NIS2 | 6 min read | February 28, 2026

NIS2 Scope Decoded: Which SMEs Fall Under the Directive — and What It Means for Your Business

The NIS2 Directive (Directive (EU) 2022/2555) is the most significant overhaul of EU cybersecurity legislation since the original NIS Directive (Directive (EU) 2016/1148) of 2016. By expanding its scope to many more sectors, introducing stricter obligations, and imposing substantial penalties, NIS2 forces thousands of organisations across Europe to reassess their cybersecurity posture. For SMEs, the first challenge is working out whether the directive applies to them at all, and if so, in which category.

The Scope Expansion: Who Is Covered?

The original NIS Directive applied to a narrow set of operators of essential services and digital service providers. NIS2 replaces this with a much broader classification built on two annexes: Annex I lists the "sectors of high criticality" and Annex II the "other critical sectors". Entities of the types listed there are classified as either essential entities or important entities. The distinction matters because it determines the intensity of supervisory oversight and the severity of penalties.

Essential Entities

Essential entities are subject to proactive, ex ante supervisory measures. As a rule, an entity is essential if it operates in one of the Annex I sectors below and exceeds the ceilings for a medium-sized enterprise (the large-enterprise tier); medium-sized entities in the same sectors are by default important entities. The Annex I sectors are:

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (healthcare providers, EU reference laboratories, pharmaceutical manufacturing)
  • Drinking water supply and distribution
  • Waste water management
  • Digital infrastructure (IXPs, DNS providers, TLD registries, cloud computing, data centres, CDNs)
  • ICT service management in B2B (managed service providers, managed security service providers)
  • Public administration (central government)
  • Space

Important Entities

Important entities are subject to reactive, ex post supervision. This category covers medium-sized entities in the Annex I sectors above together with entities of any qualifying size in the Annex II sectors:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing of medical devices, computers, electronics, machinery, and motor vehicles
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organisations

Size Thresholds

NIS2 applies a size-cap rule tied to the SME definition in Commission Recommendation 2003/361/EC. In general, the directive covers medium-sized and large enterprises in the listed sectors, that is, entities that exceed the small-enterprise ceiling of fewer than 50 employees and an annual turnover or annual balance sheet total not exceeding EUR 10 million. However, certain types of entity fall within scope regardless of size, including DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, public administration entities, and entities that are the sole provider in a Member State of a service essential to critical societal or economic activities. Member States may also designate individual entities below the thresholds where a disruption of their service could have a significant impact on public safety, security or health.

SMEs below these thresholds are therefore generally out of scope unless they are of one of the size-independent types above or have been specifically designated by a Member State. Being out of scope does not mean being unaffected: any organisation in the supply chain of an essential or important entity can expect contractual cybersecurity obligations imposed by clients who must meet the NIS2 supply chain security requirements themselves.

Key Obligations Under NIS2

1. Cybersecurity Risk Management (Article 21)

Article 21 requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage risks to the security of network and information systems. These measures must include, at a minimum:

  • Policies on risk analysis and information system security
  • Incident handling procedures
  • Business continuity and crisis management (including backup management and disaster recovery)
  • Supply chain security, including security aspects concerning relationships with direct suppliers
  • Security in network and information system acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • Use of multi-factor authentication, secured communications, and secured emergency communications

2. Incident Reporting (Article 23)

NIS2 introduces a multi-stage reporting obligation for significant incidents that is considerably stricter than the original directive (Article 30 separately allows voluntary notification of other incidents, cyber threats and near misses):

  1. Early warning: Within 24 hours of becoming aware of a significant incident, notify the competent authority or CSIRT. The early warning must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  2. Incident notification: Within 72 hours of becoming aware, update the early warning with an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
  3. Final report: Within one month of submitting the incident notification, provide a detailed description of the incident, its severity and impact, the type of threat or root cause, the mitigation measures applied and taken, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, with the final report within one month of the incident being handled.

An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Reporting to the authority does not replace communicating with affected customers: entities must also, where appropriate, inform recipients of their services of significant incidents likely to affect them.

3. Supply Chain Security

Article 21(2)(d) explicitly requires entities to address supply chain security. This means assessing the cybersecurity practices of your direct suppliers and service providers, incorporating security requirements into procurement contracts, and monitoring third-party risk on an ongoing basis. For many SMEs, this obligation will arrive indirectly through contractual requirements imposed by larger clients who are themselves NIS2-regulated entities.

4. Management Body Accountability (Article 20)

NIS2 places direct accountability on the management body (board of directors, executive management) for approving and overseeing the implementation of the Article 21 cybersecurity risk management measures. Management body members must follow cybersecurity training, and they can be held liable for infringements under the applicable national law. This is a significant departure from the original NIS Directive and aligns cybersecurity governance with the level of accountability familiar from financial regulation.

National Transposition and Enforcement

Member States were required to transpose NIS2 into national law by 17 October 2024. As of early 2026, the majority of Member States have completed transposition, though implementation timelines and specific requirements vary. Organisations should consult the national transposition in each Member State where they operate, as requirements may exceed the NIS2 minimum.

Penalties

The penalties under NIS2 are substantial and differentiated by entity type:

  • Essential entities: Administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: Administrative fines of up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.

Supervisory authorities can also impose non-monetary measures, including warnings, binding instructions, orders to implement audit recommendations, orders to bring security measures into compliance, and orders to inform affected customers. For essential entities, they may additionally request the temporary suspension of a certification or authorisation and a temporary ban on the chief executive or legal representative exercising managerial functions until the infringement is remedied.

Practical Steps for SMEs

If your organisation falls within the NIS2 scope, or if you operate in the supply chain of a regulated entity, the following steps provide a pragmatic starting point:

  1. Scope assessment: Determine whether your organisation is an essential entity, an important entity, or out of scope. Consider both the sector classification and the size thresholds.
  2. Gap analysis: Compare your current cybersecurity measures against the Article 21 requirements. Identify areas where your existing controls fall short.
  3. Incident response preparation: Build or enhance your incident response plan to meet the 24-hour, 72-hour, and one-month reporting timelines.
  4. Supply chain review: Assess the cybersecurity posture of your critical suppliers and incorporate security requirements into procurement contracts.
  5. Management engagement: Brief your board or executive management on their NIS2 responsibilities and arrange cybersecurity training.
  6. Documentation: Maintain evidence of all cybersecurity measures, risk assessments, and incident reports. NIS2 compliance is demonstrable compliance.

The NIS2 Directive is not a distant regulatory concern. It is an active compliance obligation for thousands of European organisations. SMEs that act now to understand their obligations and close their cybersecurity gaps will be far better positioned than those that wait for an enforcement action to force their hand.
