NIS2 Compliance Guide for SMEs: What You Need to Do in 2026

The NIS2 Directive is the EU's most significant cybersecurity legislation since GDPR. Unlike its predecessor, NIS2 dramatically expands the scope of organizations that must comply — including many small and medium enterprises that previously flew under the regulatory radar.

If you provide services in energy, transport, banking, healthcare, digital infrastructure, ICT service management, postal services, waste management, manufacturing, food production, or digital services within the EU, NIS2 likely applies to you.

Does NIS2 Apply to Your Business?

NIS2 categorizes organizations into two groups:

Essential entities: Large organizations (250+ employees or €50M+ revenue) in critical sectors like energy, transport, banking, healthcare, and digital infrastructure.

Important entities: Medium organizations (50+ employees or €10M+ revenue) in the sectors listed above, plus postal services, waste management, manufacturing, food, chemicals, and digital providers.

Even if you're below these thresholds, you may still be in scope if you're a sole provider of a critical service in a member state, if disruption to your service would have significant systemic impact, or if you're a DNS service provider, TLD registry, or domain registration service.

Key difference from NIS1: the "important entities" category brings thousands of mid-size European companies into scope for the first time.

What NIS2 Requires

NIS2 Article 21 mandates an "all-hazards approach" to cybersecurity risk management. In practical terms, you must implement measures in ten areas:

1. Risk Analysis and Information Security Policies

You need documented policies covering information security, with regular risk assessments that inform your security measures. This is the foundation — without policies and risk assessments, nothing else counts.

2. Incident Handling

Establish procedures for detecting, reporting, and responding to security incidents. NIS2 has strict reporting timelines: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month.

3. Business Continuity

Implement backup management, disaster recovery, and crisis management procedures. You must be able to restore operations after a disruptive event.

4. Supply Chain Security

Assess and manage cybersecurity risks in your supply chain. This means evaluating the security practices of your suppliers and service providers, and incorporating security requirements into contracts.

5. Security in Network and Information Systems

Secure the acquisition, development, and maintenance of your systems, including vulnerability handling and disclosure.

6. Cybersecurity Risk Management Assessment

Establish policies and procedures to assess the effectiveness of your cybersecurity measures. Regular testing, auditing, and review are required.

7. Cyber Hygiene and Training

Implement basic cyber hygiene practices and provide regular cybersecurity training for all staff, including management.

8. Cryptography

Establish policies on the use of cryptography, including encryption where appropriate.

9. Human Resource Security

Implement access control policies and asset management procedures. Staff must be vetted appropriately and given only the access they need.

10. Multi-Factor Authentication

Use MFA or continuous authentication solutions, along with secured voice, video, and text communications and emergency communication systems.

Penalties for Non-Compliance

NIS2 introduces significant penalties:

• Essential entities: Up to €10 million or 2% of global annual turnover (whichever is higher)
• Important entities: Up to €7 million or 1.4% of global annual turnover

Beyond fines, NIS2 introduces personal liability for management. Senior management can be held personally responsible for non-compliance, and member states can impose temporary bans on exercising managerial functions.

Your NIS2 Action Plan

Step 1: Determine Applicability (Week 1)

Confirm whether your organization falls under NIS2 scope based on sector and size. Check your member state's transposition of the directive for specific thresholds.

Step 2: Gap Assessment (Week 2-3)

Assess your current cybersecurity posture against all ten requirement areas. Identify where you already comply and where gaps exist.

Step 3: Policies and Risk Assessment (Week 4-8)

Create or update your security policies. Conduct a formal risk assessment covering all information systems and processes. Document everything.

Step 4: Implement Controls (Week 9-16)

Address the gaps identified in your assessment. Prioritize based on risk — focus on incident response, access control, and supply chain security first.

Step 5: Incident Response Readiness (Week 12-16)

Set up your incident reporting process. Ensure you can meet the 24-hour early warning requirement. Designate a contact point for your national CSIRT.

Step 6: Ongoing Compliance (Continuous)

NIS2 isn't a one-time exercise. Conduct regular risk assessments, test your incident response, review supply chain security, and train staff continuously.

NIS2 vs. ISO 27001

If you're already ISO 27001 certified, you have a strong foundation for NIS2 compliance. There's significant overlap — risk assessment, access control, incident management, and business continuity are core to both. However, NIS2 adds specific requirements around supply chain security, incident reporting timelines, and management accountability that go beyond ISO 27001.

Many organizations pursue both: ISO 27001 as the management system framework and NIS2 as the regulatory compliance layer on top.