plans
3. Business continuity and crisis management
   - Develop business continuity plans
   - Implement backup management and disaster recovery
   - Conduct regular testing of continuity plans
   - Integrate with incident response procedures
4. Supply chain security
   - Assess risks from direct suppliers and service providers
   - Include security requirements in supplier contracts
   - Monitor supplier compliance
   - Account for the overall quality of supplier cybersecurity practices
5. Security in systems acquisition, development, and maintenance
   - Vulnerability handling and disclosure
   - Secure development practices
   - Security testing throughout the lifecycle
   - Patch management processes
6. Effectiveness assessment
   - Regular testing of cybersecurity measures
   - Penetration testing
   - Security audits
   - Continuous monitoring
7. Cyber hygiene and training
   - Basic cyber hygiene practices
   - Regular cybersecurity awareness training
   - Role-specific security training
   - Phishing awareness and testing
8. Cryptography and encryption
   - Policies on the use of cryptography
   - Encryption of data at rest and in transit
   - Key management procedures
   - Assessment of cryptographic adequacy
9. Human resources security and access control
   - Access control policies (least privilege, need-to-know)
   - Identity and access management
   - Multi-factor authentication
   - Asset management and classification
10. Multi-factor authentication and continuous authentication
   - MFA for critical systems and administrative access
   - Secured voice, video, and text communications
   - Secured emergency communication systems
Incident Reporting (Article 23)
Multi-Stage Notification Framework
| Stage | Deadline | Content Required |
|---|---|---|
| Early warning | 24 hours | Whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have a cross-border impact |
| Incident notification | 72 hours | Initial assessment of severity, impact, indicators of compromise |
| Intermediate reports | On request | Updated assessment as investigation progresses |
| Final report | 1 month | Detailed description, root cause, mitigation measures, cross-border impact |
What Constitutes a Significant Incident
An incident is significant if it:
- Causes or is capable of causing severe operational disruption or financial loss
- Affects or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Member states may define additional criteria for determining significance within their transposition.
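As an added example (not part of the original guide), the following Python helper turns the Article 23 stages and the significance test above into a deadline tracker for an incident record. The reading of "1 month" as one calendar month and the field names are assumptions; national transposition may define the final-report deadline differently.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Fixed-deadline stages from NIS2 Article 23, measured from awareness of the incident.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def parse_ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset, e.g. '2025-01-31T09:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def add_calendar_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb).
    Assumption: 'final report within 1 month' means one calendar month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Incident:
    detected_at: datetime                   # tz-aware moment the entity became aware
    severe_disruption_or_loss: bool         # criterion 1: severe operational disruption or financial loss
    considerable_third_party_damage: bool   # criterion 2: considerable damage to other persons


def is_significant(inc: Incident) -> bool:
    """Significant if either Article 23 criterion listed above holds."""
    return inc.severe_disruption_or_loss or inc.considerable_third_party_damage


def reporting_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Absolute due times for the fixed stages; intermediate reports are on request only."""
    t0 = inc.detected_at
    return {
        "early_warning": t0 + EARLY_WARNING,
        "incident_notification": t0 + INCIDENT_NOTIFICATION,
        "final_report": add_calendar_month(t0),
    }


def overdue_stages(inc: Incident, now: datetime) -> List[str]:
    """Stages whose deadline has passed at `now`; empty when the incident is not significant."""
    if not is_significant(inc):
        return []
    return [stage for stage, due in reporting_deadlines(inc).items() if now > due]
```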
Supply Chain Security (Article 21(2)(d))
What NIS2 Requires
NIS2 elevates supply chain security from a best practice to a legal obligation. Covered entities must:
- Assess supply chain risks — Evaluate the cybersecurity posture of direct suppliers and service providers
- Contractual security requirements — Include specific cybersecurity obligations in supplier contracts
- Monitor compliance — Verify that suppliers maintain required security levels
- Account for supplier quality — Consider the overall quality of products and cybersecurity practices of suppliers, including secure development procedures
Impact on B2B SaaS Companies
Even if your company is not directly an essential or important entity under NIS2, your customers may be. This means:
- Increased security questionnaires — NIS2 entities must assess supplier security, leading to more detailed vendor assessments
- Contractual requirements — Customers will require NIS2-aligned cybersecurity clauses in contracts and DPAs
- Evidence of controls — Buyers will request documentation of security measures, incident response capabilities, and testing results
- Sub-processor transparency — Customers need visibility into your supply chain (sub-processor lists, hosting providers, third-party services)
- Incident notification obligations — Your contracts may need to reflect NIS2's 24-hour early warning requirement
Governance and Accountability
Management Responsibility (Article 20)
NIS2 introduces personal accountability for management bodies:
- Approval: Management must approve cybersecurity risk-management measures
- Oversight: Management must oversee implementation of security measures
- Training: Management members must undergo cybersecurity training
- Liability: Management can be held personally liable for non-compliance
- Sanctions: Member states may temporarily suspend management-level individuals from exercising managerial functions
This is a significant shift — cybersecurity is no longer solely an IT department responsibility but a board-level governance obligation.
Supervisory Measures
Supervisory authorities can:
| Measure | Essential Entities | Important Entities |
|---|---|---|
| Audits | Ex ante and ex post | Ex post only |
| Security scans | Yes | Yes |
| Document requests | Yes | Yes |
| Binding instructions | Yes | Yes |
| Suspension of certifications | Yes | Yes |
| Temporary management suspension | Yes | No |
Penalties (Article 34)
Harmonised Penalty Framework
| Entity Type | Maximum Fine | Alternative |
|---|---|---|
| Essential entities | €10,000,000 | 2% of global annual turnover |
| Important entities | €7,000,000 | 1.4% of global annual turnover |
The higher amount applies. Member states may impose additional penalties beyond these minimums.
Beyond Financial Penalties
- Binding instructions to implement specific measures
- Orders to undergo security audits at the entity's expense
- Orders to notify customers of significant incidents
- Publication of non-compliance findings
- Temporary certification suspension
- Temporary prohibition of management functions (essential entities only)
NIS2 and Other Frameworks
NIS2 and ISO 27001
| Aspect | ISO 27001 | NIS2 Additions |
|---|---|---|
| Risk management | Comprehensive ISMS | Aligned, but NIS2 mandates specific measures |
| Incident reporting | Internal procedures | Mandatory 24/72-hour external reporting |
| Supply chain | A.5.19-A.5.23 | Explicit supply chain security obligations |
| Management liability | Management commitment | Personal liability and sanctions |
| Penalties | None (voluntary standard) | Fines up to €10M or 2% turnover |
| Scope | Organisation-defined | Sector and size-based determination |
NIS2 and GDPR
| Aspect | GDPR | NIS2 |
|---|---|---|
| Focus | Personal data protection | Network and information security |
| Incident reporting | 72 hours (data breaches) | 24 hours early warning + 72 hours notification |
| Scope | Any personal data processing | Critical and important sectors |
| Penalties | Up to €20M or 4% turnover | Up to €10M or 2% turnover |
The two regimes overlap: a security incident involving personal data must be reported under both GDPR and NIS2, each on its own timeline.
Preparing for NIS2 Compliance
Step-by-Step Approach
1. Determine applicability — Assess whether your organisation is an essential or important entity based on sector and size
2. Gap analysis — Compare current security measures against NIS2 Article 21 requirements
3. Implement an ISMS — If not already in place, establish an information security management system (ISO 27001 provides a strong foundation)
4. Enhance incident response — Update procedures to meet 24/72-hour reporting timelines
5. Address supply chain security — Assess supplier risks, update contracts, maintain sub-processor lists
6. Management engagement — Ensure board-level approval, oversight, and training for cybersecurity measures
7. Document everything — Maintain comprehensive records for supervisory authority audits
8. Test regularly — Conduct security testing, penetration testing, and incident response exercises
9. Monitor continuously — Implement ongoing monitoring of security measures and compliance status
How Orbiq Supports NIS2 Compliance
- Trust Center: Publish your NIS2 compliance posture — security measures, incident response capabilities, and supply chain transparency for buyer self-service
- Continuous Monitoring: Track NIS2 Article 21 requirements across your security controls with real-time compliance status
- Evidence Management: Centralize security documentation, audit evidence, and incident records mapped to NIS2 requirements
- AI-Powered Questionnaires: Auto-respond to NIS2-related security questionnaire questions from your documented controls
Further Reading
- Incident Response — Building incident response capabilities that meet NIS2 Article 23 timelines
- ISO 27001 Certification — The ISMS framework that provides NIS2 compliance foundations
- Third-Party Risk Management — Managing supplier risks as required by NIS2 Article 21(2)(d)
- GDPR Compliance — Understanding dual reporting obligations for incidents involving personal data
This guide is maintained by the Orbiq team. Last updated: March 2026.